Mistaken Identity

Crack the Code with Passkeys, with Andrew Shikiar, Executive Director and CMO of the FIDO Alliance

Episode Summary

Let’s be honest: passwords stink. Today Matt and Andrew discuss the future of authentication as we shift from passwords to passkeys. Learn why they’re an improvement from the past, and why authentication is a business imperative.

Episode Notes

Matt interviews Andrew Shikiar, Executive Director and CMO of the FIDO Alliance. The FIDO Alliance is a non-profit association focused on eliminating the world’s dependence on passwords by driving the adoption of open standards for simpler, stronger user authentication.

Video quote:

“Authentication is not just a security imperative. In fact, it's more and more a business imperative, right? So when we talk about bottom line and top line, it really hits both areas because authentication should be a competitive advantage.”

Key Quotes:

“The fact of the matter is, passwords remain a threat to the integrity of the network economy itself. We need to move beyond those and that's what FIDO is doing in conjunction with all of our partners in the broader ecosystem.”

“When we look at FIDO authentication and we look at our very audacious goal of replacing passwords with passkeys, we need to consider those advantages that they have and make sure that we're delivering the same thing with FIDO and with passkeys.”

“Passkeys now are, I would say, the most elegant, seamless solution. The best way to actually get people in a truly passwordless form of authentication that's not dependent on any sort of knowledge based credentialing or any phishable methodology. So more and more, we're seeing a very rapid adoption of passkeys, because they're so integrated into the devices and operating systems that we use on a daily basis.”

“I think two key metrics are: time to sign in and sign in success rate. Especially when compared to legacy 2FA. So, passwords plus something like SMS OTP and SMS OTP has its own flaws, but it's certainly better than a password alone. But when compared to that, we've seen companies find upwards of a 25 percent improvement of sign in success rate and over 75 percent time in reduction to sign in. Those are massive changes. Google reported four times improvement in sign in success rate versus passwords at half the sign in time.”

“Authentication is not just a security imperative. In fact, it's more and more a business imperative, right? So when we talk about bottom line and top line, it really hits both areas because authentication should be a competitive advantage. Authentication is a massive competitive disadvantage.”

“I think consumers will associate a good authentication experience with a brand that's modern, that's cutting edge, that cares about them. These are all attributes that I think I would want to have someone think about me, not old fashioned, stodgy, stuck in the past, difficult to work with.”

Time stamps:

00:52 - What’s your identity?

03:50 - Why passwords suck

05:36 - The evolution of passwordless technology

07:14 - All about passkeys

17:47 - Marketing outcomes of passkeys

20:32 - Passkeys are a competitive advantage

28:52 - Future-thinking

35:09 - Quick hits


Episode Transcription

[00:00:00] Matt Duench: Welcome to Mistaken Identity. I'm Matt Duench. Today, I'll interview Andrew Shikiar, Executive Director and Chief Marketing Officer at the FIDO Alliance. Andrew and I will discuss why the future is passkeys and not passwords. He'll also share some insight for higher user engagement and better user education.

[00:00:19] Let's get into it.

[00:00:19] music break

[00:00:20] Welcome everyone to another episode of the Mistaken Identity Podcast. I'm your host, Matt Duench, and I'm very excited today to be joined by Andrew Shikiar from the FIDO Alliance. Andrew, say hello.

[00:00:31] Andrew Shikiar: Hi, Matt. Thanks so much for having me today. It's great to be here.

[00:00:34] Matt Duench: Yeah, like I mentioned, really excited to have, you know, somebody in your position, obviously being an executive director and chief marketing officer at the FIDO Alliance. That's really interesting perspective, but why not, uh, for the folks, give us a little bit of your background, your role at the FIDO Alliance and what the FIDO Alliance actually does.

[00:00:50] Andrew Shikiar: Yeah. So let's start with FIDO Alliance. So the FIDO Alliance is an industry body. Uh, we've been around for over 10 years now, uh, have over 300 members worldwide. We're focused on creating open standards and driving adoption of simpler, stronger user authentication, you know, most namely passkeys instead of passwords. Awesome. Um, the fact of the matter is, you know, passwords remain a threat to the integrity of the network economy itself. Uh, we need to move beyond those and that's what FIDO is doing in conjunction with all of our partners in the broader ecosystem. My role at FIDO Alliance, I serve as executive, co executive director and chief marketing officer. Um, in this capacity, I'm in charge of coming up with the strategy, engagement, and tactics to, you know, drive FIDO's, uh, brand presence, marketing presence, and all of our adoption activities in the marketplace, both marketing, products, service adoption, and things like that.

