Passwordless future: Interview with FIDO CEO on passkeys and business cybersecurity outlook

Jonas Karklys, CEO of NordPass
NordPass CEO Jonas Karklys and FIDO’s Andrew Shikiar

While imagining a password-free future seems difficult, passkeys have gained more prominence in the past year. With cyber threats on the rise, companies are on the lookout for cybersecurity measures that can eliminate human error-related risks. Passkeys have taken the spotlight as the more secure alternative to passwords, leading an increasing number of companies to adopt this new authentication method.

I had the very exciting opportunity to sit down with Andrew Shikiar, Executive Director and CEO of the FIDO Alliance, to discuss the ins and outs of passkey technology and how it will shape the future of business security.

Jonas Karklys: Andrew, last year, we watched passkey technology gain huge traction from Google, Microsoft, and Apple. What do you think caused it?

Andrew Shikiar: It’s not just those three – hundreds of companies now support and deploy passkeys. I think this reflects a massive appetite and enthusiasm for moving beyond passwords in favor of something easier and more secure for people to use.

We know there’s been a password problem for decades now, and passkeys are the first truly viable alternative. They’re true password replacements that help get rid of all risks and hassle associated with using knowledge-based factors – not just passwords but also second factors like SMS one-time passwords (OTPs). Essentially, passkeys provide a more secure, unphishable solution. For most early adopters, usability and ease of access have been key drivers, at least for consumer services.

JK: Can you talk more about the early adopters of passkeys?

AS: A lot of the earliest passkey adoption came from payment and e-commerce companies, travel, and hospitality – companies where each time someone needs to reset a password and then simply abandons the site, they’re losing a meaningful opportunity and meaningful dollars.

For example, a major e-commerce vendor has improved its sign-in success rate by over 15%. That translates into a much greater chance for transactions and commerce while reducing costs associated with password resets or SMS OTP. This is why we highlight that passkeys improve the top and bottom lines for companies that choose to implement them.

JK: Many wonder if passkey technology will replace passwords for good or if another alternative will emerge. What would you say to those who believe passkeys are not the ultimate solution?

AS: The most important mission here is to create a safer internet. That means any progress (whether using passkeys or an alternative) in the direction that leads to unphishable authentication and unphishable identities is a step in the right direction.

However, I believe that passkeys are the right way to go as they're standards-based, widely supported, and widely distributed. This also hits on the value of FIDO’s certification program, which helps unlock the value of open standards. For passkeys, this means that various servers can be interoperable with different authenticators, and we’re also committed to supporting independent passkey providers, including well-established credential management companies like NordPass.

And, perhaps most importantly, with passkeys, there is a consistent brand and a user flow that’s becoming more familiar to users who’ll look for passkey iconography when signing in. In my view, these benefits make passkeys the inevitable password replacement at a mass scale.

JK: Why do you think businesses should care about enabling passkey access, especially if they think their company-wide password policies are working fine?

AS: Anytime you rely on a knowledge-based system to protect your workforce, you put yourself at tremendous risk. Let’s say that a company uses a strong password management system with a second factor like TOTPs – simple social engineering techniques can still be used to bypass both layers of traditional authentication.

Look no further than the Caesars Entertainment social engineering attack last summer. Someone duped an employee with a phone call and asked them to transmit their OTP credentials to reset the account. At that point, the criminal got access to the network.

Ultimately, passkeys take this risk out of the equation. They require possession-based authentication, which is immune to sophisticated phishing and social engineering attacks that otherwise succeed when a human communicates the secrets. Passkeys are a highly usable technology that solves security and access challenges.

That being said, as companies move away from passwords, they should ensure they use password managers that support MFA or other MFA-enabled solutions that will enable a smooth transition to passkeys.

JK: In your field, you meet many representatives of different companies. Why are some businesses still hesitant about passkey adoption?

AS: Different companies have different profiles and pacing when it comes to adopting new technologies. It depends on the industry or company culture. In general, surveys show that IT, security, and business leads want to go passwordless – the vast majority do. The problem is that a lot of people simply don’t know how to get started.

I believe these things can be addressed through education. That’s the one thing we’re really focused on as an organization. We want to provide educational resources to enable those who will be driving passkey implementations. Whether it’s an architect, design lead, product manager, or developer, we want to provide all stakeholders with the resources they need to move forward.

We also have a very robust ecosystem of FIDO-certified vendors, integrators, and solution providers that are ready to tackle the most complicated use cases to help companies put passwords in the rearview mirror.

JK: Let’s talk about your organization. Last year, FIDO and its partners set solid ground for passkey technology to skyrocket. This year, it’s expected that business adoption of passkeys will increase further. What’s on the agenda to ensure the interest in passkeys keeps growing?

AS: FIDO Alliance continues to invest substantially in passkey enablement and adoption. This includes hosting events and public conferences – for instance, our flagship event, the Authenticate conference, takes place every October just north of San Diego.

Additionally, we support our members who do their own marketing, whether that’s B2B sales or customer and stakeholder education. We also support service providers who introduce passkeys to customers and platforms. We’re aware of how major platforms are introducing passkeys to their consumers. We partner with them as best as possible to amplify that message and ensure they’re communicating consistently.

We’re also very eager to support things on the development front. We’re engaged with many developer platforms and are looking at what resources we can provide to the developer community – whether that’s tutorials or supporting sites like passkeys.dev. We understand that developers are a key cog here, and they also need the right education to help accelerate the ongoing passkey adoption.

