The FIDO Alliance has published a new set of papers aimed at offering guidance on how passkeys can be used across different enterprise environments.
The series consists of four papers: “FIDO Deploying Passkeys in the Enterprise – Introduction,” “Replacing Password-Only Authentication with Passkeys in the Enterprise,” “FIDO Authentication for Moderate Assurance Use Cases,” and “High Assurance Enterprise FIDO Authentication.” Additionally, a fifth paper titled “Displacing Password + SMS OTP Authentication with Passkeys” is expected to be published later this summer.
Pioneered by Apple, Google, and Microsoft in collaboration with the FIDO Alliance and the World Wide Web Consortium, passkeys essentially store passcodes for various online accounts on a user’s mobile device, and allow them to be unlocked with a biometric scan or a PIN.
In the example of an Apple Passkey, the authentication mechanism operates by generating a pair of cryptographic keys: a public key and a private key. The private key is securely stored on the device, while the corresponding public key is stored in a cloud-based infrastructure.
An important aspect of Apple Passkey’s design is the sharing of the public key among devices that possess their own private keys. This means that multiple devices linked to the same user account can utilize the shared public key stored in the cloud.
The underlying rationale for this approach is to enhance security measures. In the event of a server breach, the attacker’s access would be restricted to the public key alone. The private key, which is securely stored on the user’s device, remains inaccessible to unauthorized parties. As a result, successful authentication necessitates the possession of both keys, thus safeguarding user accounts against unauthorized access.
The passkey concept represents a potentially important security tool for businesses and other organizations, and FIDO is now seeking to explain in detail the different ways in which it can be leveraged.
“These papers demystify synced and device-bound passkeys and provide the decision points for how to leverage them across a variety of use cases, whether they are using passwords alone, legacy MFA or FIDO-based solutions today,” explains FIDO Alliance Executive Director Andrew Shikiar.
July 4, 2023 – by the Mobile ID World Editorial Team