[00:01:41] Matt Duench: That's great. I'm really excited to dive a little deeper specifically on passkeys. I know it's an area that's near and dear to my heart and we've talked about it in the past together as well, but, uh, you mentioned obviously working with, uh, organizations over 300, uh, you know, customers and organizations around the world as well. Are there specific personas you're finding that the FIDO Alliance is having success in sort of educating or creating awareness with. And, um, how have you actually had success in doing that?

[00:02:06] Andrew Shikiar: Yeah. So FIDO's audience, we market to business decision makers, right? So technology strategists, identity architects, um, people who are either seeking to implement products and support FIDO standards or people who are seeking to deploy FIDO authentication. And so that's the audience we talk to. I'd say that the general person is a product lead, uh, or someone in the CISO's office who's seeking to strengthen their organization's authentication, um, and the programs and the properties we've put into place are all targeted at them.

[00:02:35] We make sure that we develop this content, deliver this content, make it very accessible and discoverable so that anyone seeking to learn about when and how to deploy FIDO has resources they've need, they need, and I've heard from multiple companies, oftentimes we'll read about someone who you're deploying passkeys. And so I'll reach out to them to learn more about how they started their journey. And it's incredibly rewarding to hear something like, Hey, I attended Authenticate and I saw a case study presentation in 2021. And that got me excited. I brought it back into my management and talked about why we should go pass through this.

[00:03:07] We started a pilot and now we've rolled it into production. You know, so I've heard that in more than one occasion, which is really validating, both the vision of FIDO Alliance itself, but also some of the techniques we've taken to help seed the market and drive adoption of this important technology.

[00:03:23] Matt Duench: I love that. And I know I've, I've seen a few of your presentations around Authenticate and Identiverse, et cetera. And a lot of times what I feel you're really successful in doing is educating, I think, these folks in the market generally on the trends that we're seeing, you know, passwordless trends and really what's driving those. Could you talk a little bit about that? Why, you know, why passwords suck, right? What, how they degrade, how they, how do they degrade the user experience? And really what are some of the broad things that you're seeing in the market?

[00:03:50] Andrew Shikiar: Yeah. I mean, passwords do suck, you know? Um, but that being said, they have some, you know, redeeming characteristics, but let's talk about the unredeeming characteristics first. Very poor security, very poor usability. They're a drag on both the top and bottom line, right? Um, you know, they cause data breaches, which costs money.

[00:04:08] Um, they, you know, have a lower sign in success rate, which means people are not accessing services. They lead to shopping cart abandonment rates of over 50%. We did a survey recently. Half the people we surveyed had abandoned a purchase within the past six months because they forgot their password. Right? So that's a drag on, on, on the bottom line and also the top line because you're missing opportunity to engage more customers. Um, now that being said, you know, they do have a couple advantages. One is ubiquity. You can enter a password anywhere. Now it might be a horrible experience to enter a password on, say, a smart TV or any keyboardless device, and then trying to recover that password too is a horrible experience, but if you know that password and you have it, you can enter it just about anywhere. They have the advantage of incumbency in the sense that they've been around for 60 years, right? And 40 years of the internet. So just about anyone who's been on the internet has a password and knows what that is. It's a known commodity. So when we, you know, look at FIDO authentication and we look at our very audacious goal of replacing passwords with passkeys, we need to consider those advantages that they have and make sure that we're delivering the same thing with FIDO and with passkeys. But the broader trends around passwordless, you know, passwordless is the trend, um, and it's happening quite rapidly. And I think that, you know, passkeys are the inevitable conclusion of this very rapid movement away from passwords to what's next.

[00:05:30] Matt Duench: So how have you seen sort of the trend of adoption of passwordless technologies evolve over the past few years?

[00:05:36] Andrew Shikiar: Yeah, that's a great question. And I think that, again, there is this undeniable trend and you see signals all around us and I see it. I think we all see it in our daily lives as consumers, like we're all consumers are on the web. I 90 something or 200 something accounts where you have to sign into. And more and more you're seeing what we'll call a converged sign in page. Alright, so the old username and password dialog box in the upper right hand corner of the website is rapidly going away. And more and more you're seeing, well, you're given a choice. Enter your email address. Or you can go to the password screen and the email address flows, converge sign in flow, will probably send you a magic link, right?

[00:06:14] Or you can choose to have a password or you can choose to use social sign in. So these are techniques that service providers are taking to start taking people away from passwords because they understand the costs and risks associated with them. So that's one very good sign of, you know, uh, product managers are evolving their authentication strategies in a passwordless direction.

[00:06:34] But of course, passkeys now are a, you know, I would say the most elegant, seamless solution, the best way to actually get people in a, a truly passwordless form of authentication. That's not dependent on any sort of knowledge based credentialing or any phishable methodology. So more and more, we're seeing a very rapid adoption of passkeys, because they're so integrated into the devices and operating systems that we use on a daily basis.

