The FIDO Alliance has launched a new microsite, LoginWithFIDO.com, for high-level, non-technical information about FIDO for consumers and service providers. As part of this project, we wanted to learn more about consumer attitudes and habits around authentication. What are their password habits? What do they think about the FIDO approach? Do they want to see FIDO at login?
To find out, we conducted a survey of 1,000 U.S. consumers – the results of which were shared on this webinar. These slides include the findings from our research and how you may be able to utilize the data for your own FIDO offerings and/or deployments.
This webinar includes:
--How many different passwords consumers really use for their online accounts
--What tactics they use for password management and how often they are resetting passwords
--Their familiarity with various types of authentication technologies including SMS OTPs, biometrics and others
--The types of apps and services where consumers most want to use FIDO
--How consumers want to be communicated with about FIDO at enrollment and login
We also gave the audience a detailed look at LoginWithFIDO.com and how you can consider using it for your own educational initiatives around FIDO. You’ll learn:
--How to navigate through the microsite and its two landing pages
--How you can reference the site and its materials for your own offerings and deployments
--Added insights into how to utilize FIDO’s consumer-facing marks
Hi everyone and welcome to the webinar. It’s Megan Shamas, marketing director for the FIDO Alliance. We’re looking forward to today’s webinar, where I and Andrew Shikiar will be sharing some research that we did recently and talking through our new consumer-oriented website loginwithfido.com.
Before we get started, a few housekeeping notes….
Let me introduce today’s speakers… me, and Andrew Shikiar, who is the FIDO Alliance executive director and chief marketing officer.
Here’s what we’ll cover today…
Andrew will talk through some FIDO updates, which will help uncover why we’re introducing consumer-level assets, then I’ll cover the research findings and give an overview of the new website. Then we’ll have time for some Q&A.
We know that passwords have very weak security and poor usability – but the thing that doesn’t (or didn’t) get enough attention was the risk associated with OTPs. Not only do OTPs present major usability challenges (what’s worse than one password? Two passwords) but OTPs are also centrally stored secrets, just for a shorter timeframe. As such, they are susceptible to large-scale attacks and/or spear-phishing – as we’ve seen in some very well-documented breaches.
This really is the crux of what FIDO is trying to do – it’s eliminating use of all shared secrets, not just passwords.
FIDO’s goal from day one was to transform the market away from dependence on centrally stored shared secrets to a model that uses public key cryptography and allows consumers to authenticate through devices that they literally have in their fingertips every day. It’s simpler and stronger authentication.
FIDO rapidly realized this goal with the initial release of FIDO’s UAF and U2F specifications in 2015.
-2019 was a significant year in terms of FIDO2 adoption
-Platform authenticators are certified
-Brings reach of FIDO2 to billions of users using these platforms
-Browser support has grown in breadth and depth
-Ex: Stronger initial and growing support in Safari for FIDO2
-Safari 13 supports security keys on macOS, iOS and iPadOS
-Safari 13 will support security keys on macOS
- You can deploy across any mainstream OS today
Based on your requirements, there are various approaches you can take.
Many organizations, especially in the B2C/B2B model, start with a Mobile First Strategy. It helps you drive mobile application usage through more convenient authentication, while vastly improving the security.
For enterprise models, security keys are often an appropriate first step for improving authentication security.
For frequent authentication on a device, it’s most convenient to use the available authenticators on the primary device (e.g., Windows Hello, fingerprint sensor, etc.).
Knowing that support for FIDO is wide and growing fast, many service providers have been coming to us to ask about basic terminology around FIDO, and graphics for login screens. We know that introducing any new technology requires consistent communication and education across all of the services that offer it. So we took a step back and talked, through our research company, with some consumers to get their feedback on their authentication preferences, and FIDO.
6% said they use just 1 password for everything
Another 24% said they use 6-10 passwords, so that means 76% of everyone we talk to uses 10 or fewer passwords. So if we know the average number of online accounts per person is around 90, we’re obviously getting some password reuse there.
24% said password manager
As I said earlier, service providers have been looking for more assets to help them educate their internal constituents and external customer bases. With the learnings from our research and understanding what consumers want to see, we focused on how we could help drive adoption and consistent and accurate education – loginwithfido is the core site that houses these outputs.
Need something more simplified for service providers to educate internally and externally – fidoalliance.org is great but overwhelming to those that are totally uninitiated.