Passkey Perspectives: Navigating FIDO Alliance’s Journey with Megan Shamas

Christine Owen:
Hi, and welcome to Identiholics, the podcast about the latest in digital identity. I know there's a ton of identity podcasts out there to choose from, so I thank you for watching ours. We decided to coin this podcast Identiholics because we find that identity folks tend to work hard and play even harder. We'll strive to be engaging and bring some interesting voices from the community that aren't always heard on podcasts. Thank you so much for listening, and I hope you enjoy this episode of Identiholics.

Hi there. Welcome to Identiholics. This is the very first episode. I am your guest host Christine Owen. And I'm here with Megan Shamas from FIDO Alliance. I'm so excited to have Megan. I'm wearing my FIDO Green for her today, and apparently she's wearing something for me as well. Thanks, Megan. So I'd like to start off by having a little bit of an intro of yourself. I know that some people know that you are the face of Authenticate for sure, and that you do some sort of marketing. But how did you get to where you are and what is it that you do at FIDO?

Megan Shamas:
Oh, thank you. I am obviously a big Christine Owen fan. If you don't have a Christine Owen T-shirt, just DM me and we'll get that set up for you.

I'm Megan Shamas. So I do run marketing for the FIDO Alliance, which to Christine's point is like, what does that even mean? And what that means is, because the FIDO Alliance is a nonprofit association, we're member-driven, I'm not a typical kind of marketer. My job is actually just to encourage market adoption of FIDO authentication, our standard certification programs, and just encourage stronger authentication around the world. So my role is probably better to call me the senior director of market adoption for FIDO Alliance and marketing, only because marketing sometimes has a connotation of a sales spin, which is not really what I do. So I do all of our external educational programs, market adoption programs, everything external to FIDO Alliance, and everything internal in terms of our member communications, member relations, kind of an arm to our members as well as a marketer. 1Kosmos is one of our members. But for us, our goal is to get our folks that are out there selling FIDO solutions to be successful. So I work a lot with our members as well to encourage their success.

Christine Owen:
I will say you have a really good and deep understanding of the standards and how they operate and also what your member companies are doing. And you have, I want to say, a gazillion member companies, but I don't think that's the right number, you definitely have in the hundreds, right?

Megan Shamas:
Yeah, a little less than a gazillion. We have 250 members, and that spans really everyone from folks that would deploy the technology. So major financial services brands, major tech brands, major e-retailers, folks like that, to the folks that build the solution. So all the platforms, Google, Apple, Microsoft, all the password managers that support FIDO authentication, the browsers, et cetera. And then of course, the folks that are developing solutions to FIDO specs and are out there working with these service providers to deploy the technology. Yeah, the thing about standards, and I've been doing standards adoption stuff my whole career, which is a little bit weird, but you can't really educate folks about things that you don't understand at a deep level. So yes, I do make it a priority to understand the specs, the tech at a really deep level, and try to up-level that for the different audiences that we have.

Christine Owen:
FIDO has a really good spec that is, generally speaking, passwordless and phishing-resistant, which is amazing. But there's a lot within FIDO. So in standards organizations, I feel like your job is just to travel the world, maybe I'm wrong, but you guys have a lot of plenaries, you also have Authenticate. What all is it that you guys do at FIDO to be able to help push adoption of phishing-resistant, passwordless authentication mechanisms?

Megan Shamas:
Yeah, that's a good question because I do a lot of presentations where it's like, "Do you know what the FIDO Alliance does?" And folks always raise their hand. I'm like, "But do you really?" "I don't know." So it is multifaceted. I am paid to travel the world, which is pretty amazing. But there's three things, three buckets essentially. The first one is specifications. The FIDO Alliance has been around since 2012. The mission has always been the same, which is reduce reliance on passwords, get rid of passwords. Passwords are the ultimate vulnerable factor of why phishing is so successful, account takeovers are so successful, and it seems so basic. It's like, no kidding, passwords are not great.

There's an answer to why we don't have something better what we do now, which is FIDO. But there's a reason why we've not had something to replace that in so long. You didn't ask me this question, but it's because passwords are just ubiquitous. Anybody can set up a login screen with a password anywhere. So with the specifications, so we do specifications. We've been evolving our specifications over time to become as ubiquitous as passwords could be, which means working with the W3C to make FIDO a web standard so that it could be built into every major operating system, every major browser to enable that same sort of functionality.
So that's on the specification side. So there's been an evolution there.

