FIDO Multi Device Credentials with Andrew Shikiar and Tim Cappalli

Media Thumbnail
  • 0.5
  • 1
  • 1.25
  • 1.5
  • 1.75
  • 2
This is a podcast episode titled, FIDO Multi Device Credentials with Andrew Shikiar and Tim Cappalli. The summary for this episode is: <p>On the first episode of the 4th season of Identity Unlocked, host Vittorio Bertocci, Principal Architect at Auth0, is joined by Andrew Shikiar, Executive Director &amp; CMO, FIDO Alliance, and Tim Cappalli, Digital Identity Standards Architect at Microsoft. Vittorio, Andrew and Tim discuss the new FIDO multi device credentials, commonly known as passkey,&nbsp;a new FIDO feature that are an alternative to passwords in consumer grade applications.</p>

VITTORIO BERTOCCI: Buongiorno everybody, and welcome. This is Identity, Unlocked and I'm your host, Vittorio Bertocci. Identity, Unlocked is the podcast that discusses identity specifications and trends from a developer perspective. Identity, Unlocked is powered by Auth0, in partnership with the OpenID Foundation and IDPro. In this episode, we discuss multi- device credentials, an upcoming FIDO feature that can possibly, finally, be a viable alternative to passwords for consumer- grade applications. To do that, I have two fantastic guests today. I have Andrew Shikiar, Executive Director of the FIDO Alliance, and a returning guest, Tim Cappalli, Identity Standards Architect with the Microsoft Identity Team, and one of the main folks working on those new use cases and updates. Welcome, guys. Thank you so much for being here.

Andrew Shikiar: Vittorio, thanks for having us.

Tim Cappalli: Hey, Vittorio. Thanks.

Vittorio Bertocci: Thank you for being here. We already heard Tim's story during the CAEP SSE episode in season... Aha. What season was that? I don't remember. Anyway, we'll add the link. But this is the first time that we have the pleasure to host Andrew. Andrew, it's tradition for the Identity, Unlocked show that the guest starts the episode, sharing their story of how they ended up working in identity. It's always an interesting story and I'm sure yours would be no exception. How did you happen to work in identity?

Andrew Shikiar: Yeah. It's interesting. I guess I don't want to date myself, but I think I was doing identity before identity was cool, way back when I worked at Sun Microsystems in the mid 90s, and the Java team. I left there to pursue startup riches and once those didn't materialize, I was recruited back to Sun to help launch the Liberty Alliance back in 2001.

Vittorio Bertocci: Wow.

Andrew Shikiar: For those not familiar, Liberty Alliance was the standardization effort, the first standardization effort around federated identity. It was actually launched as a counterpoint to what Microsoft was doing at the time with Passport and Hailstorm, which is centralizing identity through that system.

Vittorio Bertocci: I remember.

Andrew Shikiar: I know you do. You do. It was interesting. That whole experience was fascinating, and I've done some Alliance work before that. A lot of my initial work was actually recruiting the initial participants for Liberty Alliance. It was really a great opportunity at an earlier stage in my life, frankly, to work with some brilliant people, who I've been able to reconnect with since then, like Eve Maler and Jeff Hodges and many others. That Sun team was really dynamic. But after we got Liberty up and running, my focus pivoted towards Sun's go-to market efforts with their very nascent identity team. That job basically entailed working to educate Sun's sales force on not only how to sell software, but that comprised basically going around the world and talking to C-suites at Fortune 50 companies about this concept of identity. As a reminder, this is 2001. I still recall my slides, and the opening slide, and of course, this was not PowerPoint, this was open office because it was Sun. In open office. It started with the question, what is identity? Right. Single thing. Then, what does identity mean for your business? What does identity mean for your employees? What does identity mean for your customers? We'd have these very high level conversations with CEOs, CTOs, CFOs of very large corporations, and they hadn't thought about identity outside of their brand identity. It was a brand new concept at the time, and I think about that often, now, 21 years later. I personally actually stepped out of the identity space for several years, from around 2007 to around 2016, and I came back into FIDO Alliance. What's amazing to me, by and large, we're still having the same conversations that we had in 2001. What is identity? Now, in some ways, we've made a ton of progress. Obviously, identity has come together as an industry. It's a multi- billion dollar industry. So much innovation happening, so much progress is being made. But in some areas, we're still kicking the tire around some of these concepts and they haven't seen as much progress. It's been nice to be back in identity, coming full circle in my career over the past several years, helping lead FIDO Alliance, reconnecting with a lot of old identity friends and helping and working together to drive a lot of these concepts into market.