JK: What about the main hurdles that businesses face once they actually decide to move to passwordless solutions?

AS: Whether we’re talking about the workforce or the customers, there’s always concern about how end users will react. They know how to use passwords and the current systems. Their concern is legitimate.

Some companies may choose to use passkeys more incrementally. Let’s say, if you’re deploying in the workforce, you might start with a small subset of users. Or, if you’re using something like NordPass, you can use passkeys alongside passwords. As more and more resources are protected by passkeys rather than passwords, user migration will actually be quite seamless. They’ll just be using the same thing to sign in – their credential manager.

This all comes down to change management and education. The challenge is preparing your users for passkeys, especially in the workforce. Ultimately, it’s an easier way to authenticate, but it’s different. It’s change – and change is always a little intimidating. That’s why it’s really important for companies rolling out passkeys to really think about how they can get their employees ready – with solutions ranging from company-branded education campaigns, through additional training for help desks, to hands-on tutorials at company offsites. Our vendors are usually happy to help their customers on this front as well.

JK: What about the public perception of passkeys? Is there any push for businesses from the outside to offer them a passkey login option?

AS: We’d certainly like to see more of that, and I think we’re starting to. However, it’s important to remember that private key synchronization, for which we introduced the term ‘passkey’, is relatively new – before 2023, there were no implementations at scale. Today, we have over 13 billion user accounts that can enroll with passkeys. While it’s still a relatively new technology, we’re starting to see signs of consumer pull.

It was interesting to see the positive feedback when Sony introduced passkeys for PlayStation on social media. People were giving Sony all sorts of kudos for making passkeys available – and we’re starting to see more and more consumers ask their service providers for passkeys as a sign-in option.

As I’ve become more accustomed to not using passwords or legacy authentication, especially legacy 2FA, I find it incredibly frustrating. For example, if I want to look at my 401k on my PC, every time I try to sign in, our benefits provider forces me to choose between SMS OTP or knowledge-based “secrets”, which is a bit like picking your poison as both user experiences are lousy. This shows how my expectations as a user have shifted from accepting such authentication to really resenting it. If I had the option to move to a platform that doesn’t require that experience, I absolutely would – and this is something that I assess as FIDO’s CEO when looking at other services for FIDO Alliance’s employees.

JK: FIDO has partnered with many standout companies worldwide, many of which have already adopted passkeys. What has their feedback been so far, and how are they moving forward on this topic?

AS: We continuously learn of companies that have deployed passkeys. Ultimately, we keep seeing the metrics that report higher sign-in success rates and quicker login times. Those are the most important front-line measures for most companies deploying passkeys to consumers at scale.

We’re also receiving some second-level data indicating increased revenue and reduced support costs. I anticipate that, over time, we’ll also be able to draw a direct line between the increase in the percentage of passkeys sign-ins and both reduced fraud and increased revenue.

We’re also hearing about the workforce being pleased with the user experience they’re having. People who deploy FIDO biometrics for sign-in report a very positive ROI. They also get cost reductions and increased employee productivity. All in all, the feedback has been quite positive, which is why we’re seeing passkey adoption continuously growing.

JK: How does the scale of passkey adoption look? It seems that moving to passkeys is easier for enterprises, given both financial and human resources to do so, whereas SMBs might face difficulties, although they experience the most cyber attacks. How is the passwordless market prepared to tackle this issue?

AS: I think a lot of this comes down to the tools SMBs are using. Different cloud solutions support passkeys for sign-in. NordPass also has an SMB solution that allows users to use both passkeys and passwords. I think certain solutions for SMBs exist, and they just need to choose them. There’s probably also some educational work to be done to let SMBs know how they can move forward.

CISA (Cybersecurity and Infrastructure Security Agency) has some best practice guidance for SMBs. They have some pointers for SMBs to look at for moving towards unphishable authentication rather than passwords.

JK: Finally, we can’t talk about passkeys without covering regulations. In terms of upcoming compliance regulations in the biggest markets, do passwordless solutions fall under the scope? Do you believe the change in the legislative environment will increase companies’ interest in passkey technology?

AS: That’s one of my hot buttons. Too often, I hear that regulators or legislators don’t like passkeys or synced credentials. My counterpoint is that I think that’s absolutely untrue. I don’t think regulators have ever contemplated passkeys. If you think about the past 40 years and beyond of our frame of reference, it’s always been passwords.

Regulation after regulation basically says, ‘Hey, passwords are not okay. Let’s make them much better by adding more layers, so you must use 2FA.’ This primarily regulates MFAs because the primary factor is so fundamentally flawed. Passkeys change this dynamic and this narrative entirely.

So, rather than worrying about layers or factors, regulators should ask themselves one specific question — “if phishing is a primary threat vector, how well can an authentication method prevent phishing?” We were pleased to see NIST’s additional instructions to their digital identity guidelines last month which said that, when implemented in accordance with their guidelines, synced passkeys meet the MFA requirements associated with AAL2, suitable for helping prevent phishing attacks.

NIST isn’t a regulator, but many regulators follow their guidance, so we really believe that we’ll start to see regulators consider synced credentials as a preferred means to de-risk consumer authentication at scale.
For more insights from this interview, check out the article on TechRadar.