The work that's being done on the specification is driven by our working groups. So these are members from all over the world that volunteered their time to work on specifications with the FIDO Alliance, and they are the primary drivers of our, what you would probably know as FIDO2 with WebAuthn and CTAP. We also have FIDO UAF, which is a mobile device specification. And then, of course, folks probably are aware of FIDO U2F, which was our previous spec that was kind of hugged into FIDO2. So that's the specification piece, all run by our technical working groups. I just want to mention also just briefly that we also have a spec for secure onboarding of edge devices and IoT devices, which is called FDO. And again, those specifications are driven by our working groups.

The second thing that we do is certification programs, which is as simple as compliance against the specifications that we have. We do security level certifications for our user authentication specifications as well as general compliance. But we also, we have certification programs for adjacent areas that there have been a gap in certifying these sorts of solutions, but they're adjacent to FIDO in that it's biometric component certification. For example, its document authenticity solution certification. And then we have one coming soon that we can talk about maybe later. So that's the certification piece. You can see folks that are deploying FIDO, asking for FIDO certified solutions. They want just to see that evidence that the solutions have complied with the specifications and that they will interoperate together as they're supposed to.

And then the third piece is market adoption programs, which is the piece that I run. And that is really, again, just to drive the adoption of the specifications and the certification programs. So that's what the FIDO lines does. And again, even on the adoption side, we have a number of working groups. I know, Christine, you're in some of our adoption working groups where the members are all working together to figure out ways to get FIDO adopted in different segments. So enterprise, consumer, government, regulated environments, financial services, et cetera, et cetera.

Christine Owen:
The working groups are pretty neat because this is not our day job, those of us who go to the working groups. So when we take on something extra for FIDO, it's kind of a hobby in some ways because we do it on top of our normal day-to-day things.

Megan Shamas:
Well, you just hit on the main thing, which is that, exactly, there is a worldwide commitment from these organizations and these people who dedicate their time to making this happen. And that I think is something that gets a little bit missed when the media or folks talk about FIDO, is that this is a huge endeavor from a group of companies and a group of individuals that have said, "We're going to work together to eradicate this issue." And I think that is just a hugely important part about what the FIDO Alliance is doing.

Christine Owen:
Yeah. I mean, I think the fact that you have the three major platforms all working together is really important because if you didn't have them all working together, we wouldn't have a set of standards that we'd be able to use. And really, I'd say everyone in FIDO just wants to get rid of the password. Right? We realize that it's such a bad idea that we need to get something better out there. So it's just, how do we do it? So about, I want to say it was two years ago, but it might've been three, I don't know, what is time? You guys, FIDO announced passkeys, and I feel like since then there's been a lot of momentum when it comes to FIDO. So what do you think has been your most successful thing that has happened with the FIDO Alliance in the past three to five years?

Megan Shamas:
Yeah, I think I was smiling because when we say we introduced passkey, it's one of those things that's like, "Wow, can FIDO Alliance just try to confuse people more? Is this a new spec? This is a new what? What is this?" So I love just explaining this very simply, which is that with FIDO specs and the way that we've approached authentication since the very beginning, a FIDO credential, which is a phishing resistant way to sign in based on public key cryptography, was bound to a device. So there's a lot of really great security benefits to binding a credential to a device. That thing is not getting phished. Right? So that's great, but when you look at the evolution of the way that people use the internet and the way that people use devices, especially on the consumer side, folks don't have just one device.

So what we saw happening, and again, this is a really looking at the consumer use case for FIDO, was that you would sign in with FIDO on your desktop, let's say for whatever service, and then you'd go to your phone and it would ask for a password. Well, that's very confusing because I have FIDO, right? And that's that sort of device-bound aspect of FIDO as it always was. So the real issue with that was for account recovery in the case of a lost device. So I have FIDO on my laptop and I lose that laptop and I want to go to sign into a service later. Well, guess what? I'm going back to a password. That's not what we're looking for here, everybody. So again, the basic principle of FIDO, always the same, but what passkeys introduced was the ability for those FIDO credentials to be synced across your devices.

