As we join cybersecurity companies from all over the world at RSA Conference 2023 this week, we’re excited about how the FIDO passwordless standard is expanding to provide easier-to-use, phishing-resistant authentication for a wider range of use cases.
In the security world, there is a constant tension between making technology as secure as possible and making it easy to use. RSA joined the FIDO Alliance in 2014 because we see the potential for FIDO to resolve this tension, and because we want to ensure that the standard continues to meet the needs of security-sensitive enterprises by moving closer to a passwordless future that is both secure and convenient.
As the FIDO Alliance addresses those very issues in its new passkey solution, RSA has been a champion in keeping the FIDO2 standard capable of supporting the most secure use cases while making it available for wider consumer adoption.
Historical “FIDO security keys,” now called device-bound passkeys, are for high-security use cases like accessing financial accounts (especially B2B), confidential corporate information, or systems dealing with sensitive personal information (hospitals, banks, government services).
The new credential type, “synced passkeys,” are stored in an app on a mobile device or computer and are synchronized through a cloud service and made available on all of a user’s devices.
Today, we’re putting FIDO Alliance standards to work in products designed to help organizations make a smooth transition to passwordless authentication and the improved identity security it enables.
In 2016, we introduced FIDO U2F in the RSA Cloud Authentication Service, then added FIDO2 support in 2019. And at last year’s RSA Conference, we announced the DS100—the first hardware authenticator to combine FIDO2-based passwordless authentication capabilities and SecurID OTP authentication on one device. It’s also the only FIDO security key with secure, field-updatable firmware for adding features and addressing bugs.
The DS100 demonstrates RSA’s specific commitment to the FIDO2 protocol for passwordless authentication, which makes it possible to use common devices to authenticate securely to online services.
Why passwordless, and why now? When it comes to data breaches, compromised credentials are a big problem that’s getting bigger all the time. According to the Verizon Data Breach Investigations Report, which has tracked credentials-related breaches since 2008, passwords have been one of the leading causes of data breaches every year for the last 15 years. And in 2022 alone, 84% of organizations reported an identity-related breach, according to data from the Identity Defined Security Alliance.
In fact, credentials-based cyberattacks have been at the root of some of the worst data breaches in recent memory, including Colonial Pipeline in 2021 and SolarWinds in 2020. And just this past February, attacks on companies including Activision and Atlassian were attributed to compromised credentials.
RSA has been an active member of FIDO for nearly a decade, and RSA representatives have served on the alliance’s board of directors since we joined in 2014. We have also been actively engaged with FIDO Alliance working groups, most recently with membership in the Enterprise Deployment Working Group (EDWG) and the FIDO2 Technical Working Group (TWG).
Members of the EDWG advise internally on issues that affect the deployment of FIDO solutions at the enterprise level. RSA representatives who are part of this group share their expertise on technical and other issues as part of an effort to accelerate enterprise deployments of FIDO solutions. Members of the TWG focus on advancing the core FIDO2 technical specification.
Everything we do with the FIDO Alliance is in service of their mission and our goal: a world with fewer passwords—and fewer password-related security problems.
If you’re attending RSA Conference 2023, we would love to talk with you about our work to advance passwordless and give you a demo of the passwordless capabilities of our DS100 authenticator. You’ll see our booth front and center just past the event entrance.
FIDO® is a trademark (registered in numerous countries) of FIDO Alliance, Inc.