
Passwordless Authentication

Presentation: Secure Systems

Lennart Gastler @lg123

Stuttgart Media University

How many of you have ever forgotten a password?

How many of you have ever used the same password for multiple accounts?

How many of you have ever received a phishing email?

Any ideas or suggestions what "Passwordless Authentication" could be?

Table of Contents

  1. The Problem with Passwords
  2. What is Passwordless Authentication?
  3. Technical Foundations
  4. Passwordless Standards
  5. Practical Implementations
  6. Corporate Impacts and Benefits
  7. The Future of Passwordless Authentication
  8. TODO / Homework

1 The Problem with Passwords

81% of hacking-related breaches are caused by weak or stolen passwords

Verizon Data Breach Report

1,265% rise in malicious phishing emails since Q4 2022

SlashNext 2023 State of Phishing Report

1.1 Security Challenges

Common Attack Vectors:

  • Phishing attacks
  • Brute force attempts
  • Database breaches
  • Credential stuffing
  • Social engineering
  • Man-in-the-middle attacks
  • Password spraying

User Behaviors:

  • Password reuse across services
  • Using simple, guessable patterns
  • Insecurely storing passwords

Taneski, V., Heričko, M., & Brumen, B. (2019). Systematic overview of password security problems. Acta Polytechnica Hungarica, 16(3), 143-165

1.2 Operational Impact

Organization Costs:

  • Help desk password resets
  • Security incident response
  • Lost productivity
  • Compliance requirements

Policy Challenges:

  • Complex password requirements
  • Regular password changes
  • Password history restrictions
  • Multi-factor deployment

1.3 User Experience

Common Pain Points:

  • Password fatigue
  • Complex requirements
  • Frequent resets
  • Account lockouts
  • Multiple MFA methods

Have you ever had to deal with a complex password policy or a complicated authentication process?

1.4 Why traditional Solutions fall short

Password Managers:

  • Additional cost/complexity
  • Single point of failure
  • Not all users use them

Multi-Factor Authentication:

  • Additional friction
  • Device dependency
  • Recovery challenges

Now what? 🤔

2 What is Passwordless Authentication?

Authentication without a password or any other knowledge-based secret, relying instead on possession factors (e.g. devices) or inherence factors (e.g. biometrics).

2.1 Key Principles

  • Improved security by minimizing attack surfaces (phishing, brute force, etc.)
  • Cryptographic foundations (public/private key pairs, time-sensitive cryptographic tokens such as OTPs)
  • User experience simplification / guidelines

Have you ever used Passwordless Authentication?

2.2 Types of Passwordless Authentication

  • Magic link / OTP code (mail, SMS, etc.)
  • Biometrics (face, voice, fingerprint, eye, etc.)
  • Public-/private-key cryptography
  • Hardware tokens

3 Technical Foundations

3.1 Public-/ Private Key Cryptography

Core Concept: A system using pairs of keys:

  • Public key: Shared openly
  • Private key: Kept secret

Primary Uses:

  • Encryption
  • Digital signatures
  • Authentication
  • Key exchange (Diffie-Hellman)

Key Properties:

  • Mathematically linked keys
  • Computationally infeasible to derive private from public
  • Foundation of modern secure communications

3.2 Public Key Cryptography Flow (Encrypted Message)

3.3 Public Key Cryptography Flow (Digital Signature)

3.4 Authentication Factors & Multi-Factor Authentication

3.5 Three Core Authentication Factors:

  • Knowledge: Passwords, PINs, security questions
  • Possession: Security keys, phones, smart cards
  • Inherence: Fingerprints, face, voice recognition

3.6 Multi-Factor Authentication:

  • Combines 2+ different factor types
  • Each additional factor type increases security exponentially
  • Common: Password + SMS code (Knowledge + Possession)
  • Modern: Biometric + Security key (Inherence + Possession)

4 Passwordless Standards

4.1 Evolution of Authentication Standards:

  • Early: Basic Auth, Cookies
  • Modern: OAuth 2.0, OpenID Connect
  • Latest: FIDO2

4.2 FIDO2: The New Standard

  • Set of standards for passwordless authentication
  • Developed by the FIDO Alliance and the W3C
  • Released in 2015, widely adopted since 2019

Major Backers:

  • FIDO Alliance
  • W3C
  • Apple, Google, Microsoft

4.3 FIDO2 Basics

  • Focuses on passwordless authentication
  • Cross-platform compatibility
  • Uses public-/private-key cryptography
  • Uses authenticators to store keys

4.4 FIDO2 Components

  • WebAuthn: Web standard for passwordless auth
  • Authenticators:
    • Platform (e.g. smartphone)
    • Roaming (e.g. security key)
  • CTAP: Client-to-authenticator protocol
  • Passkeys: Consumer-friendly implementation / Marketing term

4.5 FIDO2 vs Legacy Standards

Advantages:

  • Phishing-resistant by design
  • Secure Credential Generation and Storage
  • No server-side storage of secrets (the server only stores public keys)
  • Unique credentials per service
  • Better UX through native integration

Compatibility:

  • Gradual adoption possible
  • Backward compatible with MFA (use passwordless as fallback)
  • Can coexist with passwords

5 Practical Implementations (Passkeys)

What are Passkeys?