Vittorio Bertocci: Fantastic. Thank you for sharing your trajectory. I didn't know, and it makes complete sense. I can see how being exposed to the only challenges that you'd have with the Liberty Alliance, which had a common enemy, so you could rally the troops. But at the same time, again, like lots of different people with different opinions. I can see it was a formative experience that prepared you to be so incredibly effective as you have been as the head of FIDO Alliance, which is one of the smashing successes of our times, I believe. Also, like the thing earlier you said, identity today is cool. I wish it would be true. Identity today is at least profitable. There is money to be made in this space. Whether it's cool or not, I'm not sure. But anyway, I'll take your word for it. Thanks, again. You absolutely did not disappoint. This was a great story. Now, let's thrust ourselves straight into the core of the episode. We know what we want to talk about, that famous feature that we won't name yet. But before we go there, not everyone in our audience heard the episode about WebAuthn with John Bradley. Can you guys give me a refresher of what FIDO is and in particular, what WebAuthn is and what it does for developers?

Andrew Shikiar: Yeah. Why don't I start there, give us a high level background on FIDO Alliance and what we're trying to do? For many of you, this will be familiar. For some of you, it might not be. FIDO Alliance itself was launched around almost 10 years ago with the aim of actually reducing data breaches. The best way to get rid of data breaches is to attack the password problems. Passwords are the root of over 80% of data breaches, and so that's a tip of the spear and that's what we're focused on doing. Fundamentally, what FIDO does is deploy user-friendly, asymmetric public key cryptography. That's a mouthful and an earful, but basically what it does, it replaces the concept of a password with a key pair, introduces the concept of an authenticator. The authenticator holds a private key that the user must verify their self to, and then instead of a password on the server, it's just a public key. At a high level, that's what we're doing. That concept in and of itself is not new. PKI has been around for years, smart card's been around for years. But FIDO's tagline is simpler, stronger authentication, and both those words are absolutely critical. The strength has always been there, but the simplicity has not always been there. The average person shouldn't have to be able to say, let alone understand what asymmetric public key cryptography means in order to use it. It's user-friendly. We like to say it's single gesture, public key cryptography, in the sense that it's a biometric. It's a touch with security key. Whatever it might be, it's a very user-friendly approach to doing this, and that's critical for multifactor authentication to take off. There's a long history of MFA products that are too complex to scale, both for consumers and also in the enterprise. Very interestingly, recently, the US government, it's part of the Zero Trust strategy. The OMB, Office of Management and Budget, specified that as part of the Zero Trust strategy, agencies must deploy unphishable user authentication. Not just PIV and CAC, which they have been doing for years, but also now, FIDO security keys. Security keys are much easier and quicker to deploy and provide the same level of unphishability with a higher level of usability. I think that's a very powerful proof point in the enterprise too, where usability and simplicity comes to the fore.

Vittorio Bertocci: Absolutely. The thing that I believe is the secret sauce that you guys deployed is that although those ideas aren't new, while the remaining ideas, they are not very consequential. What you guys successfully did, which never ceases to impress me, is to go to all the relevant places, all the relevant players, and have them implement this thing so that you actually made it possible for the end user to tap into those capabilities without having to do installations and being aware. We all remember PGP, which I think is still around, and it's basically the same principle, the same laws of physics, but arcane and obscure for a normal person. Whereas by the fact that you worked with all the big names in operating systems, browsers, hardware and similar, you actually made it approachable to everyone, and in particular to developers. Tim, do you want to add something about what this meant for developers?

