Video: 10 Minute IT Jams - An update from FIDO Alliance
Passwords could soon be a thing of the past.
That is the bold vision of the Fido Alliance, a global industry association dedicated to advancing authentication standards that enhance both security and convenience by moving beyond traditional passwords. Andrew Shikiar, executive director and chief marketing officer at the Fido Alliance, discussed the organisation's mission and growing influence in the Asia Pacific region during a recent interview on 10 Minute IT Jams.
"The Fido Alliance is an open industry body focused on reducing reliance on passwords," said Shikiar. As part of its mission, the alliance works to replace passwords with standards-based mechanisms such as passkeys and device authentication, aiming to tackle a core problem in cybersecurity: data breaches. "The vast majority of data breaches and remote account takeovers are due to passwords," he explained, "so if you solve the password problem, you start to tackle the data breach problem as well."
Founded more than a decade ago, the Fido Alliance now comprises over 250 member organisations, around a third of which are headquartered in Asia Pacific. The group collaborates to create technical standards, business best practices, and certification programmes, all with a common objective — eliminating the vulnerability of passwords.
"Some of the earliest innovation around Fido actually came from Asia Pacific, notably Japan, Korea, and China," Shikiar highlighted. Early adopters in the region spurred the development of passwordless authentication long before it gained global traction. "In Japan, NTT Docomo was the first mobile network operator to support Fido authentication, allowing mobile customers to sign in without a password," he noted.
Tech giants like Samsung have also championed Fido standards, incorporating them into devices, payment platforms, and mobile services. "Samsung has long been a stalwart founder and supporter of Fido, not just in its devices but for things like Samsung Pay and Samsung Pass," he added. Today, dozens of banks and service providers across Asia Pacific use Fido's specifications, with adoption now stretching into the broader ASEAN region and Taiwan, where governments integrate Fido authentication into national identity schemes.
The Alliance recently marked a major milestone in the region by staging its first ever Fido APAC Summit in Vietnam. "We saw dozens of case studies and speakers talking about how they're working with the Fido standards to get rid of passwords for consumer and workforce applications alike," Shikiar remarked.
The shift away from passwords is enabled by public key cryptography. Rather than storing a password on a server and relying on users to memorise it, the approach gives each user a unique key pair during account registration. "The public key sits on the server, and the private key stays safely on your device," Shikiar outlined. "When it comes time to sign in, you verify yourself locally to your device, and then the key is activated to have a secure dialogue with the public key."
This approach, he explained, is fundamentally different from traditional passwords: everything is done securely and locally on the device, with communications between device and server fully encrypted. This eliminates common opportunities for hackers — such as phishing or buying leaked passwords on the dark web — to compromise consumer or enterprise systems.
One of Fido's flagship achievements is the development of passkeys. Unlike passwords, which must be entered and managed separately on each device, a passkey can be securely used across all of a user's devices. "With passkeys, you've maintained the same level of security and phishing resistance but added significantly to usability," Shikiar said. "Unless intuitive technology is too hard to use, it won't get leveraged — your employees will work around it, your consumers won't opt into it. The user experience needs to be as seamless as possible, and we're laser focused on providing guidance and best practices to help companies implement passkeys with an optimal user experience."
For organisations across Asia Pacific, the benefits extend well beyond robust security. In the workforce, moving beyond passwords addresses both security risks and operational expenses. "If your employees are relying on passwords or old forms of two-factor authentication, there's a higher risk they'll need to reset passwords," explained Shikiar. "There's a hard cost associated with password resets, like the IT worker who's doing that, employee downtime, and all sorts of wasted resources associated with helping people log into systems and services."
Beyond the costs, password-based authentication has exposed organisations to attacks. Attackers frequently use social engineering to trick employees into divulging passwords or one-time passcodes, as highlighted by recent ransomware incidents in American casinos. "That's what happens when you're dependent on shared secrets for user authentication," Shikiar said, referencing major breaches where hackers exploited help desk vulnerabilities to gain access.
Passkeys, he argued, cut off these attack vectors. "The user must verify themselves to their device and that can't be spoofed out of the user," he said. "The only way to take over someone's account is to physically take their device, which eliminates the remote, scalable attacks and greatly narrows the threat vector."
For consumer-facing businesses, the promise of passwordless authentication is equally compelling. Data from Fido Alliance research, set for public release next month, shows that in the past six months, more than half of surveyed consumers abandoned a purchase because they forgot their password. "That's a remarkable number of people who are not making a purchase because they don't know how to log in and access their account," Shikiar noted. "Your typical e-commerce company has maybe a 70 to 80 percent sign-in success rate. Once someone's enrolled in Fido authentication, that sign-in success rate goes up close to 100 percent, and the time to sign in for two-factor authentication goes down by around 80 percent."
The shift not only saves on support costs, he said, but also boosts revenue as more customers are able to access content and complete purchases. "You're creating greater revenue and opportunity because more people can access the content and purchase services online," said Shikiar.
For those keen to get involved or learn more, Shikiar pointed to the wealth of information and case studies available through the Fido Alliance. "If you are a vendor or service provider, there are all sorts of resources. Vendors might be keen to understand how they can use the specifications in their products, and service providers might be interested in learning about other companies that have deployed Fido, reading case studies and things like that, so they can understand how to deploy passkeys instead of passwords to their consumers and the workforce," he said.
As organisations and individuals across Asia Pacific and beyond contend with the escalating threat of cybercrime, the Fido Alliance's passwordless vision for authentication is gathering momentum. "We're laser focused on providing guidance and best practices to help companies implement passkeys with an optimal user experience," Shikiar concluded.