An easy, user-friendly, system-level integration of the FIDO2 standard

  • Cryptographic credentials
  • Replace passwords with device-based authentication
  • Cross-platform solution, resistant to phishing and other attack vectors

5.1 Demo: Passkey Authentication

DEMO

5.2 Infos on Passkeys

5.3 Architecture Overview

Core Components:

  • Client: Browser/OS
  • Server: Identity Provider/Relying Party
  • Authenticator: Smartphone, Security Key, etc. (Hardware-backed key storage)

Features

5.4 How Passkeys work (creation)


5.5 How Passkeys work (Sign in)


Let's examine how these work together...

5.6 How Passkeys strengthen security

  • Scoped credentials / one passkey per site
  • Hardware attestation
  • FIDO Metadata Service (to verify authenticators)
  • Origin-bound keys / site verification
  • Secure (hardware-based) client-side storage

5.7 Revisiting Password Attack Vectors

Attack vector and how passkeys mitigate it:

  • Phishing: no shared secrets + domain binding
  • Brute force: cryptographic keys are not guessable
  • Database breaches: no shared secrets, the server only stores public keys
  • Credential stuffing: unique key pair per site/account
  • Social engineering: no secrets to steal + device-bound
  • Man-in-the-middle: challenge-response + domain verification prevent replay
  • Password spraying: no common passkeys

6 Corporate Impacts and Benefits

6.1 Security Improvements

  • Phishing Resistance
  • Mitigation of Credential Stuffing
  • Localized Secrets

6.2 Operational Benefits

  1. Streamlined Authentication Processes:

    • Faster, more secure logins, especially in production or field settings
    • Reduced IT overhead for password resets and account recovery
  2. Enhanced Usability for Employees:

    • Biometric authentication or simple device verification
    • Improved satisfaction with easier workflows
  3. Standardization Across Devices:

    • Support for roaming and platform authenticators (e.g., Windows Hello, iPhones, Security Keys)
    • companies can use different authenticators for different use cases / security levels

6.3 Cost and Efficiency Gains

  • Lower IT Support Costs:

    • Password resets are one of the largest IT helpdesk expenses
    • Secure self-service options for employees reduce dependence on support teams.
  • Reduced Compliance Costs:

    • Meeting stringent regulatory standards (e.g., GDPR, PSD2, HIPAA, and CCPA) through strong authentication mechanisms
    • Simplifies audit processes with verifiable cryptographic security

6.4 Challenges When Introducing Passkeys

Usability and User Resistance

  • Friction with Change
  • Fallback Mechanisms
  • Complex Onboarding

Technical and Infrastructure Barriers

  • Legacy Systems
  • Browser and Device Support
  • Developer Effort

Cost and Compliance Concerns

  • Deployment Costs
  • Security Concerns (Third-parties)

6.5 Takeaways for Corporates

Key Benefits

  • Phishing resistance
  • Lower helpdesk costs
  • employee satisfaction through simplified authentication

Transition Strategies

  • Start Small: Pilot passwordless systems in non-critical workflows
  • Educate Employees: Provide training on new authentication methods
  • Hybrid Approach: Enable coexistence of traditional and passwordless systems

7 The Future of Passwordless Authentication

  • More mainstream adoption in applications and services
  • More use of passkeys as an MFA factor
  • Wider adoption in corporate environments
  • More devices supporting passkeys with hardware-backed key storage

7.2 Compatibility and Integration

8 TODO / Homework

  • Use a password manager (different, secure passwords)
  • Set up MFA (maybe with a passkey)
  • Try out passkeys on a service
  • Set up passkeys as alternatives to passwords
  • Inform relatives, companies, etc. about password security and maybe passkeys

8.1 Resources for Passkey adoption

9 Questions?

  • How do passkeys prevent phishing?
  • Passkeys as MFA?
  • What happens when a device/passkey is lost?
  • How easy is implementation in existing infrastructure?
  • Continued development of standards?

10 Backup Slides

10.1 Difference MFA and Passkeys

Security:

  • MFA: additional security, but still vulnerable to phishing
  • Passwordless: not vulnerable to phishing, secured by biometric data or device security

UX:

  • MFA: additional steps and setup needed, still more secure than passwords
  • Passwordless: easier to use and faster

Availability:

  • MFA: not always available, depends on the service
  • Passwordless: more and more services offer it, but it is still fairly new

10.2 Passkey Recovery Mechanisms

What happens when something goes wrong, e.g. a lost or broken device?

No recovery solution is proposed by the FIDO2 standard

Several options:

  1. Cloud sync backup - backup of passkeys through encrypted cloud services
  2. Delegated recovery - access through a trusted user or admin
  3. Platform recovery - recovery through the platform provider
  4. Backup authenticators / methods - backup authenticators or methods like security keys, devices or even passwords

Some of these solutions reduce the security of passkeys