[00:07:00] Matt Duench: We've mentioned passkeys a couple of times now. Maybe let's just get into it. Like, I mean, what is a passkey? What are the benefits that they bring? And why would someone, why would a consumer or even an employee eventually opt for a passkey over something like a social login, for example?

[00:07:14] Andrew Shikiar: Yeah. So any passwordless FIDO credential is a passkey. Um, and so we should back up a little bit to talk about how FIDO works, right? So any FIDO credential is a passkey. How FIDO has worked since our inception over 10 years ago is replacing the old way of authenticating, which is knowledge based credentialing, say a password on a server and a secret in your head with something called asymmetric public key cryptography, um, which is a mouthful and the earful and no one should have to say, let alone know what it means to use. Right. And we'll talk about usability too, I think a little bit. Um, but public key cryptography works, um, as opposed to passwords, where again, you have a secret on the server and a secret in your head. You have a unique key pair, a virtual key pair, if you will. A public key sits on a server and the private key sits safely on the device. Unlike a password, the public key has no material value, right? So you can steal all my public keys and you can't reuse them. If I steal your password, Matt, I could probably log into one or two of your accounts. Maybe not you, but anyone who doesn't practice perfect password hygiene tends to reuse passwords. And so you can do credential stuffing and things like that to take over accounts. So, um, public key cryptography avoids that by, you know, having these unique key pairs. Now the private key is a more valuable piece that stays safely on one's device and the user needs to verify themselves to that device to sign in. And the verification is a local verification. It's a biometric. It could be touching a security key. It could be a device unlock. It's basically the same thing that we all do dozens of times each day to unlock our device, right? That's a verification. And that's, once you do that, then you can sign into the account using the FIDO authentication process.

[00:08:46] Um, so that's how FIDO works. Now, when we announced passkeys around a year and a half ago with Microsoft, Google, and Apple, what we were announcing was a change in the way that that private key can be found on the user's device. So historically, that private key was bound to each device. So if I enrolled for FIDO authentication, so, you know, passwordless sign in, uh, and say, you know, ecommercesite.com with on my iPhone, when I go to the ecommercesite.com on my iPad, I had to enroll that device too, and my PC, and my Kindle, and whatever device I'm using, I had to enroll each one. With passkeys, it's a new way of implementing the FIDO protocols that allows that private key to be securely synchronized across an operating system or credential provider cloud.

[00:09:32] Such that now, if I enrolled on my iPhone, when I show up on my iPad, I automatically have a passkey there. And so that was a sea change in the way that we allowed FIDO to be implemented in the sense that the FIDO credential is readily available on all of the user's devices right away.

[00:09:49] So that's a very dramatic change in the way that we are providing passwordless solutions for companies to implement for consumers or for the workforce. Now, you can still choose to have what we call the device bound passkey, most typically found in a security key, where that passkey does not move. And that's very important for higher assurance or higher security use cases. But for consumers at large, the consumer sites that are adopting passkeys en masse, like Amazon, and TikTok, and Google, and Roblox, companies like that, they appreciate the syncability. So that's, you know, a little bit how passkeys works. So it's basically, um, again, it's a cryptographic key pair. Uh, the user experience is simple. I'm just unlocking my device, or touching my device, and then I'm signing in. And just like that, I have access to that site and that service on any of my devices automatically.

[00:10:36] Matt Duench: I mean, when we start to talk about like private key cryptology and, and, you know, things like this, obviously you mentioned it's a mouthful for, and even the end user, what do you think are some things or considerations that, that we should be putting out there or how should we educate end users to get them more comfortable with passkeys?

[00:10:52] Andrew Shikiar: Yeah, first and foremost, like the end users should never have to think about public key cryptography. I mean, if they hear that from anyone, like we failed, we failed horribly. Right? They should know about passkeys. And it's something FIDO is lacking. One of the cool things about kind of embracing this term and creating a kind of industry wide icon for passkeys is that we didn't have that before.

[00:11:13] Right? So we had a lot of adoption of FIDO authentication, you know, dozens of like some of the biggest brands on the planet were using FIDO and native apps or with WebAuthn. Companies like eBay have been using WebAuthn for passwordless sign ins for years. 

[00:11:26] These were all great implementations because they were using FIDO, using all the goodness that FIDO brings, but there wasn't any commonality to it. So with passkeys now, we have a term, right? That's why any FIDO credential is called a passkey. We have a term, we have an icon, and we're working to make sure that the user flows are as consistent and as optimal as possible, such that when someone sees a passkey, they know what they're getting, right? That first passkey experience needs to be enjoyable. It needs to be seamless, needs to be, you know, as smooth as possible, such that the user says, Oh, yeah, that's, that was cool. Um, I want that again.