This is what, in our view, we saw essential for scale on the consumer side. Is syncing a passkey appropriate for every use case, every scenario in the enterprise or everywhere? Not necessarily, but it is an additional piece of functionality that can be very useful for consumer use cases, and I would argue for certain other use cases, even on the enterprise side. So passkeys is really just FIDO credential that enables passwordless authentication. So we haven't done any new specs, it's all FIDO2, it's WebAuthn and CTAP, but this is just a net new functionality that allows us to scale, particularly on the consumer side. And look, if you want to introduce FIDO to your consumers, passkeys is a nice consumer-friendly term. FIDO credential is not, right? So some of this was really just what's going to be a better terminology for us to go mass market with this technology.

So passkeys can be device-bound or they can be synced, and there's passwordless FIDO credentials. So I just felt like I needed to explain that because I do think folks get a little confused of when we bring up the term passkeys. Is this yet another new thing from FIDO Alliance? And no, it's not. So I would say that making that pivot for us is probably the most monumental change for us in adoption since I've been working with FIDO Alliance, which has been since 2016. So this pivot has required a lot of it, new education. Now I'm reiterating this on this talk with you and not even letting you get a word in edgewise at all, which is weird if you've ever met Christine.

Christine Owen:
Usually it's the other way around. Yeah.

Megan Shamas:
I mean, it's weird. You never know what the two of us, who's actually going to be like. But it's just important that we reiterate that the principles are always the same, the phishing resistance is always the same, but now we can actually replace a password at scale, which is huge. So I think just making that pivot is probably the most important thing that we've done. But I would also say that the programs that we've put in place have really driven adoption. And I don't take any credit for this. It's really, our membership is so excited about this. Our deploying organizations are so excited about this. There's companies like amazon.com who has rolled out passkeys, who as soon as we announced that this functionality was available, they were like, "Yeah, of course we're going to do this. We've been waiting for this." And if you look at just the huge numbers of consumer service providers that are just rolling this out, it's a testament to really the soundness of our approach and then our ability to have evolved to market demands.

Christine Owen:
Yeah. So I talked to random people on the street about things like passkeys because I'm weird. What I found, I actually thought that nobody knew what a passkey was or what the concept was, and when I talked to people out in the wild, I guess, to non-identity people, they actually know the concept, they like the concept, and they are all in on the concept. Those who have Apple is like, "Oh, the Apple Keychain. Yeah, absolutely. I know exactly what that is. I know how it works, and I would like to have more applications using this." So it's really quite remarkable that ... I think we've known each other for a while, and I feel like FIDO really blew up after that RSA passkey discussion.

Megan Shamas:
Yeah.

Christine Owen:
And I think you're right. I think it's just the rebranding from FIDO to passkeys really helped push that needle forward, plus the idea of a synced passkey, which does help with the account recovery. It's very important. We have passkeys on all shapes and sizes, and we love them and that's something that we really think that all of our customers should be using because they are phishing resistant and they're just a stronger mechanism. So it's pretty awesome. It's pretty awesome. I think FIDO is doing just such great stuff. What do you see happening with the FIDO Alliance in the next five years? What's your roadmap to get to the next iteration of adoption or of authenticator?

Megan Shamas:
Yeah, I mean, I think that right now I look at our periods of time, our trajectory as awareness building into enablement. So I generally think to the point of even consumers understanding what passkeys are that we generally have the level of awareness that I would think is appropriate at this point in time. Is there still some areas that need more awareness? Of course, but largely that piece is I know I need to do passkeys, I know I want passkeys, how do I actually do it? So now it's about enablement. Doing this is not ... I know it looks like some of these folks deploy this stuff overnight, some can, some have more challenges.
For us, we really want to be the sort of central source of enablement materials, and we're laying out plans to be able to provide more of that documentation, whether it's, how do I get internal buy-in at my organization to make this happen? All the way till, how the heck do I implement this? Do I buy, do I build, how do I assess my tech stack in order to make decisions about this? What does a project roadmap look like? These are the things that we want to ensure we're getting out to folks just to make this easier. Because I mean, I say all the time passkeys are a no-brainer, just a no-brainer. But there are some brains needed to figure out how to make it happen within these sort of unique organizations, particularly on the enterprise side. I mean, enterprises and workforce implementations are very not straightforward. So it's really about enablement.

