Lessons learnt in – and outside of – the FIDO Alliance Asia Pacific Summit 2023.

At the recent FIDO Alliance Asia Pacific Summit held in Nha Trang, Vietnam, attendees from around the region celebrated 11 years of developing and promoting authentication standards that help to reduce over-reliance on passwords.

It may come as a surprise to many, but the open standard online identity authentication advocated by the FIDO Alliance (and more recently in collaboration with W3C) took less than 15 years to take the shape it currently has, to become the leading global standard.

At the Summit, attendees also got to learn about passwordless authentication in Asia Pacific and safeguarding digital identities in the digital economy, including:

    • The vulnerabilities of credential-based authentication and why organizations urgently need to move away from them amid the rise of sophisticated scams generated by AI and deepfakes
    • How cyber-attacks can affect users’ confidence in cybersecurity and what can be done to restore digital trust
    • Tackling the challenges of going passwordless
    • The critical need to protect against the threat of online identity theft in the wake of a growing metaverse
    • How organizations can bolster the security of digital identities by leveraging modern authentication technologies
    • Balancing robust cybersecurity with seamless authentication for optimal online experience, especially with the phenomenal rise of e-commerce and m-commerce in the region

Speakers sharing their expertise and experience at the Summit included:

    • Andrew Shikiar, Executive Director, FIDO Alliance
    • Hieu Minh Ngo, Threat Hunter, NCSC Viet Nam & Co-founder, Chongluadao.vn
    • Khanit Phatong, Senior Management Officer, Thailand Electronic Transactions Development Agency
    • Henry (Haixin) Chai, FIDO China Working Group Co-Chair / CEO of GMRZ Technology, Lenovo
    • Gautam Pande, Vice President, Identity Solutions, Asia Pacific, Mastercard
    • Naohisa Ichihara, CISO, Mercari
    • Hyung Chul Jung, Head of Security Engineering Group, Samsung Electronics
    • Teresa Wu, Vice President, Smart Credentials – Civil Identity IDEMIA Identity & Security North America
    • Paul Heim, Director, Certification, FIDO Alliance
    • Sea Chong Seak, CTO of SecureMetric
    • Alex Wilson, Director, Engineering, Yubico
    • Dovlet Tekeyev (Dave), Director, AirCuve
    • Eiji Kitamura, Developer Advocate, Google
    • Gautam Pande, Vice President, Identity Solutions, Asia Pacific, Mastercard
    • Masao Kubo, Manager, Product Design Department, Smart Life Business Company, NTT DOCOMO
    • Cuong Tran, CTO, Pavana
    • Thang Phan, Passwordless Transformation Lead, VNPAY
    • Truong Nguyen, Back End Developer, PayPay Corporation
    • Jaebeom Kim, Principal Researcher, Telecommunications Technology Association

Having heard and learnt so much at the event, I felt it behooved me to crystallize and clarify some key issues by seeking out insights from Geoff Schomburgk, Vice President, Asia Pacific & Japan, Yubico.

Geoff Schomburgk, Vice President, Asia Pacific & Japan, Yubico

In what ways has Big Tech embraced a passwordless future? 

Schomburgk: Firstly, to clarify, there are many terms floating around the industry today. The term ‘passwordless’ is used to describe the user experience offered by providers such as Microsoft and is based on the FIDO2 or WebAuthn authentication standard.

That’s a bit of a mouthful, so the industry is moving to adopt the common term ‘passkeys’.

All the Big Tech giants are responding to the need for the reduction or removal of passwords. 

    • Google was an early adopter, and together with Yubico, we created the first FIDO standard.
    • Microsoft made big statements regarding availability of passwordless login on their Azure platform (which is behind the Microsoft 365 applications) around late 2020/early 2021 and have gradually been releasing improvements to support passwordless authentication with Passkeys.
    • Then there was a joint announcement in May 2022 by Apple, Google and Microsoft together (which was an achievement in itself) that stated the commitment of these giants to the passwordless cause through the common use of Passkeys.
    • Apple subsequently announced their support of Passkeys to secure AppleID in February 2023.