[00:12:02] And they start looking for it from more service providers, or when someone, someone offers it, they know what it is. And they, they simply opt into it. So I think it's really, you know, making sure that experience is, is seamless. Beautiful, simple, um, and authentication becomes an afterthought, which is where it should be, not a, oh gosh, I have to figure out my password thing.

[00:12:21] I, I honestly, I have password fear, and I have a password manager, I have two password managers, I have a browser password manager, independent password manager. I love them both, but they tend to fight, and sometimes they're not quite right. Um, and so, when I visit a site I haven't been to for a while, I have a little bit of trepidation, like worrying about like, am I going to go sign in? Am I going to have, am I going to have to go through a recovery process? And I don't think that's uncommon. If I'm having that problem, I think the vast majority of consumers have the same problem. So instead of having that password fear, replace that with just not even thinking about it, signing in by doing the same gesture that you do again, dozens of times each day.

[00:12:59] Matt Duench: Yeah. I feel like your point about, you don't have any experience like that, like you said, is not unique to you, not unique to I it's a, it's something that I think everyone as an end user, as a consumer struggles with, right? Like, and, and that's, that's a really good point of making that sign in that login experience, completely, it's almost like, you know, the invisible hand that just guides you along. And so you don't even realize it's happening, but when it's not working, that's when, you know, I mean, it results in extreme frustration for the end user. Right? Like personally, I know there's a few applications that I've gone to use and they've done updates overnight. And then I have to enter my password. And like you, I've got a couple of different password managers. I have to remember where it's stored, you know, enter it in, do the, and then I don't remember it. So I have to do the password reset. It's just. It's such a, you know, it's, it's an overwhelming experience for, I think, a lot of people. And we're people in the industry, you know, I can't imagine, I can't imagine what it's like for, uh, you know, the average consumer, but it's not, like you said, it's not something they see. And that's some of the benefits I think that Passkeys bring, you know, to every organization, not even just the ones that in product or in software engineering or technology that are building these experiences.

[00:14:02] But marketers as well, right? This is going to bring huge benefits. I think to how we create better experiences for those customers and drive some of the, you know, the, the conversions, the, you know, the, the cart abandonment, reducing those things and doing that in a secure way.

[00:14:17] Um,

[00:14:18] Andrew Shikiar: No, absolutely. And I think, I mean, uh, one last note on this whole password, you know, fear thing, you know, that's one reason why people default to easy passwords, right? This, this is, this sums up the problem. Like, I don't want to forget my password. My password is going to be password or password one exclamation mark. All these things that are so easy to crack or hack into. Um, that's why people default to easy passwords because it is physically impossible, it's mentally impossible to manage passwords at scale. Um, and so that's why we're so focused on providing this passkey. That's very easy user experience. One other note on that though, something to consider for marketers or anyone implementing this and something that we're focused on is that, you know, people do expect some level of friction, right? So we've become so acclimated to like, no one wants to pass a reset. That sucks, you know, but like it might be, we've tested this. It's somewhat disconcerting for some people to see how easy it is to sign in with a passkey. And so there might be a misconception. Wait, this actually is not secure because all I did was touch my, touch my laptop and I'm signed in. So there's education that has to happen on that front. And I think in the short term, you'll see some companies adding a layer of friction just to actually create confidence if nothing else.

[00:15:25] Matt Duench: Yeah, I, that's a really good point because I think especially with keeping things secure, you need to have that friction right there need, but there, but it's a balance and you need to be able to deliver that balance in such a way that makes sense. Where if it's scaling, you know, the, the access that you need, uh, where, for example, if I wanna log in, I should be able to do that really easily, really easily with little friction. But if I'm interacting digitally with a brand or changing, you know, parameters of my account. That's when I need to start introducing elements of friction to be like, okay, well, let's, you know, double check and make sure Andrew is Matt is who they say they are and, and actually have some elements there to do some of those, those verifications there as well. So it's not definitely not the absence of friction. It's more how you deliver friction in such a way that it's, you're able to balance the customer experience with the security that you're delivering.

[00:16:12] Andrew Shikiar: Yeah, absolutely. So I think that we're going back to like the marketer benefit. I think it really, you know, one thing is super interesting in my experience of FIDO Alliance, I've been with FIDO Alliance for around eight years now, um, the conversations, the conversations have shifted, about FIDO in general, from skepticism to curiosity to, okay, this is going to happen. You know, I've always had conversations with people implementing FIDO. And those conversations have shifted from coming from a, um, kind of a security centric point of view to a usability centric point of view.