And I think for us moving forward, we don't see this work being done at all. We want to see this adopted in mass at scale, so enablement. And then of course, we're always sort of looking at where are there gaps in standards or gaps in certification programs where we may be of service because we do have this great membership and folks that are all at the table really dedicated to this. So we do have other strategic programs that we run and we look at whether it has to do with remote identity verification or wallets and how FIDO can fit in with identity wallets on a global scale, things like that, which are important adjacent work. Our core mission is still what it's always been, which is get rid of passwords. So I do see us working on this enablement piece for a while still.

Christine Owen:
Yeah. So you brought up certification again. I know that there's a couple of new certification programs. Can you walk through what they are and why you guys decided to add those to your repertoire?

Megan Shamas:
Yeah. So identity verification is obviously so closely coupled with authentication. I mean, if you're not, you need to onboard folks onto new accounts in a way that is sound. You don't want synthetic folks making new accounts. You also don't want folks taking over other people's accounts. So it's at the beginning and it's at the end. When I say the end, I mean account recovery. So with account recovery, I mean that is really the place where folks have the most success with passwords, but also through identity proofing technologies, which we would think of as basic KBA. All that information is available wherever. So if you knew where I lived when I was 15, great, you can get into my account, which would be weird, but you could probably find that information somewhere.
So, for us, that authentication is going to be phishing resistant. That's only a sound of these other pieces. So for us, we see really great remote identity verification technology that's available such as remote dock off paired with the selfie match and liveness detection for example. There's a lot of solutions out there around that, but there's not ways to certify these products. So you can't really, if you're somebody who wants to implement this, kind of separate the good from the not-so-good perhaps, and you'd have to kind of evaluate on your own, on a one-to-one-to-one-to-one basis. So with our remote IDV certification programs, the first, which is the document authenticity piece, and the second, which is the face piece, which we're going to announce soon in a couple months, it's not really a secret, we're going to announce in a couple months, is meant to be able to certify these products. So for us, when we're out here and we're talking about the entire life cycle of an account credential management, these are the solutions to look to in order to build out the full rounded out security for the whole life cycle of this.

So that's why we're so keen on working closely with the remote IDV vendors and getting their solutions certified so that we can really round out the whole life cycle, which is what I just said. So the other one that we do, of course, certify against FDO, which is our edge computing piece. And again, these are machines that are coming into your network. And again, we're trying to add phishing resistance and secure onboarding practices that do leverage public key cryptography again to ensure that these devices that are coming into your network are not going to be able to be intercepted or attacked, etc. So there's specific reasons why we look at these adjacent pieces and fill in those gaps. So that's what we're really sort of striving to do with the certification.

Christine Owen:
Yeah. I mean, that makes sense because for that, for machines, they're passing secrets back and forth, so it's better to pass actual certificates than a long string password, which usually is what it is.

Megan Shamas:
Yeah.

Christine Owen:
Yeah. And then I love that you guys are realizing that identity verification is important when it comes to not only account onboarding to make sure that it's a real person behind the FIDO credential, because a lot of FIDO credentials are truly given remotely, but also on the-

Megan Shamas:
It's purely that. Again, we've never said we're proving identity. We're just, we're authenticating whoever enrolled in the first place, but we're good at that, but still, these other pieces need to be found.

Christine Owen:
Exactly. And that's actually a piece that I think has been lacking for a really long time, regardless. I mean, it's a piece that is now coming into fruition, and people are waking up and realizing, "Oh, if I give this person a credential, it should probably know that that person should have that credential." Right? And then for account recovery, I think it is just exactly what's needed because the secondary options are either an ability to socially engineer the help desk, which is what we've been having a lot lately with attacks, or we can have password default or OTP default, which really then, what's the point? If that's going to be-

Megan Shamas:
I mean, they're going to be started on the help desk.

