FIDO: Passkeys beat passwords in phishing fight

Using a password not only becomes the worst user experience, but it becomes a high-risk activity, FIDO executive director says.

Francis Scialabba

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

The FIDO Alliance wants to leave passwords behind, because passwords get shared, guessed, and left behind.

In the fight against a growing number of text-, phone-, and email-based phishing scams, speakers at the FIDO Alliance’s Authenticate Conference in California this week made a case for passwordless security options like the passkey over the oft-hacked password.

“Any enterprise that’s using passwords or legacy forms of MFA is taking a gamble they will eventually lose,” Andrew Shikiar, executive director of the industry group known as the FIDO Alliance, told attendees.

Fresh off audio-deepfaking the set of 60 Minutes, Authenticate keynote speaker Rachel Tobac demonstrated another round of sophisticated, programmatic voice cloning. Using audio data from a previous Shikiar presentation on YouTube, Tobac, the CEO of data protection firm SocialProof Security, created a realistic-sounding but bogus clip of the FIDO chief saying: My name is Andrew, and I like cats instead of dogs. (Lies, says the dog-loving Shikiar…)

Phishing inphlation

  • 54% of 10,000 global consumers said they’ve “seen an increase in suspicious messages and scams,” according to an October “barometer” study from the FIDO Alliance. 52% believe the fraud attempts “have become more sophisticated.”
  • A 2023 phishing threats report from IT services company Cloudflare found that identity deception threats have increased “YoY from 10.3% to 14.2% (39.6 million) of total threat indicators.”
  • According to the FTC, “consumers reported losing $330 million to text-message scams in 2022, more than doubling” the 2021 total.
  • Last month’s hack of the MGM Resorts casino chain appeared to begin with social engineering using an IT employee’s LinkedIn data, reports from Vox and Bloomberg said.

With “FIDO authentication,” users sign in with credentials known as passkeys; no secret like “qwerty” is shared, and the credential is stored on a computer or phone. The passkeys can either be synced across devices or bound to a specific platform, biometric, or security key—not a password that an ethical hacker like Tobac can phish from an unsuspecting user.
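To make the phishing-resistance point concrete, here is an added Go model of the FIDO2/WebAuthn sign-in flow. It is illustration code written for this page, not code from IT Brew, the FIDO Alliance, or any passkey library: the type names (Authenticator, RelyingParty, Assertion), the helper rpIDFromOrigin, and the hostnames login.example.com and login-example.com.evil.test are all constructed for the example. The device keeps a per-site private key, signs a server challenge together with the origin the browser is actually on, and the server verifies origin, challenge freshness, and signature. A look-alike site gets no signature at all, because the device holds no key scoped to its origin.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// Authenticator models the user's device. Private keys never leave it, and
// each key is bound to the relying-party ID (site) it was registered for.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // rpID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// RelyingParty models the site's backend. It stores only public keys, so a
// database leak yields nothing a phisher can replay.
type RelyingParty struct {
	ID        string                      // hostname, e.g. "login.example.com"
	pubKeys   map[string]*ecdsa.PublicKey // user -> public key
	challenge []byte                      // outstanding challenge (single user, for brevity)
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}}
}

// Register creates a key pair on the device for this site and sends only the
// public half to the server. No shared secret ("qwerty") ever exists.
func Register(a *Authenticator, rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.keys[rp.ID] = priv
	rp.pubKeys[user] = &priv.PublicKey
	return nil
}

// Assertion is what the browser hands back to the server after the user approves.
type Assertion struct {
	Origin    string // origin the browser was really on when it signed
	Challenge []byte
	Sig       []byte
}

// NewChallenge issues a fresh random challenge; it is accepted once only.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	_, _ = rand.Read(c)
	rp.challenge = c
	return c
}

// rpIDFromOrigin derives the relying-party ID from the page origin the way a
// browser does (hostname only; registrable-domain suffix rules are omitted).
func rpIDFromOrigin(origin string) (string, error) {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return "", errors.New("invalid origin")
	}
	return u.Hostname(), nil
}

// signedData binds the rpID hash and the client data (challenge + origin) into
// the message that is signed, so the origin cannot be swapped after the fact.
func signedData(rpID string, challenge []byte, origin string) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	client := sha256.New()
	client.Write(challenge)
	client.Write([]byte(origin))
	h := sha256.Sum256(append(rpHash[:], client.Sum(nil)...))
	return h[:]
}

// SignIn is the browser-side step: the device signs only if it holds a key
// registered for the origin the browser is actually on.
func SignIn(a *Authenticator, origin string, challenge []byte) (*Assertion, error) {
	rpID, err := rpIDFromOrigin(origin)
	if err != nil {
		return nil, err
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge, origin))
	if err != nil {
		return nil, err
	}
	return &Assertion{Origin: origin, Challenge: challenge, Sig: sig}, nil
}

// Verify is the server-side check: expected origin, unused challenge, valid signature.
func (rp *RelyingParty) Verify(user string, as *Assertion) error {
	if as.Origin != "https://"+rp.ID {
		return fmt.Errorf("origin mismatch: %s", as.Origin)
	}
	if rp.challenge == nil || !bytes.Equal(as.Challenge, rp.challenge) {
		return errors.New("challenge mismatch or replay")
	}
	rp.challenge = nil // single use
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ecdsa.VerifyASN1(pub, signedData(rp.ID, as.Challenge, as.Origin), as.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

// GenuineLogin runs the legitimate flow end to end; nil means the user is in.
func GenuineLogin() error {
	dev, rp := NewAuthenticator(), NewRelyingParty("login.example.com")
	if err := Register(dev, rp, "alice"); err != nil {
		return err
	}
	as, err := SignIn(dev, "https://login.example.com", rp.NewChallenge())
	if err != nil {
		return err
	}
	return rp.Verify("alice", as)
}

// PhishedLogin models a look-alike site relaying the real server's challenge.
// The device has no key for that origin, so it refuses; the attacker gets nothing.
func PhishedLogin() error {
	dev, rp := NewAuthenticator(), NewRelyingParty("login.example.com")
	if err := Register(dev, rp, "alice"); err != nil {
		return err
	}
	_, err := SignIn(dev, "https://login-example.com.evil.test", rp.NewChallenge())
	return err
}

func main() {
	fmt.Println("genuine login:", GenuineLogin()) // nil on success
	fmt.Println("phished login:", PhishedLogin()) // error: no passkey for that origin
}
```

The contrast with a password is the point: a password typed into the look-alike page is immediately reusable on the real site, whereas here the attacker would need both the device's private key and a signature over the real origin, neither of which the decoy page can obtain. A synced passkey behaves the same way; syncing moves the key between the user's own devices, not to a different origin.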

“FIDO stops me almost every single day,” Tobac told the crowd.

Google recently announced passkeys as a default login option, and major industry players like Apple, PayPal, Adobe, Nintendo, and CVS Health have made the authentication feature available to users.

According to FIDO’s recent “barometer” study, consumer awareness of passkeys has grown from 39% in 2022 to 52% today.

When passkeys become more prevalent, according to Shikiar, detection systems will begin to see passwords as “anomalous behavior.”

“So using a password not only becomes the worst user experience, but it becomes a high-risk activity. And that’s when we start to move toward the passwordless future,” Shikiar told attendees.