[00:16:44] And a lot of the early adopters were driven by, early adoption was driven by security teams who like rightly realized that, holy blank, you know, I have, this is a gaping hole in my armor and like passwords aren't going to cost me tons of money. Um, to now people who are going to implement this at scale. And all of a sudden I went from having conversations with engineers to product leads and design leads, and they'd ask questions like, wait, what's my customer's experience going to be like? How are they going to react to this? Um, and so I think that really, and that, that shift started happening around three years ago, right around when we started focusing on, on user experience as a kind of working function within FIDO Alliance. Um, and in general, I think it shows maturity that's happened in the market around FIDO, right? And passkey is just taking that to the nth level, um, as far as, you know, really driving adoption. Like the hockey stick adoption is fantastic to see, but the usability imperative grows with that increased adoption.

[00:17:40] Matt Duench: So what would you say some of the marketing related outcomes, those benefits that passkeys can support across the business would be? Wow.

[00:17:47] Andrew Shikiar: We talked about cart abandonment already, and that's a huge one, um, you know, when, when, again, half of people are abandoning purchases for the past six months, that's meaningful money on that note. Actually, one of our e commerce providers spoke recently and relayed that they had a sign in success rate, um, of around, I think around 80%, which is actually quite high. Um, what they found is that the 20 percent of people who had to do a password reset, they lost most of those. And even those who were successful in resetting their password spent less money. So even those who went through the hassle of getting their password, they actually did not do the impulse buy on top of that. So even though they saved the initial purchase, there was, you know, opportunity costs associated with that. But aside from that, I think two key metrics are, um, time to sign in and sign in success rate, especially when compared to legacy 2FA. So passwords plus something like SMS OTP and SMS OTP is, you know, is, is, has its own flaws, but it's certainly better than a password alone. But when compared to that, we've seen companies find, um, you know, upwards of a 25 percent improvement of sign in success rate and over 75 percent time in reduction to sign in. Those are massive changes. Um, Google reported, they saw a, uh, four times improvement in sign in success rate versus passwords at half the sign in time.

[00:19:06] All right. So this is if you have any sort of, if you want people to be consuming your content, viewing your content, taking action with your content, you want to make sure that they can access it and access it quickly. If they can't, you know, there's zero switching costs, right? One of the best things and challenges of the internet is that brand loyalty is important. But if, you know, it's not that hard to switch. I can open a new tab and go to your competing site just like that. So if I'm frustrated with your site, I might just do that, right? So a marketer, you don't want to take that risk that someone's going to go ahead and, and, you know, dabble with competitor's site. This is why authentication is not just a security imperative. In fact, it's more and more a business imperative, right? So when we talk about bottom line and top line, it really hits both areas because authentication should be a competitive advantage.

[00:19:55] Matt Duench: I love that point. I mean, there's, there's a lot of data around this as well, that the customer experience is the new competitive battleground, and a lot of companies are starting to compete there too. One of the things I think you hit on is when you're able to make that, that sign in experience fast and also decrease signup failures or sign in failures, that actually becomes part of your brand reputation as well, right?

[00:20:15] If I'm perceived as being hard to do business with, then the cost to switch is really, really low. And especially in a digital age, I can go anywhere else I need for a better experience. And I'm going to do that really quickly. So you're right. It does become part of your competitive advantage. It's something you need to think about, right? From a conversion perspective.

[00:20:32] Andrew Shikiar: I think consumers will associate like a good authentication experience with a brand that's modern, that's cutting edge, that cares about them. Um, these are all attributes that I think I would want to have someone think about me, not old fashioned, stodgy, stuck in the past, difficult to work with. Um, these are all attributes, these are all positive attributes associated with a brand that is a competitive advantage. One other bottom line thing I want to talk about, which is really important. Um, you know, I talked about, you know, comparing passkeys to legacy 2FA. SMS OTP is not free,

[00:21:03] Matt Duench: Right.

[00:21:05] Andrew Shikiar: Right? So, so if you are a company that's, you know, with tens of millions of customers and you're using SMS OTP, you're spending a fortune. And, and Elon said the quiet part out loud when he, you know, abandoned, I'm not going to start talking about Twitter or X, but when he took away SMS OTP as a default option for 2FA for Twitter users, um, he pointed out that, Hey, I'm spending a ton of money on SMS costs that are hard to really gauge. And so the answer to that, instead of not doing what he did, which is take away 2FA altogether, the answer is move to passkeys. Because you have all that functionality built in the device that the user is using anyways, especially a mobile first audience like that. Right? So you eliminate all that cost and it's a better user experience. Like, there's really, you know, zero, you know, downside of making that switch from a CX standpoint and from a bottom line standpoint.

[00:21:51] Matt Duench: That's such an important point as well. And one that I wanted to make sure that we, we touched on is the operational costs that are associated with this. It's like, yes, you are able to benefit from the security, the, you know, the, the obviously enhanced security that you're going to get from Paskey's and the ability to, you know, enhance conversions and make it really seamless for somebody to sign in.