Christine Owen:
So yeah, I think that's really wonderful. And I love that you guys are realizing that. As much as FIDO, your mission is authentication, well, that's great, but authentication is one piece of a very large ecosystem that's all really important. So all right, well, I talked about RSA a little bit about how you get, a couple of years ago, every year you guys put on a little mini event at RSA. That is coming up. So what's the little teaser for what you guys are going to be doing at RSA this year?

Megan Shamas:
Yeah, RSA is a great show for us, and it's really interesting because RSA is such a broader show than our show Authenticate or Identiverse, which I know a lot of your listeners or watchers attend as well. It's broader. So for us being at RSA, we get a lot of "Who the heck are you?" at the booth. "What even is this? What are you talking about?" But over time, way less of that. So I love seeing that, whatever, from 2016 until last year and hopefully this year as well, is a lot more familiarity. I think FIDO was mentioned in one of the keynotes at RSA last year. I just like seeing that, it's just a broader ecosystem of folks.

So for us, we are running a half day seminar on the Wednesday, which is May 8th, I believe. We're adjusting our program because of that. Our program in the past, it's like four hours, so sitting through four hours of sessions is a lot to ask for anyone, including me, including who has to run it. I'm like, "Eh, it seems like a lot." So dividing the time between ... It used to be just awareness educational sessions for four hours, but for this year I divided the program up into half of updates and education. So you'll get the passkeys 101, you'll get some case studies, you'll get some updates on the platform side of support and things like that. And then the second half is really about enablement, which means folks can come and really just ask questions to our SMEs that are going to be sitting on stage. And I think we're going to do a couple of break out things so that folks can really get their actual more technical questions answered, whether it's implementation or specification related.

It's just a nice opportunity for people to just sort of gather with these folks and be able to meet them and interact with them. Because typically with a four-hour session, everything is cut in a way that there's not a ton of time for questions. And I know we'll get more attendance for either one or the other because you might fall in one bucket, you might fall in the other bucket, but you won't have to wait for four hours to ask questions. So any kind of questions we would get in the booths that are of technical nature, we just will be pointing them to this session and saying, "This is the place to be because there's going to be all the people that you'll want to talk to there." So that's how we're running that, and it's always hugely successful. It's at Moscone. I'm doing an ad for this right now, it's at Moscone on the Wednesday afternoon. Reserve your seat because we only have room for I think 300 folks, and it always is packed.

Christine Owen:
Yeah, I think the year that I went, it was standing-room only and-

Megan Shamas:
Which isn't even allowed per the fire code, so.

Christine Owen:
I mean, it was just really packed and there was no standing in the room. But yeah, and you do get, I would say, some of the superstars of identity which is really exciting too. They're a lot of fun, and they talk really fast, and then you don't understand what they're saying when they talk about technical things.

Megan Shamas:
This will give you an opportunity to ask them to clarify because we'll have more time.

Christine Owen:
Yes. Yeah. Yeah. Can you slow it down a little bit? You're talking a little too fast. But no, I think that's great. So your booth usually, I love your booth. I usually get kicked out of your booth because I hang out there too much. Will your booth have the white leather couch?

Megan Shamas:
Will we be having the lounge area? Yes, we'll have the lounge area. It's the same. We like the lounge area, and then we have the little area for meetings, so for the people that don't want to lounge. It's funny, we do get people just stopping by and just sitting on that couch. I think we had two couches last year, just people we don't even know, just hanging out there.

Christine Owen:
Yeah, you did have people we didn't know.

Megan Shamas:
Yeah.

Christine Owen:
But no, but it's good though because I would say a lot of the friends of FIDO come and hang out, and then you have people who come and ask questions and you end up having members who can answer the questions in the booth, which is really cool because it's like, "Don't just listen to me as the alliance person. Go talk to a member who has similar issues who can explain it to you as well."

Megan Shamas:
Yeah, we typically will set up office hours for certain folks that are ... For example, Shane Weeden, he is with IBM and he is just an expert in all things FIDO and having him be there to answer questions. It gives them an opportunity to also meet folks, and we do it different topics, certification, specifications, whatever. We just have different SMEs come and hang out the booth just to answer those questions. However, I still want folks to come and ask their questions.

