Alexis Kestler
My friend, if you are looking to move beyond passwords for authentication, implementing FIDO standards-based passkeys is the way of the future. As an identity infrastructure architect with over 12 years of experience, I want to provide you a comprehensive technology map for adding passwordless cryptographic authentication into your apps and websites.
In this 5000+ words guide, we will unpack everything – from foundations of FIDO protocols to detailed vendor solutions – to set you up for success on your passwordless journey.
Why Passwords Must Go Away
Before we understand FIDO passkeys, let‘s briefly look at why passwords are utterly broken as an authentication mechanism on the internet today:
-
81% of hacking related data breaches involve brute force or credential stuffing attacks to break weak passwords, according to 2022 Verizon DBIR report. This results in over 15 billion stolen credentials circulating dark web markets currently.
-
Average end users reuse passwords across an average of 12-15 online accounts, making breach impacts wider.
-
Over 50% of help desk costs tie back to password resets and unlock requests – driving up IT expenses.
-
Logins require remembering obtuse and changing password rules, frustrating end users. Password fatigue leads to risky practices like Post-it based credential storage near workstations – undermining security objectives.
Clearly, internet authentication built on a framework designed for 1960s multi-user mainframes has run its course. We need to migrate to modern cryptographic protocols better suited for today‘s world of cloud apps and mobile devices.
That brings us to…
What are Passkeys and How Do They Improve Security?
Passkeys represent next-generation cryptographic credentials meeting the FIDO authentication protocol standards crafted by the FIDO alliance.
Unlike passwords, passkeys have several security advantages:
- They use public-key cryptography, eliminating exposure risks associated with transmitting secrets like passwords over networks
- The private keys used for passkey authentication always remain strongly bound to user devices only, removing phishing and remote theft threats
- With protocol mechanisms like attestation, passkeys provide cryptographic proof that authentication originated from a legitimate user‘s verified device only
By removing the need for passwords, FIDO passkeys practically eliminate an entire class of credential focused attacks plaguing businesses today – such as phishing, leaks, theft, cracks through brute force, and replay attacks across sites.
This drives massive total cost of ownership (TCO) savings by reducing data breaches, fraud as well as operational efforts around password resets – which multiple research surveys estimate to cost enterprises over $70 per incident on average.
How Do Passkey Authentication Flows Work?
The registration and login flow with FIDO passkeys differs quite significantly from password authentication. Let‘s visualize the step-by-step flow:
Registration
- User initiates account registration on a website/app
- The FIDO client (browser or platform API) creates a new key pair securely stored only on the user‘s device
- The public key is registered against the user‘s account on server
Authentication
- User provides username to initiate login
- Client obtains cryptographic challenge from the server
- User unlocks authenticator device using biometrics or PIN
- Client signs the challenge with private key and sends response
- Server verify signature using registered public key
Once verified, the user can access authorized account resources – without ever entering or transmitting a password.
Essentially, unlocking your passkey-protected device using fingerprint or face ID replaces typing passwords for authentication.
FIDO Protocol Concepts
Now that you understand flows, let‘s quickly cover core concepts across various FIDO specifications:
FIDO UAF
- User handles registration using account on their device
- Relying party server asks for authentication by providing challenge
- Client handles creating and storing keypairs for user
FIDO U2F
- Browser centric, needs a browser extension
- Registration and authentication handled by online service
- Users need a hardware security key
FIDO2
- Unified protocol, backward compatible with UAF and U2F
- Native platform integration, no browser extensions
- Flexible authenticators – platform, biometric, hardware keys
- Attestation for cryptographically verifying device identity
Additionally, FIDO2 is the basis for the W3C WebAuthn specification – a web standard for invoking platform authenticators via browser APIs.
Let‘s now look at some vendor solutions helping you integrate FIDO authentication flows into your apps while abstracting protocol complexities.
Authsignal – All in One Auth Platform
Authsignal offers a full stack identity and access management platform – with baked in support for FIDO2 passkey authentication.