Tim Cappalli: Yeah. I think the nice thing is what I call the FIDO2 stack or the spec family. Ultimately, there's two different audiences. For the most part, the average developer that is responsible for signing on a relying party or a resource, they don't have to worry about all the plumbing to get to an authenticator, whether that's USB, NFC, Bluetooth, or even the platform. That's handled in a spec that is specifically targeted towards that group, and that's the Client To Authenticator Protocol spec, so CTAP. A lot of people sometimes call it the FIDO2 spec, just the little mixing of terms, but ultimately, FIDO2, there's WebAuthn and CTAP. Those are the two specs that make up the family, and WebAuthn is that browser API, the JavaScript API. That is what interfaces with developers. We're starting to actually see a point where developers maybe don't even have to really be too aware of WebAuthn and all its innards, because there are some really amazing SDKs out there. We're just seeing significant support across SDKs, relying parties, SaaS services, etcetera, for this as an overlay to what would be perceived as complexity if someone picked up a spec. No one wants to read a spec. Even the people who write the spec don't want to read a spec.

Vittorio Bertocci: Yeah. Oh, absolutely. I relate 400%. Great. The developers, don't need to be exposed to the nitty- gritty details, but there are still some things at a higher level that people need to reckon with. In particular, I'm thinking of the requirements that end up being on the end users. The top two things that come to mind are the two authenticators that come out of the box, like you mentioned, roaming authenticators and platform authenticators. Can you add a bit of color of what those are and what they mean in term of usability of the system?

Tim Cappalli: Sure. Yeah. The pattern that evolved between roaming authenticators and platform authenticators is that a roaming authenticator being generally a USB thing you attach to your key chain, but most of the time it has some other protocol. NFC plus USB is a very popular combo because of mobile devices, and really that became your bootstrapping key. The first time I wanted to sign in to a resource on my new device, whether that was a laptop, tablet, or phone, you obviously can't use the authenticator that's built into that device because it's fresh. It's factory reset. The idea was that the roaming authenticator could become the bootstrapping mechanism, and the first time you used that, the relying party or the application you're accessing could take you through a step of enrolling. We call this the trusted device model. Now that you've bootstrapped, now you can actually use that local device from then on out, and that's a super seamless pattern. Most users are familiar with the screen lock concept, and that's ultimately what the user experiences is; their screen lock to unlock other applications. That is, I think, what is the most fluid and amazing experience for users. We hear users all the time just calling this Windows Hello, or touch ID or face ID, not even understanding all the technology behind it. But it's just what they're used to when they're doing their daily operation of their device. It just flows right in and becomes magical to the user.

Vittorio Bertocci: The thing that you described is the platform authenticator, as in the thing in the device?

Tim Cappalli: Correct. Correct.

Vittorio Bertocci: Perfect. Whereas when you mentioned with roaming, instead, we are talking just to be concrete, the classic YubiKey that people use for accessing their GitHub and similar experiences, right?

Tim Cappalli: Right. Right. Something you can unplug or detach or physically remove from the device.

Vittorio Bertocci: Right. Well, I have a few, because of course, throughout the years, but the one that I love is one that has USB-C on one side and lighting on the other, and I can use it both with my Surface, with my Mac and with my iPhone. That's really nice. Those things clearly raised the security level to a now acceptable level. Both are unphishable. They're cryptographically, very solid. Great. Fantastic. But now, tell me more, any of you, about adoption of these, both in the business world, and also let's talk about the consumer- grade applications adoption as well.

