The FIDO Alliance turned its attention to the future on the last day of its inaugural Authenticate event. The day’s speakers discussed some of the ways in which FIDO’s authentication standards will evolve in the next few years, and then went on to detail some of the things that organizations can do to support those strong authentication practices moving forward.
To that end, the day started with a session that analyzed the differences between public-key cryptography (which underpins FIDO’s standards) and more traditional Public Key Infrastructure (PKI) technology. StrongKey CTO Arshad Noor explained that FIDO does not use X.509 digital certificates, and instead uses keys that do not expire. With that in mind, Noor went on to argue that the FIDO standard is not as complex as legacy PKI systems.
However, FIDO does present its own logistical challenges. For example, Microsoft Senior Program Manager Aakashi Kapoor stressed that credential management is just as important as authentication, making it an important consideration for organizations that are looking to transition to a passwordless FIDO system.
The day’s final sessions made some predictions about the future of authentication. Thales Technologist Asad Ali highlighted the role of machine learning, which could be used to support device vicinity context as a concept. Device vicinity context assumes that people will often have a similar set of devices near them when logging in, and that information could be taken into account to streamline an authentication request on one of those devices. Lockstep Managing Director Steve Wilson emphasized the importance of data quality, while the final panel discussion noted that FIDO uses a decentralized authentication process, and that this will continue to be the case moving forward.
“The FIDO model is built to address today’s use cases, as well as those emerging in the future,” said FIDO Executive Director and Chief Marketing Officer Andrew Shikiar in his closing statement. “FIDO has matured from a whiteboard concept, nine years ago, through early adoption to becoming a must-have feature for user authentication.”
Shikiar announced that next year’s Authenticate has been scheduled for October 19-21. The event will be held in person in Seattle, Washington, which is where this year’s conference was supposed to take place before COVID-19 forced the organizers to transition to a virtual format.
The Alliance had previously highlighted WebAuthn and the current regulatory environment in its recap of Day 4.