Christine Owen:
Yeah, I mean, I love it. I love Shane too. I'm so glad you have him coming, so that's great. All right, so if there's one thing, or it could be multiple things, that you accomplished this year, what would you be most proud of accomplishing? Or have you already accomplished it? Because it's April, I don't know.

Megan Shamas:
Oh, geez.

Christine Owen:
You did it all and you're done for the year? You already accomplished your goals?

Megan Shamas:
I would say making it through it. I'm just kidding.

Christine Owen:
Same.

Megan Shamas:
I want to say something, I can't be too specific about it, but there is a major asset relating to this enablement piece that is hopefully going to be available by the end of the year. So I would say that. And again, it's about really listening to the folks that are out there deploying this technology, seeing what they want and need, and providing that to them just to make their deployments easier because they want to do it. So that.

And then, of course, Authenticate is always, we call it like our Super Bowl. Authenticate, I really try to focus ... I do run the content for our conference in October in Carlsbad, California. Registration opening soon. Actually, it will be open by the time this airs. But I think, again, focusing that content to be way more focused on individual pieces of a project journey rather than general awareness, kind of educational sessions, but really more focused tracks on each of these pieces and how to make this happen for our audiences. If I can have folks fill out the survey after, come up to me and say, "I've got so many good takeaways from this show, I'm ready to go do this," that would be amazing for me this year as well. That's a good question. Thank you.

Christine Owen:
Yeah, I think I'll say, I have gone to your show every year since its inception, and I love the show. It's a lot of fun. There's a lot of really good activities outside of the conference, but it's a great location and the people are really great who go there, and there's a lot of really good knowledge base that you guys put on, so it's really good.

Megan Shamas:
Yeah. Well, yes, it is at a resort. It is a beautiful, beautiful place to be. And that's really actually purposeful because there's so much more than sitting in sessions, talking in an expo hall. Those things are essential to a successful show, but it's the side conversations. It's inspiring a sense of community where you can go and all be in sort of one enclosed space. You go to the bar and you see whoever. You go to the gym, because we're all working out every day when we're there. It's a sense of community, and it really is, again, everyone is really dedicated and focused to this. We even had 50 ... I think half the folks were new last year, and it's really about embracing our new friends and making them part of the community, which is why we have it at that specific location. It's really ideal for that. So yeah, thank you. I know we enjoy the things that happen outside of the sessions as much as inside the sessions.

Christine Owen:
Yeah, no, it is a great place. Like you said, the people, I mean, I talked to people who I hadn't talked to before and I've been going for years and years, and you get to have stronger bonds with the people that you know. So it's really good.

Megan Shamas:
Yeah. We don't want to have a sense of exclusivity. All are welcome, all are part of this awesome community, and great just, again, group of people. I think we're going to facilitate more newbie meetups, or even have a mentor, not a mentor, but somebody to sort of be your person on site to help you, like Christine Owen, for example, to help you to navigate your way through a show like that and meet folks, and just want people to feel like they're part of this community because they are.

Christine Owen:
Yeah, no, I think that's wonderful. Well, I'll say, so this has been a lot of fun, and this is called Identiholics. So one thing that I asked you to do was bring on something, one of your favorite drinks. I think you have brought on one of your favorite drinks. What did you bring on today? It's a Coke Zero, but really it should have been a Diet Coke. Let's pretend like it's a diet Coke. Megan, especially at shows, if you see Megan, you're going to see a Diet Coke in her hand.

Megan Shamas:
Yeah, it's a thing. It is a thing. I will have it on stage with me. Is it a healthy habit? It's really not for you to make judgments about that, but it is what it is and it's a drink of choice.

Christine Owen:
Yeah, it is your drink of choice for sure. It makes me think of all the old-school Diet Coke commercials and I love it. So I today am drinking tea from an alcove because I am recovering from a very rough weekend and also an illness, so.

Megan Shamas:
Thank you for ... Yeah, I couldn't even tell, so.

Christine Owen:
I appreciate that.

Megan Shamas:
Your hostessness.

Christine Owen:
Aw. Well, Megan, as always, it's so great to see you. I can't wait to see you again at RSA, for sure. Have a wonderful rest of your week. Thank you for joining.

Megan Shamas:
Thank you for having me.

Christine Owen:
Yay.