The Identity Lifecycle with Passkeys
From Onboarding to Recovery
Everyone, welcome to today’s webcast. I’m Megan Shamas, the Chief Marketing Officer at the FIDO Alliance. I’m here to talk to you in depth about roadmapping passkeys from a project perspective. So, in other words, you love passkeys. You want passkeys, don’t we all? But what are the real considerations and the decisions that you need to make when implementing passkeys? We’re going to talk about workforce and consumer scenarios today. To help me out with this, I have with me today Eoghan Mulligan, who leads product at Daon, an organization that has assisted with many passkey rollouts. Welcome, Eoghan.

Thank you, Megan. Lovely to be here. Hi, everybody. Nice to be able to discuss passkeys with you today.

Thank you for being here. We’re going to run today’s session as a discussion rather than a presentation, so I would urge you to ask questions as they come to mind and we’ll do our best to answer as many as we can, in the order that we can. Speaking of that, let me run through a few housekeeping notes to help you with your experience with us today. Welcome to ON24. On your console, you have a number of widgets, so I would urge you to keep the media player open, where Eoghan and I will be chatting. We will have some slides just to back up the discussion points, so the slides widget, and then of course the question widget, should already be open for you. You are in listen-only mode. We are recording this, so if you miss anything, or you want to go back, or you want to send it to someone else to register for and watch, we’ll have that available to you directly after we wrap up today. We’ll also be distributing the slides, of which there won’t really be many, but if you really want to be able to recap what we covered in terms of the topic areas, you can definitely have those.
And then please do take the survey that’s in the console at the end of the webinar, because it’s really important to us at the FIDO Alliance that we are addressing the topics that you want us to, and I build out our content based on your feedback, so please do that. Eoghan, thank you for being here. Can you help me level set with our audience a little bit? In our chat today, what are we going to talk about in terms of types of passkeys for implementation? Are we going to be talking about synced passkeys, device-bound passkeys, both?

Yeah, absolutely. Thank you, Megan. I think it is prudent for us to cover both. In terms of setting the scene for attendees today, when we speak about synced passkeys, we’re looking at those iPhone- or Google-based passkeys that are synced to a cloud and associated with a cloud account. And then in terms of device-bound passkeys, we think about that as the digital equivalent of a physical key. So that is locked to the device and is specific to the device. And in highly regulated industries such as the ones in which Daon’s customers operate, that is the one that we see most of.

That’s great, because we do research into both consumer and workforce, and especially on the workforce side we definitely see that folks are considering a mix. So it is good that we’re going to be talking about both.

Yeah, certainly. I would...

Yeah, go ahead.

I would certainly expect the considerations of what that end user audience is to have a big impact on which passkey types are implemented. I think blending both based on the use case and based on the end user scenario and those types of patterns will be an important consideration for everybody.

Yeah, exactly. So as we go through these different topic areas, we’ll be sure to specify nuances with consumer and workforce, because we don’t want to confuse anybody on the call. So we will be as precise as we can.
Eoghan, we sort of broke these down in the slide. Could you help me and our audience understand what the main buckets are that organizations should be looking at when they’re devising their plans for passkeys, like the major decisioning areas? What are those?

Yeah. As we think about it, and as we work with our customers and clients to implement passkeys within their ecosystem, all of the key considerations come down to lifecycle elements. What we see with our customers is that lifecycle management is critically important: enrollment, migration. Those are really the processes that need to be planned, implemented and re-planned when we’re thinking of implementing a passkey solution as a strong authentication factor.

Okay. So let’s dig into each of these areas one by one. When we talk about lifecycle, how exactly do you define that in terms of passkeys? Because we know what the word lifecycle means, yes, and how to manage credentials. But when we talk about passkeys, how do you define lifecycle management?

Yeah. So for us and for our customers, during implementation and implementation design, we encounter lifecycle management as the real key security boundary of passkey architecture. We need to be in a scenario where initial registration, authentication, enrollment, migration, all of those pieces fall under lifecycle management, and they are absolutely critical to ensure the security of the process. If, for example, the process of assigning or revoking a passkey is insecure, then you’re in a scenario where the bad actor or the fraudster doesn’t need to solve a cryptography problem. They have access to the passkey. It’s already been made available to them, and then they can act on that without too much difficulty.
So that is why we say that lifecycle, from registration, enrollment, authentication, migration, is really what we talk about when we talk about lifecycle management.

So you mentioned onboarding. I think there’s an important point that organizations should have in the back of their mind when they’re doing these plans: okay, you are deploying passkeys. Passkeys are phishing resistant. Passkeys are secure. But there are other pieces of the lifecycle of an account that you really need to look at and make sure those are locked down, because having passkeys isn’t the silver bullet for your entire security posture.

Certainly, that’s absolutely the case. While passkeys are incredibly effective and great from the user experience and security aspect, because they are non-phishable, we need to ensure that the security policies and architecture around them support their security. So we would say, for example, let’s think about registration as part of that lifecycle. How do we prove a user is who they say they are before they register a passkey? What is the process defined by our customers, or by webinar attendees, for registration of a passkey? In highly regulated industries such as the ones in which our customers operate, in financial industries, Tier 1 clients, they have a key concern around this when it comes to passkeys. How do they proactively say, at or before the registration of a passkey, that the user is who they say they are?

We’re going to talk a little bit more about... Oh, sorry, go ahead.

No problem. In terms of the solution here and in terms of the considerations, we see that a complementary identity verification process, with the capture and verification of a server-side biometric, is complementary to a passkey registration in terms of security.
So I know we were going to touch on onboarding and recovery a little bit later, but I do want to touch on that now, because we already have some questions coming in with regard to it.

Great.

So understanding that a strong remote IDV solution makes sense to onboard, so that you can ultimately recover later, how do you recommend organizations plan for this? And I’m specifically talking on the workforce side in terms of existing employees. I think there’s definitely a really easy path, once you have a solution in place with IDV and passkeys, to onboard new employees. But how would you recommend organizations look at their existing user base and plan for getting them onboarded, or is it re-onboarded? How do you address that with your customers?

Yeah, as we have discussed, I think there are differences in implementation and enrollment strategies when it comes to B2C and when it comes to workforce. As you correctly point out, for workforce it is a very simple process when you can do enrollment at the initial device provisioning, for example. So when a device has been provided, that is when the initial establishment of a passkey can be completed. That is the very simple process. But when we think about what that looks like for the existing workforce, we need to implement a similar type of approach to what you would see for B2C. It needs to have that same user experience and considerations, where we are prompting the registration of a passkey after a successful login. So we’ve got the security element, it is low friction from that workforce employee’s perspective, and it can be easily combined into the existing login scenario that exists for that organization.
One of the good things about implementation of passkeys in the workforce scenario is that obviously the control and management is centralized, which can make tackling any exceptions or any issues far easier. But again, we do need to ensure that there is a secure element to the recovery process too. So that also fits the bill of having the implementation of maybe the verification of a server-side biometric that’s previously been registered, or maybe a more direct verification solution where interaction with the help desk or with the IT team is required very directly, such as a video call or some in-person interaction where possible.

And then, in terms of the lifecycle management piece of adding or removing devices or disabling devices. Specifically, the question I have is with regard to device-bound passkeys like FIDO security keys, for example, in a workforce scenario. Because there are a few questions that we received about this: hey, it’s a device that can get lost, and that can sometimes be a blocker for an organization when they’re trying to wrap their heads around, okay, what is the process when that device is lost, even from the perspective of, okay, if it’s lost, I still need that employee to be able to get in, and then the other piece of either revoking or replacing that device. Can you touch on that a little bit?

Yeah, of course. And it’s great to have that question and to understand the answer to it in the context of the overall lifecycle, because the recovery and exceptions processes are the ones that we see as most critical in the successful implementation of a passkey infrastructure and a passkey rollout. In terms of where the device is completely lost, it becomes important that you have implemented a scenario where passkeys are not the silver bullet, that there are fallback options and there are step-up authentication options.
There is a myriad of options available; it’s not for me to be prescriptive about it, but it is important that those are available to facilitate recovery and exceptions when they do occur. And it’s much easier to do that in a workforce scenario than it is in a customer-facing scenario. But still, it does introduce and present some process problems for our customers.

So in terms of controls, what should folks be looking for? For example, they’re going to roll out passkeys with a vendor, or they’re looking at vendors. This is like a control layer on top of the technical implementation, right? So what are the kind of features that they should look for that they might not know are available to them? What is the ability to control these things?

The ability to control the passkey, the synced or device-bound passkey itself, do you mean, Megan?

Like the controls around revocation and issuance and things like that. Again, back to that definition of the lifecycle management associated with it.

I would say when we think about the associated controls, we think about the market and the ecosystem in which our customers or clients operate. So is it a regulated industry? If so, what is specified under regulation? For example, under PSD2 we have regulation where we need to report on failed authentication attempts associated with the passkey. So those types of planning considerations prior to implementation will make a big difference. And then when it comes to the implementation, contextual UI and contextual user experience associated with the registration are critically important. It’s made easier by the definition of what type of passkeys are acceptable, synced or device-bound. And in terms of device-bound passkeys, obviously mobile devices are a very suitable medium for that.
Moving on past the initial registration considerations, with those authentication reporting considerations already taken into account, we then look at account recovery as the next critical lifecycle decision: what the supporting security architecture around recovery and exceptions is. And as I have alluded to, we do see the popularity of a biometric associated with the recovery. But there is also a massive amount of options out there for customers to implement.

That’s great. Thanks. And just for our audience, we’re going to talk a little bit more about recovery in a bit, so we can get to some of the specific user flows that they could think about putting into place. But for now, I wanted to switch over to the enrollment topic. So enrollment is my most important thing, right, because you can have passkeys all day, but if no one’s using them, it’s not going to get you to where you’re trying to go. And I want to talk first about consumer use cases and what you’re seeing out there. What you need to have happen is that your consumer users are enrolling passkeys or opting into using passkeys. We at the FIDO Alliance do a lot of UX research with consumers, and we have design guidelines that reflect what we have learned from that. But things like when do you prompt to enroll, what is the cadence, there are so many different ways that you could go, at what point in time are you prompting, what channels are you prompting through in addition to the sign-in screen? So what are you seeing out there with your customers on the consumer side? What is working best in order to get to scaling the enrollment?

Yeah, absolutely. Far and away the most popular pattern that we see implemented when it comes to consumer enrollments is the post-login prompt.
So that will be, at the point of successful login, the end user is prompted to register the passkey for future authentication. That is by far and away the leading implementation pattern that we see when it comes to enrollment. I think the low-friction aspect of that is complemented by the fact that you’ve had the verification securely made at that point. And then the user experience within browsers, and how that is handled and presented within the browser, makes for a contextually relevant experience for the consumer, one that they can understand. It’s handled well within that UI, where they can see and understand what it is that they’ve been asked to do and then the future benefits of that in terms of the progressive enrollment.

Do you think that might be based on the maturity of passkeys, and that consumers maybe recognize them a little bit more? The context behind that question is that there have definitely been changes, from what I’ve seen in our research and what other folks that have large customer bases like you have told me. When we first rolled out passkeys, and the first couple of organizations were rolling them out to consumers, it was more like, prompt them at account-related tasks. So are you locked out of your account? Why are you locked out of your account? Oh, hey, well, you don’t want to deal with that again. How about using a passkey? Or other things where they’re actually thinking about their account, instead of the post sign-in prompt, where it was like, what are you talking about? Why are you bothering me right now? But now we see more and more what you’re saying. We’re several years in at this point, and that post sign-in prompt is actually working more and more, and more organizations are going that way.
Do you think that the familiarity with passkeys is lending to that rise in enrollment with the post sign-in prompt?

I believe so, and I think that’s a very succinct observation, because the experience and understanding of passkeys from that end user’s perspective is growing exponentially. If we look across scenarios in which consumers have been exposed to passkeys, maybe in relatively non-regulated situations, say with a large organization within the U.S., we can look within our synced passkeys now on our devices, and I think many of us on the call will have registered passkeys for such a retailer. That type of adoption, that type of interaction, grows the understanding hugely within the customer base and grows the understanding of the experience associated with it. And that has a key impact on the adoption of passkeys at that post-login prompt, because there’s a contextual understanding to it.

And what about from a UX perspective? In terms of getting folks to enroll in passkeys, but migrating away from something like password plus OTP, how do you recommend doing that without the experience for the user being different across the different apps and platforms that they’re using? How do you make it more consistent? I would say I think it’s okay, but I’m biased. It’s good. But these are different applications, there are different platforms, they have different ways of speaking, they have different ways of displaying things. So are there any methods that could be used to make that experience more consistent when they’re moving around different platforms or different applications?
Yeah, I think probably the best solution here, the best prescribed solution, would be conditional UI and credential hints associated with the actual implementation of the passkey authentication, so at registration and authentication. That conditional UI that allows the browser to display the registered credentials and offer those to the user gives the context, and then obviously there’s an autofill element to that as well, which is quick and easy and frictionless. And that helps them along the journey of replacing username and password and understanding the benefits and experience associated with replacing username and password.

Yeah, I think the little pieces that WebAuthn offers in terms of implementation are sometimes overlooked. Most of the implementations I deal with on a daily basis as a consumer are pretty good in that respect, but you do encounter one that’s glaringly different, that isn’t leveraging autofill, for example. And that can lend to problems with actually getting sign-in success, I think.

Yeah. The consistency of the experience across browsers, across operating systems, when an app-based passkey does come into account, is critical and has to be one of the major concerns when implementing passkeys.

Yeah, I agree with that. Now on the workforce side, can we talk about enrollment a little bit? I think there’s a bit of a misnomer out there with some folks, if they’re not in charge of this within their own organizations, that, oh, well, you can just mandate it to the employees and that’s it. And that’s not actually what real life is like.
So in terms of enrolling employees into passkeys, there’s definitely a need to have them be in favor of that, first of all, to want to do it and want to enroll. And then there’s a second piece: as an organization, you really need those employees to be able to sign in. And so in reality, most organizations will remain with some backup options for signing in should something prevent the user from using their passkey. So in your experience in terms of enrollment, what have you seen be the best practices, or what’s working on the workforce side?

Yeah, for the workforce side, obviously in a perfect world it would be enrollment at the initial device provisioning, which is what customers want and the path of least resistance. But of course that’s not possible with existing employee groups. While it is a critical consideration when planning out a passkey adoption process, starting with and ensuring that there is enrollment at the initial device provisioning phase, that’s the number one element. Then we need to look at the context of understanding for passkeys within the employee group and within the workforce. It is just as important as it is for end-consumer adoption to have the workforce understand and be contextually aware of what they’re being asked to do, how they’re being asked to register and how they are asked to adopt passkeys. And that can be successfully done post-login. The prompt can be displayed there. One of the benefits of workforce versus consumer is obviously that there are far more touch points when it comes to the workforce itself. So there’s far more opportunity to prompt the enrollment and an increased opportunity to have successful enrollment leading to authentication.

That’s great to hear.
The FIDO Alliance, if folks aren’t aware of it, has a site called Passkey Central where we have deployment guidance for B2C. This year, these conversations with Eoghan are part of our initiative to do the same for workforce deployments, so really to provide this kind of guidance that can get workforces moving towards passkeys. Because to your point, there are so many touch points, but also users are using it at work and they’re consumers too. They’re going to use it more in the wild when they’re doing consumer activities. So it’s really important to get this kind of guidance out on the workforce side, so that it’s a little bit clarified what’s possible and what you can do.

Moving on, this is a good time for the recovery section. And yes, we’re going to talk about recovery, but what we really mean is the initial onboarding more than anything, because your recovery, when it comes to passkeys or pretty much anything, is really only as good as what you have to re-prove this person’s right to that account. And a lot of times that boils down to how you initially proved this person, how you initially onboarded this person. If that is a sound mechanism, then you’re going to be able to more soundly do recovery. So that’s the topic area that we’re going to talk about. But there are several questions in here on the consumer side and the workforce side around this, so we probably need to distinguish what the best practices are for each. So let’s start with some level setting: okay, in what scenarios do we need recovery? What scenarios would we mean by recovery?
And what are the basic tools that companies currently have to do that?

Sure. Yeah, absolutely. I think your point is fantastic, Megan, in relation to the intrinsic link between the recovery process and the primary enrollment process. If we have a scenario where the recovery process is weaker than the primary enrollment process, attackers will simply bypass that enrollment and look for the recovery channel to exploit. So that’s absolutely critical in terms of understanding the intrinsic link there. Now, when you ask about the associated use cases for recovery, help me understand that a little bit more. Do you mean situations where the consumer or workforce end user has lost their device or has an issue? Is that what you mean?

Yeah. I mean, I think it might be helpful to clarify synced passkeys versus device-bound passkeys. In theory, if you’re leveraging synced passkeys, there will be fewer scenarios where there’s no passkey, right?

A hundred percent, yeah. In a scenario where you’re leveraging synced passkeys, as a key element of the recovery process you can trigger a step-up. With a synced passkey, the user is likely to have, say for example, lost one device but have another. So for the workforce scenario, if an employee has lost their workforce device, their iPhone, but they still have their corporate laptop, then there’s a synced passkey associated with that and it’s tied to the security key. They don’t need to start from scratch. You can then implement a recovery process in which step-up authentication is associated with it. And you can ask them to log in with that remaining trusted device and re-establish a passkey registration on the new device, say, for example.

Okay. So let’s back up, because that sounds awesome. Let’s back up to what’s happening at that initial enrollment to enable that.
What are the things that are being granted to the user? What do you have to put in place in order to get to that kind of scenario where they should have some way in, right? We’re not going to get to that point of, I have nothing.

Yeah, and I think that’s one of the key considerations for the use of synced passkeys. At the enrollment of the synced passkey, you will be in a scenario where the end user has the opportunity to not just define that passkey, but also sync it within the cloud across multiple devices. That obviously is a prerequisite to that type of recovery scenario. When that does exist, then obviously that synced passkey is going to be available on another device, or available in the cloud infrastructure, for step-up authentication. So in a scenario where recovery occurs, the user is asked to log in with the other trusted device. I think I was just going to say that then we need to think about the scenario where the user has lost everything, where there is no additional device which can be relied on or which is available to provide the syncing of the passkey. And I think that’s where we must consider a re-proofing scenario. What our customers see and what they implement is an identity verification or an identity authentication flow that is in some way linked to the onboarding event at the registration of the passkey. So if we think about that as an identity verification flow capturing and verifying the biometric at that re-proofing attempt, then we can capture another biometric and verify that it is that same user and establish that it is not a bad actor, not somebody trying to trick the system, but indeed we have been able to validate that the biometric is linked to the one with which they enrolled.
The re-proofing is the best case scenario, but it’s not for all scenarios, right? So there are some questions, and these are really good questions, really more on the B2C side. How do you... well, okay, I’m sorry, before I move to that, I’m going to finish with the scenario that you just talked about. So is there some binding that gets done between the user and the device and the passkey? What is the process for re-proofing? The question is really, is it just the biometrics, or is there another piece that is bound to that account that you can look at to make sure that they’re the right person?

Yes. There is certainly other contextual information that you can look at. If we take a consumer use case, for example, of course the other contextual information is key to understand there as well. What other information can we get from the device? What information can we garner, maybe from location, maybe from other pieces? But to look at exactly what is taking place there: at the point of registration of the passkey, we’re in a situation where we have a high level of identity proofing. So we’re performing an identity verification on that end user, and at that point we’re validating the biometric, ensuring that it is a real, live, true person, that it is not a bad actor, not a video or deepfake or adjusted presentation. And then that biometric is stored on the server in hashed format, so it’s available if or when a recovery scenario occurs. At the point of that recovery scenario, the end user is asked to recapture a biometric that is verified, and then a comparison is completed against the biometric stored from their initial registration.
Thank you for clarifying that. But on the consumer side, how do you recommend handling it where they’re not able to onboard a user with that level of data, because there are different consumer cases? Are most of your customers in more highly regulated industries where there’s sensitive enough data that the onboarding process generally leverages an actual remote IDV process?

That is what we would typically see from our customers in the industries in which they operate. If we look at the consumer-based recovery options, I think really the important message is that we can’t have a scenario where we’re relying on potentially exploitable vectors. If it’s SMS OTP, if it’s knowledge-based authentication via questions, those are very phishable and those are very easy to exploit. So it’s really important not to rely on those scenarios and to ensure that you have more hardened solutions. When it comes to consumer, obviously the friction, or the lack of an existing server-based biometric, is a limiting factor, and I would say then it’s more important to look at those additional signals, like the IP address, the browser information, what we can gather from the use of a proxy, potentially any other telemetry that we can rely on. And then we need to think... yeah, go ahead. Sorry.

I said good timing. You’ve finished. To move to... you finish, and then we’ll talk a little bit about adding signaling into the passkey flow.

Yeah. Perfect. Please go ahead. I think that’s the perfect time to do it.

So, yeah, I think this is one of those things that comes up all the time: are passkeys sufficient by themselves?
Well, I think that most authentication systems, regardless of what credential they have been using, have used additional contextual and risk signals since always, and that was never intended to go away with the introduction of passkeys. So I think it could be worth talking a little bit about how to layer different signals onto that flow, and then also when, if ever, you actually ask for step-up and what that step-up should require. Yeah, absolutely. So thinking about signaling, let’s think about it in terms of registration, authentication, and then the actual lifecycle signals too. In terms of registration, the establishment of the synced or device passkey at that point: what are the options there? What are the additional elements there? What’s mandated from a regulatory perspective? What is the actual attestation that’s taking place and the user verification that’s taking place during the enrollment? And then for authentication, obviously in a scenario where the authenticator, it’s not signing, let’s look at the metadata associated with the authentication data as well. So make sure the signals incorporate those metadata elements too, whether they be user verification such as Face ID, fingerprint, or, if it’s Windows, Windows Hello, that type of element. And then in lifecycle signaling, when we have a situation where the device communicated something to the server about what it was doing, what happens in a revocation or a deletion scenario? So there’s one question that lends into clarifying that, because you mentioned metadata. The question was: am I able to tell, as an RP, that the passkey coming in is a device-bound passkey versus a synced passkey, so that I know that the device-bound passkey meets my AAL3 requirements? Yes, absolutely.
Yes, you can, but I thought you might want to explain that. Yeah, of course. Thank you. Absolutely. In a scenario where we need to define if it is a synced or device-bound passkey that’s been utilized, it is possible to say which is which, and to gather and process the metadata associated to the passkey to define that for us. And the situations where that might be important are usually where, from a regulatory standpoint, it’s mandated that you differentiate between synced and device-bound. So back to the step-up topic. Are there ways to do this: you’ve got the passkey, you’ve got all these signals, there’s some anomaly in the matrix, something seems untoward, if you will. How can you then request a step-up, and what should that step-up be without it being a huge hassle for the user? Yeah, there’s certainly an element of friction introduced at recovery and at step-up, and some of that is unavoidable. When we think about the consumer, obviously friction is a key consideration. But from the security aspect, we need to think about implementing an identity proofing scenario. There has to be an identity verification situation that occurs where the user is proving that they are who they say they are, and that can be relied upon. So maybe that will be the establishment of their identity with their identity document and their biometric. Another option for recovery, in terms of the step-up associated to it, would be a time-delayed recovery. We do see that implemented in some scenarios by customers, in which the end user has almost a cooling-off period or a waiting period: the account recovery is initiated, but it’s not possible to complete it at that point in time. So that might look like a twenty-four-hour window.
Obviously that’s something that’s definable, and that process can be constructed based on the customer’s needs. I will say that if you’re a service provider for, say, a financial institution, and your customers are doing more sensitive transactions within your infrastructure, what we see from our UX guidance and from our other research is that most consumers are actually okay with having friction added when they’re doing something that’s really sensitive, and they actually get a sense of comfort from that, for what seem like obvious reasons. But I do think there are situations where consumers are actually surprised. They do want speed. They do want fast sign-ins across the board, but when it comes to a highly sensitive transaction, like moving a lot of money or changing a beneficiary or whatever it may be, they’re actually surprised if you don’t add friction. So ensuring that you’re giving the extra security also gives a little bit of comfort to the customers. Certainly. And as we have discussed and as you have said, Megan, it really brings to the fore how context is key, and how you’re instructing and communicating to that end user, whether they be a consumer or workforce, the benefit of what they’re being asked to do. So if it is in recovery and there’s friction associated to it, if they understand the potential security impacts of not following that method, there is better adoption, because there is a more inherent understanding of the benefit that they’re getting from that. Okay. Let’s move to operations and measurements. So KPI is my favorite three letters, obviously.
I think that most of our conversation today was about the nitty-gritty of the planning. But of course, there’s a whole thing that happens before that, where you need to get organizational buy-in for the project. You need folks to be aligned on things. But then, as you move forward through your project, there are measures of success, right, that organizations should be looking at. We do get a lot of questions over what those should be. There’s security, but what else? I mean, is it security? I hope so. But what other things should organizations be tracking to see that they’re making improvements in the organization? Yeah, thank you. I think it’s definitely worth tackling that in two pieces, because the level of understanding that we see our stakeholders wanting to create is really around account takeover risk. So establishing an understanding within the organization as to what the risks of account takeover are and how great they are from the regulatory perspective, what the reputational risk associated to those is, and the obvious monetary risk to the customers too. It’s very important that that is established prior to the communication of the potential rollout of a passkey solution, because what we have found is that you will massively influence account takeover risk. And that, to the second part of the question, then becomes the key KPI: what is the reduction in account takeover situations encountered via a passkey rollout and adoption by the organization? It almost seems too simple an answer to say it, but that is the key KPI, the ultimate KPI I should say, when it comes to passkeys. We do have some other associated KPIs as well when we look at passkey authentication, and that’s the reduction in the time to log in.
So the data shows that end users, be they workforce or B2C, have a far reduced time to log in when it comes to the utilization of passkeys. So those I would say are the two top KPIs: the reduction in account takeover and the time to log in for the end user. And then there are other non-direct KPIs that we see interest in from certain customers, such as the reduction in help desk tickets and the reduction in administrative work associated to password resets or to the definition or redefinition of acceptable login scenarios. Right. I think that we see passkeys as, oh, this is a security project, and it should be, of course. But what we see from the perspective of organizational buy-in is that you might need to be convincing your CRO, you might need to be convincing your CMO, you might need to be convincing folks that are really looking at the revenue side of things, and sometimes, just from an organizational buy-in perspective, it becomes really valuable to have those kinds of KPIs to be tracking. We have some data around the workforce side, and on the consumer side we have a lot of organizations that come and say, especially if they have some sort of revenue-generating thing behind the sign-in, we are making more money because we deployed passkeys. Exactly. And that can be a really good way to get a project moving, because at the end of the day you’re improving security, but the faster sign-ins and more successful sign-ins keep people on their way to do what they want to do. A lot of the time that could be a transaction or, for an employee, getting their work done, which is what you need. Exactly. That’s it. Yeah. And we’re going to be providing more KPIs out on the business, on the workforce side.
We’re going to be providing that out to the community so that they can leverage it for getting internal buy-in on projects, because there’s a lot of demand for that, because that’s what they’re being asked for. Certainly, yeah. And I think it’s really important to understand, exactly as you say, that this tends to be a security project. This implementation, adoption and design tends to be a security project. But we must not forget that ultimately everything is a user experience project as well. So the benefits that you talk about, the reduced time to log in, ease of use, removal of friction, those are massively impactful and will probably have just as much of an influence on the overall success of the process and project implementation. Absolutely. So wow, we are coming to the close of our chat today. I think we probably could have spent most of the time on just one of these topics, but it has been really beneficial to chat with you. There are some questions that I think you’ll want to answer, so we’ll follow up with you if you have a specific question for Eoghan on what his thought is on a specific thing. These are really great questions, and I’m sure that Eoghan has the right answers to them. So we’ll make sure to give them over to Eoghan so he can follow up with all of you on these specific questions. But to wrap things up, Eoghan, is there anything that you want to make sure that our audience comes away with today in terms of their ability to deploy passkeys? Yeah. I think I would link back to that. So first of all, thank you for the opportunity to answer those questions. Sorry I didn’t get to everybody’s today, but I would be delighted to respond directly to the questions following the conversation today.
Secondly, to your question, Megan, as to what the takeaways would be, I would like everybody to leave here with an understanding that the lifecycle management that we spoke about at the start, and the establishment of what that lifecycle management looks like, is really the key pillar to success for the implementation of passkeys within the organization. We need to look at those pillars of registration, authentication, enrollment, migration and recovery, and the plans and processes associated to those and the models of implementation associated to those will lead to the success of passkey adoption and rollout. Thank you so much for being with me today, Eoghan. Like I said, we’ll be following up with you all if you had specific questions. Love your questions, by the way. It sounds like we have a very captive and informed audience on the particulars around their decisioning around passkeys, so that means that we’re helping, I hope. So please do take the survey and give us your feedback on the content or any content that you hope to see from us in the future. And thank you so much, Eoghan. This has been a great conversation. I love that we could dig into a little bit more of the real nitty-gritty of the decisioning around this, because I think that’s where people are from a project planning and implementation perspective. So your experience in this realm has been really helpful to me. So thank you for being with me. It’s a pleasure. Thank you very much for the opportunity. And exactly as you say, we do have a really keen understanding of what our stakeholder problems are and what they’re solving for. So I would be delighted to have contact from anybody whom I can assist and help with passkey adoption and rollout following our discussion today. Eoghan’s email address is in the console.
Don’t sign him up for any pizza deliveries or anything like that, but please feel free to contact him. We’ll be in touch with all of you, and thanks again for joining us. I hope that we’ll see you on a future FIDO Alliance webcast. Have a great rest of your day. Bye. Thank you, bye.
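The audience question in the discussion above, whether a relying party can tell a synced passkey from a device-bound one, is answered in WebAuthn by two bits of the authenticator data flags byte: BE (backup eligible) and BS (backup state). The Python below is an added example written for this page; it is not code from the webcast, from Daon or from the FIDO Alliance. It parses the fixed 37-byte header of authenticator data (rpIdHash, flags, signCount), classifies the credential, and applies a simple relying-party policy such as the AAL3-style "device-bound only" requirement raised in the question. The relying-party ID `example.com`, the policy parameter names and the sample authenticator data are constructed for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bit positions in the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
FLAG_BE = 0x08  # Backup Eligible: the credential may be synced to other devices
FLAG_BS = 0x10  # Backup State: the credential is currently backed up
FLAG_AT = 0x40  # Attested credential data follows the header (registration)
FLAG_ED = 0x80  # Extension data follows


@dataclass(frozen=True)
class AuthDataSummary:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    backup_state: bool
    sign_count: int

    @property
    def credential_kind(self) -> str:
        # BE=0 means the authenticator asserts it will never sync this key;
        # that is the "device-bound" case from the discussion.
        return "synced" if self.backup_eligible else "device-bound"


def parse_authenticator_data(auth_data: bytes) -> AuthDataSummary:
    """Parse the 37-byte fixed header of WebAuthn authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data must be at least 37 bytes")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])  # big-endian uint32
    backup_eligible = bool(flags & FLAG_BE)
    backup_state = bool(flags & FLAG_BS)
    # Spec invariant: BS may only be set when BE is set; reject malformed input.
    if backup_state and not backup_eligible:
        raise ValueError("invalid flags: BS set without BE")
    return AuthDataSummary(
        rp_id_hash=rp_id_hash,
        user_present=bool(flags & FLAG_UP),
        user_verified=bool(flags & FLAG_UV),
        backup_eligible=backup_eligible,
        backup_state=backup_state,
        sign_count=sign_count,
    )


def passkey_meets_policy(summary: AuthDataSummary, rp_id: str,
                         require_uv: bool = True,
                         require_device_bound: bool = False) -> tuple[bool, str]:
    """Apply a relying-party policy to a parsed header and return (accepted, reason).

    The policy parameter names are hypothetical, chosen for this example.
    """
    if summary.rp_id_hash != hashlib.sha256(rp_id.encode("utf-8")).digest():
        return False, "rpIdHash does not match this relying party"
    if not summary.user_present:
        return False, "UP flag not set"
    if require_uv and not summary.user_verified:
        return False, "user verification required but UV flag not set"
    if require_device_bound and summary.backup_eligible:
        return False, "policy requires a device-bound passkey; credential is backup-eligible"
    return True, "ok"


def build_sample_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test vector for this example, not a real authenticator response."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    synced = parse_authenticator_data(
        build_sample_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0))
    bound = parse_authenticator_data(
        build_sample_auth_data("example.com", FLAG_UP | FLAG_UV, 7))
    for s in (synced, bound):
        print(s.credential_kind, passkey_meets_policy(s, "example.com", require_device_bound=True))
```

The flags are asserted by the authenticator, so a relying party that must prove a credential is device-bound should rely on them only for credentials whose registration attestation it verified (the attestation step mentioned in the signaling discussion), and should treat a BE/BS combination that changes across assertions for the same credential as a lifecycle signal worth investigating.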