In addition to Microsoft, Google and Apple, many Identity and Access Management vendors have also enabled this: Ping, Okta, Cisco (Duo), Citrix, eBay, Facebook, to name a few. Support for passwordless or FIDO security keys or passkeys has now been added to all these platforms. 

How secure are passkeys based on FIDO2 standards?

Schomburgk: All too often we see that “complexity reduces security”.  Conversely, to increase security, we need to reduce complexity and make it easy for anyone to login securely. 

Passkeys are based on open industry standards (FIDO) which were designed from the ground up to be highly secure, easy to use and deployable at scale. 

The security built into the standard supports the latest cryptographic constructs available, which makes passkeys phishing-resistant and the most secure form of MFA available today.  In addition, the FIDO standard has been designed to allow adoption of post quantum computing algorithms in the future.

What does the broad move towards passkeys spell for businesses and end-users in Asia Pacific?

Schomburgk: Anyone who requires a simpler, faster and more secure login experience will benefit from passkeys.  That is why governments are upgrading their advice to businesses and consumers alike to encourage and/or enforce adoption of phishing-resistant MFA – i.e. passkeys – as the most secure option we have today.

Whilst the tech industry has clearly embraced support for Passkeys, the adoption by businesses and end users across Asia Pacific will be a gradual change.  Most online services today support some form of two factor or multi-factor authentication.  But we know that moving from legacy MFA such as email, SMS, or authenticator apps takes time.  For businesses this change to passkeys can be enforced for some or all users, depending on the organization’s risk appetite. 

Typically we see businesses requiring secure phishing-resistant passkeys for users with access to sensitive information.  And broader adoption is accelerating for other user groups who see the simpler login experience and increased security as a win-win.

Those businesses that realize the cost savings made when passwords no longer exist (replaced with a simple yet secure technology) will be seen by their peers as industry leaders and others will follow suit.

For consumers, online services allow users to now have different methods of logging in to the service. Industry leaders are already offering Passkeys as an option for users, then progressively this will move to a recommendation, and then ultimately become the default. This will take time and not all providers will get it right, but we will be on the path to solving the password problem.

What are some key hurdles to a passwordless future, and how could they be overcome?

Schomburgk: Simple phishing-resistant authentication has been available since 2014 and over the last few years the remaining big tech vendors have added support for passkeys into their platforms. 

So, it is fair to say that the “supply” side or availability has been addressed by the tech industry.  The challenge really now lies on the “demand” side – one of encouraging user adoption.

And the biggest hurdle to adoption is the belief that a malicious attack won’t happen to me! The result is that organizations are either ignoring the uptick in phishing attacks or simply making their passwords more complex and forcing password change more frequently. As stated earlier, “complexity reduces security”. 

So there is some work to do around broader awareness of passkeys as a better, more secure alternative.  When users start to see that passkeys remove or reduce the “MFA fatigue”, I think we will see a big increase in adoption across businesses and consumers alike.

In your opinion, why and how should industries and organizations in Asia Pacific see a wider adoption of and access to passkey security?

Schomburgk: Industries and organizations in Asia Pacific should see a wider adoption of and access to passkey security because they’re secure! They’re also easy to use and are an affordable option that is scalable within organizations of all sizes – which makes it a cost-effective and secure solution.

What is equally important is that having a strong phishing-resistant MFA option reduces the risks of attacks, which are costly for any organization.

With regards to how we can get organizations to adopt the wider use of passkey security… it comes down to providing a better user experience. Passkeys are easy to use and, as a result, this provides a convenience for the user that helps to remove MFA fatigue.

Organizations may look to implement the use of passkeys by enforcing or making their use part of their compliance. While this may be easier for corporates to implement, the risk is that they may encounter some user resistance. Offering an alternative that makes life easier for the end-user is a more effective means of ensuring sustainable change.