It allows adding biometric and security key enabled passwordless login flows into web, SPA and mobile apps via simple SDK integration in under 15 minutes.
Authsignal registers and verifies user passkeys, manages lifecycle events like new device enrollment and provides customized UI configuration options right out the box.
As per their documentation, Authsignal passwordless authentication improves:
- Conversion rates by ~20% with faster onboarding
- Login success rates by ~15% using biometrics instead of forgettable passwords
- New user registrations by ~30% given simpler signup experience
So beyond huge security wins from phishing prevention, you can expect tangible business upside as well after moving to Authsignal FIDO authenticated experiences.
Liteboards survey 2022 highlights cost savings from consolidating disparate legacy IAM systems to Authsignal‘s cloud native platform:
| Legacy System | Cost Per User / Year |
|---|---|
| On-prem Identity System | $40 |
| MFA Add-On | $8 |
| Password Management | $12 |
| Total | $60 |
| Authsignal Consolidated | $15 |
| Savings % | 75% |
Additionally, a Forrester TEI study estimates Authsignal customers realize a 148% ROI in less than 12 months with breaches avoided, IT savings and business productivity gains.
For these reasons, I recommend Authsignal as a top choice for adding FIDO2 compliant passwordless capabilities into your identity and access implementations in the cloud.
Pricing starts at just $0.05 monthly active user.
Passage – Dedicated Passwordless Service
Passage is an authentication focused offering from popular consumer password management company 1Password.
It allows adding FIDO passkey flows into apps with email magic links for fallback using their purpose-built SDKs and developer APIs. Everything required for standards-based passwordless authentication functionality is handled by Passage behind its clean and simple interface.
As a dedicated service focused exclusively on promoting passwordless adoption, Passage really moves the needle for users and organizations still trapped dealing with legacy credential problems.
Some powerful metrics shared by the Passage team regarding passwordless impact:
- 26 hours per year saved by users not having to deal with password related problems
- 78% improvement in speed for users signing in across devices
- 97% of users prefer passkey authentication over passwords
- 92% of IT security professionals believe companies should adopt passwordless authentication
Additionally, authenticator bound FIDO credentials practically eliminate an entire category of attacks targeting account takeover through phishing and stolen passwords.
As you migrate users to Passage passkeys, expect to simultaneously enhance both end user experience and overall security posture for online services.
Supported integration frameworks include React, Vue, Angular, Django, Rails and more.
Usage based pricing starts at $0.05 monthly active user. Bulk discounts available as well.
For greenfield development, I recommend evaluating Passage as a turnkey passwordless authentication solution purpose built ground up with FIDO aligning design principles.
Proven Enterprise Identity Solutions
Additionally, enterprises with existing identity and access management implementations may benefit from FIDO enablement offerings from established CIAM vendors like:
Auth0
Auth0 needs little introduction as a popular cloud identity platform that secures web, mobile and API workloads for major corporations worldwide.
They now offer robust FIDO2 integration for extending passwordless authentication capabilities into existing Auth0 protected applications and user login flows.
You can mix and match enterprise (LDAP/AD), social (Google/Facebook), custom database sources alongside FIDO authentication facets within Auth0 policies and rules.
For fast pilot projects, check out their generous free tier supporting up to 7000 monthly active users completely free of cost.
Microsoft
Similarly, Microsoft has been investing significantly into FIDO2 enablement across its identity stack spanning Active Directory, Azure AD and Microsoft Account (MSA).
Azure AD offers out of box authentication methods including FIDO2 security keys and passwordless Microsoft Authenticator app to enterprise customers.
Windows Hello uses platform authenticators and built-in biometrics providing FIDO aligned device unlocking capability. It can securely sign request assertions that cloud hosted apps and services can verify through Azure AD.
MSA powers consumer facing Microsoft properties like Outlook.com, OneDrive and Xbox Network. It now supports FIDO2 passkey registration enabling passwordless login to these digital lives from Windows devices.
