From passwords to passkeys: what's new with FIDO?

Speaker: Joost van Dijk

Abstract

Recent additions to FIDO and W3C standards enable mass adoption of passwordless authentication. Browser and platform vendors like Apple, Google, and Microsoft have started to implement support for these additions, enabling websites and other relying parties to further transition away from passwords to cryptographically secure passkeys.

In this talk, we will discuss what these new additions are, and how they can help with replacing passwords. Along the way, we will answer questions like the following:

• What are passkeys or discoverable credentials? What are multi-device credentials, how are they different from single-device credentials, and what problem are they solving?
• Should I allow multi-device credentials on my website? How can I tell if a user logs in using a multi-device credential? How can device attestation and the FIDO metadata service help me distinguish different levels of authentication strength?
• How do I migrate from passwords to passkeys? What is WebAuthn Conditional Mediation and why would I need it?
• What is Hybrid transport and how does it allow me to use my phone as an authenticator?

Biography

Joost van Dijk is a developer advocate at Yubico. He focuses on securing digital identities and accelerating the adoption of open source authentication standards as part of Yubico's developer program.