When adopted by the W3C in 2019, the FIDO2 standard for passwordless authentication was touted as a replacement for passwords on the web. With FIDO2, users leverage passkeys (cryptographic credentials) to authenticate to websites. Even though major operating systems now support passkeys, compatible hardware is now widely available, and some major companies now offer passwordless options, both the deployment and adoption have been slow. As FIDO2 has many security and usability advantages over passwords, we investigate what obstacles hinder companies from large-scale deployment of passwordless authentication. We conducted 28 semi-structured interviews with chief information security officers (CISOs) and authentication managers from both companies that have and have not deployed passwordless authentication, as well as FIDO2 experts. Our results shed light on the current state of deployment and perception. We highlight key barriers to adoption, including account recovery, friction, technical issues, regulatory requirements, and security culture. From the obstacles identified, we make recommendations for increasing the adoption of passwordless authentication. _bs
Usenix Security Symposium (USENIX-Security)
2024-08-14
2024-10-08