[00:22:08] But what that also does is on the operational side, I read something from Twilio, you know, in the past couple of months where they saw that 70 percent of all SMSs that are sent are password resets. They're one time passwords. it just shows you the volume of texts, text messages that are out there that costs, costs business money. And additionally, your password reset, if you think about that, most customer service companies, organizations anyway, Have 40 percent of their costs are associated with just handling password resets. Right? So if you're able to implement pass keys, not only do you reduce your dependency on 2FA or multi MFA in general, and have fewer of those one time password passwords going around, you know, the internet and around the world, but also you're making it easier to, you don't even have to reset a password anymore. Right? So you're completely getting rid of, of, uh, 40 percent of those sunk costs that are, uh, operational costs that are out there just because of how people are handling the password reset.

[00:23:03] Andrew Shikiar: A hundred percent, you know, so, so, Password Resets for a consumer focused company, um, are a hassle, they're an expense, and they're also an opportunity cost. Because again, I might not reset my password. I'll go to another site and just sign in and buy something else. Um, for an enterprise in the workforce, password resets are very expensive. It's dragging down your IT team, and it means your employees are not productive. All right, so on the run, you know, I don't know how deep we're going to go to workforce today, but that's a very real cost associated with workforce authentication. Passive resets are a huge issue. 

[00:23:33] Um, the related side of this is how easy passkeys can be to actually create accounts. All right, so when we create our UX guidelines, one thing we talked about was enable passkeys on account creation. All right, so whereas in the past, you'd go to a site, you'd get an email, you get an SMS OTP, and then you'd have to verify that to create your account. That's another link. That's another, that's another window. It might be another device. That's a click I have to do, so then I have to set a path. Why that friction? Why so much friction? Create a passkey, you know, and you can be done with it. So, you can create that account right away, and then you can get more information from them afterwards. Um, so the barrier to actually getting new customers goes down with passkeys as well.

[00:24:15] Matt Duench: Yeah, I posted something recently around the holiday timeframe there around Thanksgiving where, you know, I, I had, I was transacting with Realtor and they made it really difficult to create a new account and the guest option was available. I just signed out as a guest. And I think about, think about how many people are doing that just because like you said, the signup process. Uh, in an e commerce, it doesn't matter. The transaction is just, it can be so arduous that I didn't even want to go through that. I was like, I'm not going to spend any time there. I want to get through this transaction, created a guest account. And then as you know, as a user, as a customer, I'm completely blind to that organization. They have no idea who I am. 

[00:24:51] For folks that are either in a, maybe marketing or a digital role and those teams that are listening into this podcast and this episode specifically, what do you think some actions are that they could take to their companies to drive some of these better experiences with passkeys? What, what should they know?

[00:25:06] Andrew Shikiar: Well, I think, you know, first of all, you should understand the benefits of this. Right. And so the good thing is, you know, FIDO Alliance, we're very focused on, like I talked about before, you know, creating resources for these people are talking about. So the product leads, the designers, the identity architects, we have resources on our website. We have case studies on our website. We have oodles of content you could look to and point to as inspiration and justification for moving towards some sort of passwordless pilot to start off with. Um, so we have data, we have companies, probably a lot like your own that you, the audience, your own, um, who have, you know, moved with FIDO and seen business benefits.

[00:25:44] So I'd encourage them to check out some of those resources on the FIDO Alliance site, on the authenticate.com website. We have all of our archived Authenticate content. And then work from there to start, you know, engaging some stakeholders inside the company on, um, you know, scoping some sort of initial POC. Um, of course, you know, the other important step to take is to work with a, you know, a trusted partner, service provider, someone like an Okta, companies who have experience doing this, who have solutions, who can help, um, you know, bootstrap your startup and help give guidance also. These are all good steps that a product lead can take to be in position to scope some work that will demonstrate value such that it can then grow into something that gets fully implemented.

[00:26:26] Matt Duench: Yeah. And you talked a little around value as well. And for those product leads, are there some metrics that we talked around conversions that we talked around, like cart abandonment, are there some other metrics that marketers could use to track the success of their password, their passkeys implementations that you feel they should know?

[00:26:43] Andrew Shikiar: Yeah, I mean, it depends on the line of business, right? So everyone's going to have their own metrics, what matters most. I mean, ultimately, I do think sign in success rate and time of sign in are going to be critical for anyone on a universal scale. Um, we have e-commerce providers who, who are drawing lines between uptake of FIDO authentication and decreasing fraud. I mean, that, that's, that's, you know, phenomenal, right? So if you can start drawing those connections, that's, that's a huge win. Likewise, increase FIDO authentication, increase revenue. So these are not, there's not data they've shared publicly, uh, but they are drawing those connections. And I think ultimately that's what you want to see.