Andrew Shikiar: Yeah. I'll start. It's interesting the little dialogue that you all just had about WebAuthn and PGP and the challenge that FIDOs face, or really any new technology faces. If you think about what FIDO is trying to do with our specs, it's a pretty audacious goal; to replace passwords. Also, by the same matter, SMS OTP. That's a bigger story to talk about actually is we're trying to get rid of legacy credentialing, knowledge- based credentialing in general, and move to this possession-based approach that we're talking about. Possession-based authentication is not susceptible to remote attacks, to phishing, and all the things that are causing all the problems we see today. But to get to that point, to be able to replace passwords and OTPs, knowledge-based credentials, we need to take on their competitive advantage, which is ubiquity. The thing about passwords or SMS OTP, anyone can do it. It's not great to enter a password on a smart TV, but you can do it. It's not great to do an SMS OTP on a feature phone, but it works also. That's why WebAuthn has been so important and why the FIDO2 support and platforms has been so important. All that's happened over the past couple of years, to the point where now virtually every modern web browser, every modern device does have FIDO support built into it, which has set the stage for adoption, which gets back to your question, Vittorio. Who's using this? I think that if you look at different use cases, we're seeing different patterns of use. There's very broad support in the enterprise. I've seen projections from Gartner, for example, who says that 2022 is the year that more enterprises are going to start deploying FIDO authentication and pass those authentication to their employees. We're seeing that take up across the board. Microsoft has built FIDO support extensively into all of its platforms, which allows businesses to more rapidly deploy FIDO authentication, as other companies have as well. Basically every identity stack today supports this, which has set the stage for large enterprise implementations. On the consumer side, we're seeing good progress as well. WebAuthn, as Tim was saying, basically allows any web developer to do the advanced cryptography that they couldn't do otherwise. Most web developers just want to focus on their domain, build the site, build the functionality. The last thing they want to think about is authentication, which is why so many historically have defaulted to passwords or maybe SMS OTP. But WebAuthn now presents them with a public API and as Tim says, there's a lot of SDKs out there and web frameworks out there that developers can use to actually implement advanced cryptography instead of passwords. We've seen companies like eBay, is a famous example. They rolled their own implementation of FIDO, working off the WebAuthn specs, allowing anyone now to log in without a password. We see the US government with supporting this. A lot of government sites support it. A lot of banking sites support FIDO authentication. I've seen what I would categorize as really strong initial adoption of FIDO for the masses. Now, that being said, we have a long ways to go. What's interesting to me, from my perspective, I talk to companies on a frequent basis about their FIDO deployment plans and have been over the past couple years, the conversation generally has gone from, what is FIDO and why should I do this, to like, okay, how do I do it? The number one question about how do I do it, comes back to usability. Yes, FIDO, we're hitting our goal of simpler, stronger authentication, but I don't think it's quite simple enough for the adoption take off like we wanted to. So we realized that we need to address usability. We've done a couple things in enterprise inside of FIDO Alliance to do this. One is we actually released UX guidelines for how to deploy FIDO to platform authenticators. But beyond that, more work needs to be done and we're excited about the next phase of innovation around FIDO authenticators.

Vittorio Bertocci: Tim, do you want to add something?

Tim Cappalli: Yeah. I think one of the challenges that I think we set out to start looking at is, many of the deployments that are out there today, eBay, GitHub, they're all fantastic deployments, but you still need a password. You still have to capture a password to make the solution work. It's a journey. This first step was, you still need a password, but you're going to use a second factor, either from a YubiKey or a security key, and then you enroll the platform. But we still had that password in the database. The users still need to know it or have it in their password manager. The next step is, how do we get to a world, which I think we're going to see very shortly now, where developers never have to capture a password in the first place, the password field disappears from account creation flow? To me, that is when we claim amazing, monumental success, when there's no longer password fields nor magic links or any of the other things people do to not acquire a password.

Vittorio Bertocci: If I can be a bit autobiographic at the last Authenticate, I actually had the honor to get on stage and show some of the adoption data. We polled our users and it was very clear that people were just uncomfortable with completely letting go, and I think for good reason. Because at the state of technology today, the moment in which you say that you want to use a platform authenticator and you place it on your iPhone, and then you forget your iPhone on the Uber, and then now, what's going to happen? Okay. You do need some mechanism for recovery, which so far, we didn't have. But I think that here, that's where we start talking about recent history. I know that a number of the important manufacturers looked at what FIDO had to offer, looked at the usability challenges, and plotted a path forward that they thought would solve those. Can you tell me a bit about that? What happened?