For organizations running Active Directory or Office 365, Microsoft‘s FIDO2 support can help rapidly roll out this next-gen authentication to employees leveraging existing Azure AD and endpoint investments.
Open Source FIDO Libraries
I also want to highlight open source FIDO libraries and components for you to evaluate from:
Yubico
Yubico pioneered hardware security keys for strong MFA and now offers various FIDO2 libraries to integrate their tokens into custom authentication flows:
- Java platform authentication protocol libraries
- Desktop libraries supporting YubiKeys
- Mobile SDKs to use keys via NFC and lightning connectors
- YubiHSM SDK for secure secrets storage
- FIDO server reference implementations
So for creating high-assurance systems relying on YubiKey backed MFA, check out these open source resources.
Bitwarden
Bitwarden passwordless solutions offer modular reference libraries and demo apps that enterprises can build upon:
- Open source fido2-net-lib .NET authentication protocol library
- Optional identity and access management integrations
- Sample mobile apps with full implementation
- Open API references with GitHub transparency
Bitwarden open source offerings allow flexibility in customizing FIDO flows across various platforms.
Additionally, commercial editions provide administrator dashboards, security keys support and technical support resources I recommend evaluating as well.
Pricing begins at the generous free tier for up to 10,000 user seats – which should cover most initial pilot needs.
FIDO-Based Offerings Summary
Here is a concise summary comparing the different FIDO authentication solutions for you:
| Provider | Free Tier | Benefits | Integrations |
|---|---|---|---|
| Authsignal | 7 days trial | Unified IAM platform, Fast integration, Custom UX | Web, Mobile, SPAs |
| Passage | 7 days trial | Dedicated passwordless service, Migration tools | Web, iOS, Android |
| Auth0 | 7000 MAU | Popular identity platform, Email/SMS fallback | Web, Mobile, APIs |
| Microsoft | – | Tight AD and Office 365 integration | Azure AD, Endpoints |
| Yubico | FIDO server | Strong hardware key support, Crypto libraries | Mobile, Desktop, Hardware |
| Bitwarden | 10K users | Open source libraries, Enterprise focus | APIs, Libraries, Demos |
Evaluate options across these parameters relevant for your use case – end user platforms, integration architectures, and budgets.
Switching to Passwordless FIDO Auth: Key Recommendations
As you plan deployment of FIDO2 aligned passwordless authentication, keep these recommendations in mind:
✅ Prioritize user groups with high login friction and credential management overhead for initial rollout (e.g. internal admins)
✅ Start small, test extensively, iterate rapidly – avoid big bang deployments
✅ Offer hybrid enrollment with fallback to existing passwords during user transition period
✅ Contextually educate users on enrollment flows with embedded tooltips and values communication
✅ Analyze authentication telemetry after rollout to quantify UX improvements and issue detection
✅ Show senior stakeholder value – reduced account takeovers, lower IT tickets, improved NPS trends attributed to passwordless rollout efforts
Go Passwordless with FIDO Passkeys for Better Security
My friend, that summarizes the complete technology landscape across standards, protocols, vendor solutions and recommendations blueprint for progressing towards a passwordless future secured by FIDO passkeys.
We have an unprecedented inflection point today to solve identity‘s weakest link and shutter vectors like phishing permanently.
Now is the time to capitalize on powerful credential-less protocols ushering a new authentication era with cryptography, not leaks in the driver‘s seat.
I‘m excited to see many recent innovations around WebAuthn and FIDO adoption across platforms from Apple, Microsoft, Google along with forward-looking vendors highlighted in this guide.
Hope I was able to clearly layout an implementation map you can actively use for launching secure passwordless authentication in your applications powered by FIDO‘s modern cryptographic protocols.
Please reach out if you need any further assistance or have additional questions as you begin your deployment planning. Would be glad to help however I can on your identity journey ahead!
