What's ahead for passwordless authentication: Takeaways from the FIDO Alliance plenary

The FIDO Alliance is vital in today’s evolving security landscape. It sets interoperable standards and provides the conversation spaces necessary for security companies to form a united front. OneSpan is a proud FIDO Alliance board member, dedicated to providing customers with FIDO authentication solutions.

Three times a year, the FIDO Alliance brings its members and industry stakeholders together face-to-face to tackle some of the opportunities and challenges ahead for the state of FIDO, passkeys, and passwordless authentication.

I had the chance to attend the most recent FIDO Alliance Plenary in Istanbul. My main takeaway? The security world is headed for change thanks to AI, and hardware security keys will continue to play a pivotal role.

Syncable passkeys are taking FIDO mainstream — but gaps still exist

Syncable passkeys have been a major accelerant of FIDO adoption, booming in popularity due to their enhanced security benefits. By one estimate from the FIDO plenary, there are over 2 billion passkeys in use globally, and it’s easy to see why:

• Phishing resistance. Syncable passkeys offer a more secure passwordless authentication option than traditional passwords, which are susceptible to phishing attacks.
• Improved UX and faster logins. Syncable passkeys store private keys in the cloud, reducing friction for users operating multiple devices.
• Lower costs. Passkeys often require fewer IT resources than SMS or traditional username/password solutions.

Though syncable passkeys have accelerated FIDO adoption, security gaps still exist compared to device-bound passkeys. Companies that want to implement passwordless authentication may find themselves balancing the convenience of syncable alternatives with vulnerabilities around enterprise control and policy enforcement.

Progress toward solving these challenges was another focus of the plenary, as various FIDO Alliance working groups explore two primary paths: trust signals and relational public key (RPK).

Best practices around passkeys — and more broadly, FIDO standards — will continue to iterate as threats adjust to the measures meant to block them. The FIDO Alliance plenary in Istanbul made it clear that members have a proactive mindset around these issues, particularly amid AI’s evolution.

Revamping FIDO authentication in light of AI

FIDO security will need to adapt to an AI-driven world, a reality that keynote speaker David Birch acknowledged in his visionary address during the event. It’s worth asking what effect agentic AI might have on passwordless authentication, which, as currently constructed, requires explicit proof of user presence.

If AI models start taking actions on behalf of users, the future of FIDO may need to look a bit different, especially in highly regulated industries like financial services, where margins for error are thin.

Changes to both FIDO standards and agentic AI’s role will come gradually, as tools need to prove that they are up to the task of keeping user information safe. The progression likely starts with agents using credentials before developing their own identities, and later operating within customized, user-defined boundaries as they mature. Behavioral changes like these will require new standards, devised and agreed to by the FIDO Alliance.

Infographic

Syncable vs device-bound passkeys

View this infographic to learn the difference.

View now

Shaping the future of hardware security keys

Special interest groups (SIGs) are vital collaboration avenues for the FIDO Alliance. While three new ones were created this year, the Hardware Security Keys SIG deserves special attention. Co-chaired by OneSpan, the group aims to promote the broad, inclusive adoption of FIDO2 security keys to elevate user experience.

Hardware security keys will remain foundational to the future of FIDO security because of the unique advantages that they provide, which balance user experience with protection against sophisticated, web-based threats. These include:

• Enhanced security through physical binding: Linking FIDO2 credentials to secure storage within hardware security keys offers more resilient security.
• Universal usage across your user base. Hardware security keys provide a robust solution for protecting your entire user base. This includes regulated use cases and scenarios where mobile authenticators are not accepted.
• Convenience for users. FIDO2 hardware security keys give frustrated users an alternative to the friction created by traditional multifactor authentication methods such as passwords or SMS codes.

FIDO standards are crucial to achieving a passwordless future

OneSpan is keenly aware of the vital role that FIDO plays in keeping user information safe in an increasingly passwordless world. We are committed to offering powerful, flexible authentication solutions like our Digipass® FIDO2 security keys, as well as mobile and server-side solutions.

Further, our recent acquisition of Nok Nok Labs enables us to provide customers worldwide with the industry’s most comprehensive and future-ready authentication portfolio. It also enhances and accelerates our innovation in this direction, immediately adding new software FIDO capabilities to our existing solutions, which will help our customers reach their cybersecurity objectives and ultimately drive down cyber fraud.

Digipass FIDO2 security keys

Explore OneSpan’s Digipass FIDO2 security keys for passwordless authentication.

Learn more