Tim Cappalli: Right. Yeah. One of the things. I think us, all being technologists, we have no problem carrying a security key on our key chain. But the reality is the world is moving away from having a key chain at all. In the past two years, we've seen car keys, apartment keys, dorm room keys, everything is moving onto to a phone or a similar device. To ask consumers to go have this little USB thing on their key ring, just to access their basic consumer services, there's no way we would get to that point, and that the numbers show that. That has been in our opinion, one of the highest barriers to entry for this, just from both a usability standpoint and a cost standpoint, from inclusivity around the world. Not everyone can go out and buy even a$ 30 piece of hardware. If we start looking at what could we do to take advantage of these seven to eight billion smartphones that are in people's pockets that are capable of doing something, Microsoft, Google, and Apple, together with the FIDO Alliance, came together and started to look at, can we take advantage of those devices? We realized early on, absolutely yes. We already had an idea of how we could use your phone to... My Android phone could slide into windows and vice versa through all these ecosystems, which have traditionally been very siloed. Generally, these things don't work well together. That's been one of the problems. But we realized that wasn't really the problem. The problem was exactly what you described, Vittorio. I lose my phone. I lose my Android phone, my iPhone. I don't have a backup. There's no possible way for me to transfer something between devices because I don't have the original device. That's where we re- shifted the focus to, how do we make recovery and how do we make this a true usable solution, more akin, closer to a password manager? The password manager experience, as much as it is passwords, the user experience is fantastic, and it works right. The user just signs in again on another device and everything is there and everything just works. That was the thinking. Apple really led the charge on that thinking of this password manager-like experience for this next generation of credential. That's how we landed on what we're calling in the specs, multi-device credentials and what we're more casually calling for consumers, passkeys; password, pass key, fun, little take that we hope catches on. We think it will. We've already heard people talk about it, even in the early days. The idea here being that for the lower security use cases, which are not necessarily enterprise use cases, can we have this idea that the platform can help the user, both ensure their credentials are on their devices when they need them, but also help the user select the credential when they need to use it? If we break those out into two, let's start with the first one, the first is ensuring that if I leave my phone in the car and I go get a new phone, after I've securely proven who I am to log into the platform services, which are some of the user's most critical things, like Google Photos, iCloud Photos, people's lives run on these things, after they've gone through that strong process that exists today, is there a process to then restore a set of keys, these WebAuthn credentials, these multi-device credentials onto that device so they can pick up where they left off and continue on with their day, and this worry about not having access to your account goes away? We came to the conclusion, yes, that was possible. The platforms today, they already have incredible security. There's platform documentation that you can read for days that talks about all these security mechanisms in place, and it was perfectly suited to solve this problem. Thinking about the recovery standpoint, you also gain some usability. If I have multiple devices in the same ecosystem, so let's say I have a tablet and a phone and a laptop from the same company, and I'm signed in to the same account, well, now it just magically works across all my devices as well, just like a password manager. The initial reaction is often like, well, what about the security of all this? And we really start to map out on a security spectrum. If we went all the way to the left with what I call one, and we go all the way to the right, which is two, on the left- hand side, you have passwords. Let's call it 1.1. You have password plus OTP, because developers have been told for years now, passwords are phishable and adding an OTP adds another layer that makes it a little bit less bad. But that's painful. Users hate that. The user thinks they're logged in after they put their password in. Now, they have to do this other step and it's awful, it's miserable. Then you look all the way to the right-hand side and you have FIDO2 security keys with hardware backing and all of the things that make security keys amazing for a ton of use cases, as well as some platform capabilities that are heavily geared towards enterprise. Windows Hello is one example where you know there's a TPM and there's like these very rigid enterprise requirements, which are fantastic for those use cases. But there's nothing in the middle here and that's what we were trying to solve. We want to solve for the 1.5, which is this multi-device credential model, where a developer that has rolled out password plus OTP could drop this in and think nothing. That is instantly better because it is cryptographically bound and phishing resistant.

Vittorio Bertocci: Fantastic. You went in a whirlwind tour and you placed so many things on the stove. Let me take a step back and try to see if I followed. You mentioned how we can meet this challenge of the recover, and you mentioned extra advantages in usability, as in using the same credentials across devices. Fantastic. Let me be concrete. Are you saying that now, I can have a key that behaves like a FIDO key, that instead of being either relegated to a piece of dedicated hardware, like a key, or relegated to one particular device, as it would be a case with roaming and platform authenticator respectively, but instead, you have a key that is shared across a family of devices? That I go on my iDevice, I have my Mac, I have my iPhone and my iPad, and now, once I use this key with a certain relying party from my iPhone, and then I land on the same website from my Mac, then I can use the same key?

Tim Cappalli: Correct. Yep.

