Episode 103 - GluuFederation/identerati-office-hours GitHub Wiki

Title: Passkey implementation != passkey adoption

Description

Many passkey deployments fail to achieve the results initially expected. While passkeys are often implemented correctly from a technical standpoint, user adoption remains low. As a result, phishing risk persists, security is not improved, UX remains unchanged, and operational costs are not reduced. In this episode, we'll discuss why a shift in mindset is needed, one where adoption is given as much attention as implementation, and explore strategies to drive adoption for large-scale B2C deployments.

Homework

EIC Session: Passkeys for CIAM – Pain & Gain

As digital interactions continue to grow, the security and usability of authentication methods are under increasing evaluation. Passkeys, the most current evolution of the phishing-resistant FIDO2 standard, promise both enhanced security and a better user experience in Customer Identity and Access Management. However, their adoption is not without challenges. This session will outline the value of passkeys and address real-world considerations and challenges that organizations face.
Key points to be covered include:
- Value Proposition of Passkeys: The potential of Passkeys to provide phishing-resistant authentication and robust identity security will be highlighted.
- Usability Improvements: Enhancements in user experience and accessibility with passkeys will be explored.
- Challenges in Real-Life Implementation:
  - Compliance: The compliance considerations that come with implementing passkeys.
  - User Journey: Impacts on the end-to-end user journey and considerations for user adoption.
  - Operational Challenges: Issues related to authenticators, technical operations, and integration with existing systems.

Why This Topic Matters:

With the increasing demand for secure, seamless digital experiences, passkeys, grounded in the FIDO2 standard, offer a significant breakthrough in CIAM. Moreover, as spear-phishing attacks become more sophisticated and widespread due to advancements in Generative AI, phishing-resistant solutions like passkeys are critical to safeguarding users. To fully leverage these benefits, organizations must understand both the "pain" and "gain" of passkey implementation. Practical insights will be shared on navigating these challenges to achieve a successful passkey strategy.

Takeaways

  • ⚡ Google Login? Google Passkey? Google Wallet? Do consumers really understand the differences? With the current political and economic turbulence and global warming, do people really have the attention span necessary to sort out the nuances of modern digital identity?

  • ⚡ The user experience for passkeys is reminiscent of smart cards--with cryptic browser messages that are too small to read. Discovery is needed--I have to know how to properly select my passkey provider. Could be hard if I don't even know what a Passkey Provider is.

  • ⚡ Shared passkeys--like iCloud Keychain or Google Chrome Password Manager--are only considered one factor (control of your account). Users may be perplexed why they are required to perform 2FA with a weaker credential. It can make sense--smart card + PIN number, for example. But without a good explanation, it may be very confusing to end users.

  • ⚡ Business drivers for passkey adoption: marginal cost benefits, risk mitigation, better user experience. These aren't forcing functions for businesses to invest in passkey infrastructure right now. So security is out the window for most enterprises... with observed over-reliance on "OTP" mechanisms, like the worst offender: "email OTP"--probably the least effective mechanism for authentication ever invented, crossed with the most vulnerable to phishing and lateral movement.

  • ⚡ Perhaps deployment of passkeys for mobile authn--where the browser is avoided and the user experience is more controllable--is more likely.

  • ⚡ Passkey adoption is useless unless we actually improve the authorization infrastructure to make better policies about how and when to authenticate a person. That's why we need token based access control ("TBAC"), and the attestation JWT from the authenticator (passkey provider, token, whatever) is input to the application policy for local evaluation.
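The two takeaways above (synced passkeys count as a single factor; the authenticator's assertion should feed a locally evaluated application policy) can be made concrete with a small relying-party policy check. The code below is an added example written for this page, not Gluu's or identerati's code, and it works from the raw WebAuthn authenticatorData bytes rather than the attestation JWT mentioned above (that wrapper is assumed to carry the same flags). The `FLAG_*` bit positions are from the WebAuthn authenticatorData flags byte; the risk levels, policy rules, and sample blobs are constructed for the example.

```python
# Added example: local step-up policy over WebAuthn authenticatorData.
# Not Gluu/identerati code. Policy rules and sample inputs are constructed.
import hashlib
import struct

# Bit positions of the WebAuthn authenticatorData flags byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN, biometric, etc.)
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently synced
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows

# Assumed relying party ID used for the constructed sample blobs.
SAMPLE_RP_ID = b"example.com"


def build_authenticator_data(flags: int, sign_count: int = 1) -> bytes:
    """Construct a minimal 37-byte authenticatorData blob for testing:
    rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian)."""
    return hashlib.sha256(SAMPLE_RP_ID).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed-length prefix every authenticatorData value starts with."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def count_factors(parsed: dict) -> int:
    """Factor count as the takeaway above frames it: a synced (shared) passkey is
    one factor (control of the account), a device-bound credential that also
    required user verification is two (possession + PIN/biometric)."""
    if not parsed["user_present"]:
        return 0
    device_bound = not parsed["backup_eligible"] and not parsed["backed_up"]
    return 2 if (device_bound and parsed["user_verified"]) else 1


def evaluate_policy(auth_data: bytes, action_risk: str, stored_sign_count: int = 0) -> str:
    """Constructed local policy: 'low' risk actions accept any present user;
    'high' risk actions need two factors, otherwise the app asks for step-up.
    A regressing non-zero signature counter is treated as a possible clone."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(SAMPLE_RP_ID).digest():
        return "deny"  # assertion was made for a different relying party
    if not parsed["user_present"]:
        return "deny"
    # Synced passkeys usually report a counter of 0; only compare when both are non-zero.
    if stored_sign_count and parsed["sign_count"] and parsed["sign_count"] <= stored_sign_count:
        return "deny"
    if action_risk == "low":
        return "allow"
    return "allow" if count_factors(parsed) >= 2 else "step_up"


if __name__ == "__main__":
    synced = build_authenticator_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, sign_count=0)
    device_bound = build_authenticator_data(FLAG_UP | FLAG_UV, sign_count=42)
    print("synced passkey, high-risk action:", evaluate_policy(synced, "high"))
    print("device-bound passkey, high-risk action:", evaluate_policy(device_bound, "high", stored_sign_count=41))
```

The point of keeping the decision in `evaluate_policy` rather than in the authenticator is the one the takeaway makes: the same assertion can be accepted for a low-risk action and trigger step-up for a high-risk one, and the relying party can explain that difference to the user instead of silently demanding a second factor.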

Livestream Audio Archive


Token of the week

OFFPAD