[00:27:16] All right. So then, so when I invest here and move into a FIDO solution, we're going to see the return there with, you know, more revenues basically, or decreased fraud costs. So I think those are key things. Plus the universal metrics of sign in success rate, um, sign in, time to sign in, and then also, you know, you could do some surveying the customers. Is this a delightful experience for you as a user signing into our site now using a passkey versus a password plus SMS? I think these are things that people should do as well. If they can invest in their own surveying and UX research to validate the path that they're taking.

[00:27:51] Matt Duench: I love the, the concept too, of even experimentation and A/B testing as well as a marketer. I think that's something that you could even, you could consider as part of the experiences. You have obviously a, you know, a focus group that potentially you have other passwordless options and then you have a focus group where you have, uh, options presented for passkeys and then that's exactly it is some of the metrics that Andrew mentioned here around, you know, time to sign in and, and generally, you know, failure rates as well. You'll be able to very quickly see what both of those are and even compare against each other. So you'll have a great idea of, uh, of how you can implement that and how you'll track success as well.

[00:28:28] Andrew Shikiar: Yeah. And if you, if you implement passkeys on the converged sign in site, you can give people different options, right? You can actually start seeing in real time what people, what people are choosing to do and how they're doing, what the success rates are. And then based on those metrics, you know, push, you know, whatever solution seems to be working the best for that segment.

[00:28:47] Matt Duench: Yeah, absolutely. Um, switching gears a little bit to innovation and thinking about, you know, even some future looking things. Obviously the passkeys, we still have a lot of work to do there, I think, from adoption. Um, and we're seeing some really great traction as well from providers, but how do you think about innovation at the FIDO Alliance and what do you think, uh, what do you think is really important in driving towards that, that, uh, innovative state?

[00:29:09] Andrew Shikiar: Yeah, that's a great question. You know, FIDO Alliance is a pretty unique organization. We're a standards body at the end of the day. Right. So we pull together, you know, volunteer contributors from our hundreds of members and that they meet in different working groups to advance the work areas of FIDO Alliance, which are the core work areas are going to user authentication.

[00:29:27] We're doing work in embedded IoT and also in identity verification, but our eyes always on like what's next, right? So make no mistake, our focus is on driving adoption of user authentication. And, and, you know, and, and device onboarding and identity, but what else can we be doing? Right. And so we foster that innovation by, um, we have member meetings three times a year, once in Asia, once in North America, once in Europe.

[00:29:51] In those meetings, we have kind of ad hoc sessions where people can bring new ideas and basically bring them in front of the whole membership who's attending that meeting. And that's how new ideas start getting socialized within FIDO Alliance. Like, Hey, I think we should be looking at, um, well, several years ago, I think we should be looking at device onboarding and IoT.

[00:30:07] And so I think we should be looking at biometric certification. And they're like, okay, well, people are all ears. Like, oh, this makes sense. It gives a chance for someone to have a position and present a business case. And then if it lands, then we can start moving on that. Right. So that's how I've actually adopted new work areas is through this initial kind of ad hoc.

[00:30:25] BOTH process in our plenary meetings to then, you know, forming a formal study group and then deciding whether or not to move forward on it, and then eventually investing and launching that work area within FIDO Alliance. So as an industry body, that's how we do it. It's somewhat regimented. I mean, it's, it is somewhat structured because it's, we are a standards body.

[00:30:43] So there's going to be some, you know, standards body ness to it all, but that's how we've managed to foster innovation within FIDO Alliance.

[00:30:50] Matt Duench: I think it's important as well, because it needs to be done in a standardized way so that the implementation is, is known. It's understood. There's reference architectures, reference implementations. Getting to that passwordless state becomes easier because you have, you know, uh, these, these case studies and these, uh, these implementations previously that where folks have done it really well.

[00:31:09] Andrew Shikiar: Yeah, in general, we try to be more nimble than your typical standards body. Um, and I think we are, one thing that's really, I think, special about FIDO Alliance is that a lot of the, the core contributors into our technical working groups are very close to their product set, right? So you sit in a lot of standards bodies where you have like professional standards people, they're probably in the R&D team, CTO's office. There's nothing wrong with that. But they tend to be a little bit more removed from real business outcomes. Then FIDO Alliance, the people say like from the platforms, for example, from Apple and from Google and from Microsoft, they're working on their sign in technologies. Right. And so this, with passkeys, this has been so critical. In the sense that, you know, we've launched this very ambitious and very important and invested in this user experience testing. Um, but the same, the people on their teams who are in charge of their sign in pages were taking part in our UX testing group. And there was this really nice interplay between the testing we were doing, the results we were getting, and what they were actually implementing in real time in their platforms. You know, so there's this real time feedback loop that allowed us to very iterate and innovate very quickly, you know, both within the Alliance. You know, just in refining the way we're doing things and then roll that out like immediately to the world at large. And so is that having the people who are so close to the products inside FIDO Alliance has allowed us to innovate and implement far faster than other standards bodies would.