Vittorio Bertocci: Honestly, this is magic. Great. This thing, I'm guessing, some of this magic already happens. I just recently bought a new iPhone because I take too many pictures. I needed a bigger one, and I did my migration, which works pretty smoothly. As part of that migration, I was asked to sign in again and iCloud brought back almost all of my sessions, so I didn't have to re-authenticate in my new phone. Are you saying that now, FIDO keys have this superpower as well?

Tim Cappalli: Right. They can be enlightened through those existing services that exist, with the potential to even have a higher level of security for that specific thing. Photos are one thing, credentials are another thing. There are protections in place, which you can go to certain vendors' websites and actually get a very deep dive into how this works, but it's not just access to the account. You need another piece of information. You need, let's say, your old device's pin. It's having access to just your Apple ID or your Microsoft account or your Google account. It's not going to be enough to gain access to this, and that's a super important detail because it does differ from access to your photos or restoring your apps. It's a different security model with a whole different set of properties.

Vittorio Bertocci: But that is vendor specific. Let's say that Apple has a discretion to do it in a way, Google might do it in a slightly different ways. Microsoft might do it then exactly. Okay. Perfect. This is great. Andrew, do you want to comment on how this thing improves some of the problems that you expanded earlier?

Andrew Shikiar: Yeah. I think fundamentally, FIDO's challenge has been an account recovery challenge. We've known this for a while. Earlier on, I was talking about the benefits of possession-based authentication, which are great and profound. But the question's always been, well, what happens when I lose possession of that possession-based authenticator? What do I do then? I personally think the lost device use case is overblown, but the new device use case is under blown. People add devices to their lives all the time, where you go to a smart TV or something like that. There you go. I think cracking that account recovery challenge has been a focus area for FIDO, and I think that this helps solve that. Now, it's not every use case that it solves, but I think it's the long tail of consumer service use cases are a perfect fit for this. At the end of the day, a multi-device credential is just one signal that a relying party needs to consider. But if you step outside the world that we live in, which are large technology providers, large service providers with massive technology infrastructure, who can do things like manage risk signals and authentication signals, if you think about the average T-shirt shop or very basic online merchant, or restaurant or whatever it might be, the very long tail, these are companies that are comfortable using social logins. But they're still sitting on passwords or they need some sort of credential to help people recover their accounts. Passkeys will be a far better way, a far more secure way for them to actually authenticate consumers. Very significantly, I think part of the challenge we've had as an industry has been getting credentials off the server. You think about the ongoing cycle of credential theft, credential stuffing, credential theft, credential stuffing, that cycle won't end until we break our dependence on credentials, knowledge-based credentials. Those have been sticking around because of need for recovery, so eliminating that need allows us to finally start eliminating credentials off the server. So we're very excited about that.

Vittorio Bertocci: Fantastic. Wonderful. Now, taking the developer perspective is this thing, this multi-device credential, a new type of authenticator, or are you augmenting and overloading one of the existing ones?

Tim Cappalli: I think ultimately, we are in a way, simplifying what a developer has to implement. Because now, something like your phone, the way the protocol works is, this is ultimately a platform authenticator and my local machine is a platform authenticator. Now, the platform can help figure out where the credential lives and the developer no longer has to request and say, "I want a credential from a security key, or I want a credential from a platform." The platform is now going to help the user. One of the things that I mentioned earlier that we're working on in the spec is, how can we have that password manager- like experience? Think about a username field that now shows these platform credentials from your local machine or from your phone in a little dropdown box, that all you have to do is tap and do fingerprint interface and you're in. Developers no longer have to worry about that distinction anymore of where the credential is coming from.

Vittorio Bertocci: Okay. What I'm hearing is those multi- device credentials are exposed as a platform authenticator, like you're extending the traditional platform. Okay. From the consumer perspective, I think this. Personally, I believe it's going to be a game changer. So absolutely fantastic. But if I put myself in the shoes of someone that was relying on the fact that a platform authenticator guaranteed that the device was actually that one particular device, did you hear people concerned about this? How would you respond to people saying, for the enterprise people, "I don't want to lose this ability to say yes, this was this particular device and not any other"?

