At RSA, our mission has always been to eliminate the weak links in digital security. Today, we're thrilled to announce a significant milestone in this journey: the preview of our mobile FIDO solution, available in RSA Authenticator app V4.4 for iOS and Android. RSA ID Plus is a FIDO2-certified server, and with this milestone our authenticator app for iOS and Android is now a FIDO2-certified authenticator as well.
This marks our commitment to pioneering secure, intuitive, and seamless user experiences, and our quest to eradicate passwords once and for all.
Passwords have long been a critical vulnerability in cybersecurity: they rely on human memory and discretion, which often leads to weak, reused passwords. For a long time, we have supported passwordless options such as QR code, biometrics, one-time passcode, and FIDO2-certified hardware authenticators like the RSA DS100 to address these weaknesses.
This latest milestone brings secure passwordless authentication to enterprises by adding device-bound passkey support (mobile FIDO) to the RSA Authenticator app. It provides a secure, user-friendly alternative that removes cybercriminals' favorite target, strengthens organizational security, and keeps users connected and productive.
Passkeys have received a lot of attention, both because of commitments from Facebook, Apple, and Amazon to a more consumer-facing solution and because the FIDO Alliance adopted the term "passkey" for any type of FIDO credential. That has led to some confusion about what exactly an organization means when it uses the word "passkey," which we have tried to clarify.
The most important distinction we have found is the difference between device-bound and synced passkeys:
- Device-Bound Passkeys: This type of passkey is generated and stored on a single device, and the private key never leaves it. Because the key cannot be exported, it cannot be copied, shared, or phished out of the device, and the passkey cannot be used on another device without registering that device separately. Device-bound passkeys are phishing-resistant and offer the higher degree of security that enterprise and public sector organizations require.
- Synced Passkeys: Synced passkeys are stored in and synchronized across multiple devices via a cloud service, so a user can sign in from any of their devices without registering each one individually. They also allow passkey recovery if the host device is lost, stolen, or replaced, which is especially useful as users often upgrade their phones every couple of years. The trade-off is that the security of the passkey now depends on the security of the cloud account and its recovery flow: an attacker who takes over that account can obtain a copy of the credential. Synced passkeys may be suitable for consumer use, but they may not offer the level of assurance required for federal and enterprise environments.
By implementing a device-bound passkey solution within the RSA Authenticator app for iOS and Android, we help strengthen our clients' Zero Trust framework, providing a deeply integrated and straightforward path to phishing-resistant passwordless authentication. This technology eliminates the weaknesses of traditional passwords while offering a seamless and intuitive user experience.
Philip Corriveau, our head of UX, emphasizes why this development is important: "At RSA, we believe that security should not be a barrier but a seamless part of the user experience. With device-bound passkeys support within the RSA Authenticator app for iOS and Android, we're not just enhancing security; we're transforming how users interact with their digital identities."
Device-bound passkeys provide several layers of security that neutralize common attacks:
- Phishing: The private key never leaves the device and cannot be exported, so an attacker cannot obtain it through a phishing page. Each FIDO2 sign-in is also bound to the web origin the browser actually connected to, so a response captured on a lookalike site is useless at the real site. Unlike a synced passkey, a device-bound passkey has no cloud copy that an attacker could gain access to by phishing the user's cloud account.
- Social Engineering: The private key is neither sharable nor extractable. Users never access, remember, or handle it, so there is nothing for an attacker to talk them into revealing. Attackers cannot trick users into disclosing something they do not have access to.
- Adversary-in-the-Middle: Even if an attacker intercepts the exchange between a service and the authenticator, the public key alone does not let them sign in. Every assertion is a signature over a fresh server challenge and the origin seen by the browser, so an intercepted assertion cannot be replayed later, and one produced on an attacker-controlled domain is rejected by the real service.
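The following is an added worked example, not code from RSA, the RSA Authenticator app, or ID Plus: it models a minimal FIDO2/WebAuthn assertion on both sides, an authenticator that signs with a device-bound P-256 key, and a relying party that verifies the challenge, origin, rpIdHash, and signature. It then runs the three cases described above (a legitimate login, an adversary-in-the-middle proxy that relays the real challenge from a lookalike domain, and a replay of an earlier assertion). The domains idplus.example and idplus-login.example, the challenge format, and the authenticator model are constructed for illustration; attestation, the signature counter, and the user-verification flag are omitted to keep the example short.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors clientDataJSON; the browser, not the web page, fills in Origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// assertion is the login response the relying party (RP) receives.
type assertion struct {
	AuthData       []byte // SHA-256(rpId) || flags || signCount
	ClientDataJSON []byte
	Signature      []byte // ECDSA over SHA-256(AuthData || SHA-256(ClientDataJSON))
}

// sign models the device-bound authenticator (constructed, not RSA's code): priv never
// leaves it, and the signature is bound to the rpId and origin the browser observed.
func sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (*assertion, error) {
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin}) // plain strings: cannot fail
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount = 1
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return &assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// relyingParty holds only the registered public key plus the rpId/origin it expects.
type relyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
}

// Verify is the server-side check; each failure mode is a distinct error.
func (rp *relyingParty) Verify(expectedChallenge string, as *assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.origin {
		return errors.New("origin mismatch: assertion was made for another site")
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if len(as.AuthData) < 37 || !bytes.Equal(as.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch or malformed authenticatorData")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], as.Signature) {
		return errors.New("signature does not verify against the registered public key")
	}
	return nil
}

func newChallenge() string { // fresh random challenge, base64url as browsers send it
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Scenarios returns the RP's verdict for a legitimate login (nil), an adversary-in-the-middle
// site (hypothetical idplus-login.example) relaying the RP's real challenge, and a replay.
func Scenarios() (legit, phished, replayed error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // generated on the device at registration
	if err != nil {
		return err, err, err
	}
	rp := &relyingParty{rpID: "idplus.example", origin: "https://idplus.example", pub: &priv.PublicKey}
	ch1 := newChallenge()
	a1, _ := sign(priv, rp.rpID, rp.origin, ch1)
	legit = rp.Verify(ch1, a1)
	ch2 := newChallenge() // fetched from the real RP by the attacker's proxy
	a2, _ := sign(priv, "idplus-login.example", "https://idplus-login.example", ch2)
	phished = rp.Verify(ch2, a2)
	replayed = rp.Verify(newChallenge(), a1)
	return legit, phished, replayed
}

func main() {
	l, p, r := Scenarios()
	fmt.Println("legitimate:", l, "| AitM relay:", p, "| replay:", r)
}
```

The point to notice is that the attacker in the relay case holds everything that crosses the wire, including the user's public key and a freshly signed assertion, and still cannot log in: the browser wrote its own origin into clientDataJSON, so the relying party rejects the response before it even checks the signature. A production verifier would additionally validate attestation at registration, enforce the user-verification flag where policy requires it, and track the signature counter.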
While nearly every organization in every sector can benefit from mobile FIDO, the solution may be especially valuable for government agencies striving to meet the presidential cybersecurity mandate and comply with Executive Order 14028 by the end of the fiscal year.
EO 14028 requires government agencies to use passwordless, phishing-resistant solutions to authenticate their users. It is a critical component of modernizing and defending critical infrastructure, but it requires government agencies to act quickly and implement a proven solution.
"The FIDO2 certified, device-bound passkey from RSA is a significant asset for federal agencies striving to meet the presidential mandate and the FY2024 deadline," said RSA Federal President Kevin Orr. "More than checking a box, RSA can bring decades of security-first pedigree and a unified, scalable, user-friendly solution that can enhance collaboration for the public sector."
Our mobile FIDO solution is a crucial step toward delivering a consistent and seamless passwordless experience from start to finish. RSA Authenticator app V4.4 for iOS and Android supports mobile FIDO as a technical preview. Mobile FIDO capability will be generally available with RSA Authenticator app V4.5 for iOS and Android, which will include additional enhancements and a streamlined user experience.
The RSA mobile FIDO solution is a strong fit for Zero Trust environments, where secure, passwordless access is crucial. Device-bound passkeys align with Zero Trust principles by verifying each access attempt without relying on passwords, which are vulnerable to phishing and credential theft. Because the private key remains on the original device, access is limited to devices that were explicitly registered, which is ideal for protecting remote and hybrid workforces.
In addition to better security, the RSA mobile FIDO solution improves flexibility by enabling easy access across work environments, reducing interruptions while keeping sensitive data secure. As government mandates push for phishing-resistant authentication, the RSA mobile FIDO solution helps organizations not only secure today's needs but also prepare for tomorrow's standards.
At RSA, we are at the bleeding edge of passwordless technology. Our relentless commitment to innovation drives us to create solutions that redefine digital security, and by transitioning to a passwordless environment we are paving the way for a more secure and user-friendly world.
We are excited to continue this journey with you and look forward to making our mobile FIDO solution generally available as part of V4.5. Together, we can set new standards for the industry and lead the charge toward a future where authentication is both secure and intuitive.
Stay tuned for more updates and insights as we continue to lead the charge toward a passwordless future.
RSA launched the 4.5 Authenticator App in December 2024. Learn more about the innovation bringing phishing-resistant, passwordless, FIDO2-certified authentication directly to users' mobile devices. Or, if you are an admin, learn how to enable the feature in RSA ID Plus.