[00:32:30] That's

[00:32:31] Matt Duench: Absolutely. What about as a marketer? Cause I think, I think about this all the time, even, you know, joining Okta three, three years ago. When I first got here, and as a marketer, I looked at identity and I said, I cannot believe that I have never looked at identity as a way to provide more value for my customers, right? To improve that experience, to make it more secure. Um, what are some things that maybe you personally, um, that you wished you knew, uh, and that other marketers, you know, should, should benefit from? What, what don't they know about identity that they should?

[00:33:00] Andrew Shikiar: A super interesting question. I've been in the identity space, since really its creation and not to be that guy, but, um, I started doing identity back in 2001 at Sun Microsystems and part of my job, and there was no concept of identity management back then, really. So part of my job was doing pre sale stuff and going out and talking to some of our top 100 customers that sit around the table with the C suite.

[00:33:24] And I remember these slides. And of course, the slides are like in the StarOffice, which is horrible. Another conversation, not PowerPoint, but the slides would say like, the first one was like, what is identity? And then there's bullets like, what does identity mean for your customers? What's it mean for employees?

[00:33:36] What's it mean for your business partners? And these are very thought provoking conversations to have, you know, 22 years ago, 23 years ago, and, but the same questions hold true, you know, what does identity mean for your business, what's mean for your customers and do your consumers, you know, think about their identity as pertains to their interactions with you as a service provider, as an e-commerce merchant.

[00:33:59] Um, but I think the core things are understanding the attributes of the identities that you want to target, right? So you have different personas, no matter what business you're in. If you're selling to consumers, you have different types of consumer profiles, you can get that psychographic data, and then you want to make sure that you are delivering them the offers that they want or the, the, the content that they want.

[00:34:18] And those are all things well outside of FIDO's scope, but that's basic, you know, marketing 101 is to deliver people what they want. Now tying that back into authentication, you know, I think you have, again, different types of people who will want to access services in different way. Different ways that you'll have some customers who are more keen to move forward with passwordless than others. But ultimately you want to get all these people moving in that direction because it protects them and it protects you. And it's a net benefit to the community at large.

[00:34:47] Matt Duench: Love it. I think that's a great point to, to end on. I would say this has been an amazing discussion, I think. One that's super interesting and one that anyone listening in on this podcast, you know, look for those, look for those passkey options. If you're building really great experiences for your consumers, for your, for your end users, even for your employees, look at passkeys as a way to securely do that and really to enable those, uh, those, uh, those experiences. A couple of really quick things just before we leave here, Andrew. Would love to get your insight into maybe some things, your favorite thing that you're reading or watching right now. I know that you just had a big trip to Asia. Anything that you read, read on the plane.

[00:35:22] Andrew Shikiar: Actually, I watched on the plane, I have to admit. Um,

[00:35:24] Matt Duench: I do that. I do that as

[00:35:25] Andrew Shikiar: a growing, so I don't watch as much content as I'd like to. I'm so jealous of my friends, right, comparing TV shows. I'm like way, way back. I'm like decades back, but I've been enjoying Righteous Gemstones. It's like super funny. And reading, I go through different binges where I'll read like pulp fiction or biographies or, you know, finance books, or it might be right now in the, in the midst of reading a few kind of explorer type books. Um, so I just finished one called The Lost City of Z, which is about an explorer by the name of Percy Fawcett, who's seeking existence of like a mystical civilization in the Amazon 1920s. Super interesting, and they're always good stories of perseverance and determination. And lots of interesting history as well.

[00:36:03] Matt Duench: Absolutely. Some great lessons in perseverance there as well. Um, one last question. Where can folks find you online?

[00:36:11] Andrew Shikiar: Yeah. So find FIDO Alliance, um, on all the social networks. So I think on Twitter slash X at FIDO Alliance, LinkedIn, um, that's where we, we have presence. Myself, I'm on LinkedIn and Twitter as well. Um, with a name like Andrew Shikiar, there's only one of me. So you can find me pretty easily, um, on any, any site or service.

[00:36:31] Matt Duench: Awesome. Well, with that, again, Andrew, great conversation. I want to thank you for joining the Mistaken Identity Podcast today. Uh, and thanks again.

[00:36:39] Andrew Shikiar: Matt, thank you so much. It's really awesome to be here.

[00:36:40] music break

[00:36:41] Matt Duench: Well, that was Andrew Shikiar, Executive Director and Chief Marketing Officer at the FIDO Alliance. We dove into trends in the passwordless world, looked at the benefits of passkeys and how to remove user security hurdles. Thanks for listening today. That's a wrap on season one of Mistaken Identity. Join me next time as we dive into season two to share strategies from product leaders on how to leverage customer identity to your advantage.