Tim Cappalli: Yeah. If we go back to that sliding spectrum between one and two, we think what we've added to the spec and what all vendors are planning on looking at is a 1.75, which it's still not quite a hardware security key that has a certain set of properties, but it's better. It's better than just this key that is synced. It's called the device public key. It's an extension in WebAuthn and it allows you as a relying party to say, "Hey, I want some extra information if you support it." Can you give me a key that is bound just to that device, to just let me know that the multi- device credential is coming from a new device? We're seeing this more as a new device signal. We see this super valuable at Microsoft as providing the ability for an admin to say, "I'll accept a multi- device credential. No problem." But the first time you use it on a new device, we want to do something else to check who you are. After that point on that same device, you are good to keep using that credential. We think that's a nice balance between the enterprise heavy-security model and the usability, and the fact that users are going to be super used to this in their personal life, this new experience. We think that's going to be a great balance and it's super flexible. We're still hashing a lot of that out. We're coming up on more use cases that this device public key might be able to use, so we do believe that we have a solution. Honestly, at the end of the day, if you still have this very high security need, governments, for example, and FIPS, there is a whole solution area for that, which is proven out over the years and it's not going anywhere, which is security, these hardware security keys.

Vittorio Bertocci: That's it. If a relying party wants to know whether the key that is being used is a traditional, let's say 2 in the spectrum, as opposed to 1.7, do they have the mechanisms for knowing, right? That's what you are...

Tim Cappalli: Yeah. Yeah. Really high level, there's two ways. One is all the certification work that FIDO does, ultimately goes back to a directory called the metadata service. You, if you're checking attestations today to validate the authenticator, there will be a difference that you can detect when this change happens. But also for the relying parties that aren't doing that, that's a little bit more work to implement, we're adding some simplicity at the WebAuthn end layer to actually give a flag to the relying party to say," Hey, this credential is allowed to be backed up, and whether it's currently backed up or not." We expect those. We're calling it the bit, to essentially allow an RP to drive UI/ UX to say," Hey, you've had a credential that you enrolled two weeks ago that's been backed up for a while now. Maybe it's time to run the user through a UX flow to remove their password, that magical remove password thing that everyone dreams of." We're trying to give the relying party developers as much visibility as possible while still maintaining all the privacy preserving promises of FIDO.

Vittorio Bertocci: Fantastic. I have to say, I've always been a skeptic. Every time I heard people saying this is the year in which we kill passwords, I always thought, "Okay, that's marketing liking to be hyperbolic." But this is the first time in many, many years that, of course it won't be one year, because even if the solution will be completely frictionless, it's going to be a while, but I do think this has the potential to truly... These, plus fact that everyone has a phone, which is capable, it's fantastic. But now, in good tradition, of course I still find something to be unhappy about. Sorry, you have to cope with that. The main question that I want to ask is, this thing relies on popularity. This thing will be largely driven by the big ones, like Apple, Google, and Microsoft, are the ones that give you the devices that have this capability. It looks like if this thing is successful, which I believe it will be, those three companies will now be somehow in the critical path of everything. What do you think about it? Do you think there should be any concern, any things that people should do to cope with that? What do you think?

Andrew Shikiar: Vittorio, to your point earlier, I think I often get the question, when are we going to get rid of passwords and when will we be passwordless? It is a journey, and not a sprint. I think more important than passwordless is less passwords. Ultimately, we want to start taking passwords out of the equation. The fact that these three companies came together within FIDO Alliance to collaborate on this, I think it's incredibly profound and powerful. Now, I'm not trying to dodge your question. The fact of the matter is these companies, they have device platforms that the vast majority of people on this planet use. We talked earlier about the importance of ubiquity, ubiquitous access, and this is the way to get ubiquitous access. By building it into these devices which are tied, often tied to the user's identity, it's a very natural starting point to really address the authentication process for users that does not require password. Is there a trust issue or is all the security going there? It depends on the persona that you're talking about. From a relying party standpoint, again, they don't need to take this as a binary signal. Some will say, there's going to be flagging mechanisms. They see that someone's loging through the same key, they might want to add other data on top of that to authorize the authentication. From a consumer standpoint... What's so funny? My dog?

Tim Cappalli: Oh, it's FIDO. He arrived.

Andrew Shikiar: Sorry, producers.

Vittorio Bertocci: It is FIDO.

Andrew Shikiar: I'm sorry, producer. Yeah, I know.

Vittorio Bertocci: That's perfect.

Andrew Shikiar: Come on, Otis.

Vittorio Bertocci: No, don't worry. Don't worry. Don't worry.

Andrew Shikiar: Ultimately, the fact that these platforms are supporting multi-device credentials gives greater scale to the promise of the goal we've always had. FIDO's goal has been to reduce industry reliance on passwords, and building it into platforms are helping make that a reality.

Vittorio Bertocci: Wonderful. Thank you, Andrew. That makes lot of sense. All right. Before we part ways, and this has been an amazing conversation and I'm very grateful for you guys to have taken the time to chat with me about these, so clearly, that's early days. But if you were to make a call for action for the audience, think that our audience are largely relying party developers and some identity provider, so what would be the call to action? What's the way in which we can help to make this a reality?

Tim Cappalli: Yeah. I think there's already been some buzz. We've already heard about this technology a little bit and over the past few months. I think that the comment Andrew made is super important. I know it's a little buzzwordy, but it's, this is a journey. We're not going to flip a bit tomorrow and this is going to be solved. What I would ask is this. The next 12 months or so are going to be like a giant dev trial. We have all the stuff, it's all coming together. We're working on developer resources. We're working on a very pointed something we're calling, how to passkey. How do you build this very specific use case, which is like, I never want to have a password in the first place, or I want to remove a password and get rid of password plus OTP and all those? It's the very pointed use cases that there's really not a lot of good developer resources, independent developer resources today. They're always about this SDK or that. I think the next 12 months, if we can get the industry to play, for all intents and purposes, and start testing this stuff and give feedback, if you're familiar with the spec world, the specs aren't going to be final for a little bit of time. We have time to make tweaks if we need to. That is the goal and I think Apple and Google would agree with me on that. This is the time to play. I think if we do that, realistically, you can quote me, I think in 24 months, we will start to see a significant number of relying parties starting to remove passwords, or never accrue them in the first place. We can get there.

Vittorio Bertocci: Fantastic. Andrew, any parting words?

Andrew Shikiar: No, I think Tim hit it on the head. The call to action for relying parties is to learn about this, dig into it, and give feedback. We're super excited to have released multi-device credentials and talked about it. It's now out in the domain for people to start working with. It will be an initial implementation in these platforms and I would expect any technology after this, to iterate and improve over time. That only happens though with feedback. Whether you bring it in through FIDO Alliance, through W3C, or directly through these platform companies, please do. Because ultimately, it's a holistic effort. Passwords are a universal problem, and it takes everyone to actually commit to getting these credentials off their servers and moving towards a less password future.

Vittorio Bertocci: Fantastic. Amazing. Once again, thank you so much for taking the time to come here and chat about this. We'll publish links and we'll see how that evolves. Who knows? Maybe I'll have you over again after some time, so that we can see where we landed. Thank you.

Tim Cappalli: Thank you, Vittorio.

Vittorio Bertocci: Thanks, everyone, for tuning in. Until next time. Thanks, everyone, for listening. Subscribe to our podcast on your favorite app or at Until next time, I'm Vittorio Bertocci, and this is Identity, Unlocked. Music for this podcast is composed and performed by Marcelo Woloski. Identity, Unlocked is powered by Auth0, in partnership with the OpenID Foundation and IDPro.


On the first episode of the 4th season of Identity Unlocked, host Vittorio Bertocci, Principal Architect at Auth0, is joined by Andrew Shikiar, Executive Director & CMO, FIDO Alliance, and Tim Cappalli, Digital Identity Standards Architect at Microsoft. Vittorio, Andrew and Tim discuss the new FIDO multi device credentials, commonly known as passkey, a new FIDO feature that are an alternative to passwords in consumer grade applications.

Today's Host

Guest Thumbnail

Vittorio Bertocci

|Principal Architect, Auth0

Today's Guests

Guest Thumbnail

Tim Cappalli

|Identity Standards Architect, Microsoft
Guest Thumbnail

Andrew Shikiar

|Executive Director & CMO, FIDO Alliance