At RSA, our mission has always been to eliminate the weak links in digital security. Today, we’re thrilled to announce a significant milestone in this journey: the preview of our mobile FIDO solution, available in RSA Authenticator app V4.4 for iOS and Android. RSA ID Plus is a FIDO2-certified server, and with this milestone, our authenticator app for iOS and Android is now a FIDO2-certified authenticator.
This marks our commitment to pioneering secure, intuitive, and seamless user experiences—and our quest to eradicate passwords once and for all.
Passwords have long been a critical vulnerability in cybersecurity, relying on human memory and discretion, which often leads to weak, reused passwords. For a long time, we have supported passwordless solutions like QR code, biometrics, One-Time-Passcode, or FIDO2 certified hardware authenticators like the RSA DS100 to address these vulnerabilities.
This latest milestone brings secure passwordless to enterprises by adding device-bound passkey support (Mobile FIDO) to our RSA Authenticator app, providing a secure, user-friendly alternative that removes cybercriminals’ favorite vulnerability, enhances organizational security, and keeps users connected and productive.
Passkeys have received a lot of attention, both because of commitments from Facebook, Apple, and Amazon for a more consumer-facing solution and because the FIDO Alliance adopted the term ‘passkey’ for any type of FIDO credential. That’s led to some confusion about what exactly an organization means when it uses the word ‘passkey’ which we’ve tried to clarify.
The most important distinction we’ve found is the difference between device-bound and synced passkeys:
- Device-Bound Passkeys: This type of passkey is created securely and stored on a single device. The private key never leaves the device, ensuring a high level of security. Device-bound passkeys minimize the risk of key exposure and provide robust protection against phishing and other cyber threats. This means the passkey cannot be used on another device without manually registering it again, making it the ideal option for enterprise and public sector organizations. These solutions are phishing-resistant and offer a higher degree of security.
- Synced Passkeys: Synced passkeys are stored and synced across multiple devices via cloud services, providing the convenience of accessing services across different devices without needing to register each one individually. They also allow for passkey recovery if the host device is lost, stolen, or replaced, which is especially useful as users often upgrade their mobile phones every couple of years. While this improves user convenience, it requires robust security measures to protect the synced passkeys in the cloud. Synced passkeys may be suitable for consumer use, but they may not offer the same level of security required for federal and enterprise environments.
By implementing a device-bound passkey solution within the RSA Authenticator app for iOS and Android, we help strengthen our clients’ Zero Trust framework, ensuring a deeply integrated and straightforward path to phishing-resistant passwordless authentication. This technology eliminates the weaknesses of traditional passwords, offering a seamless and intuitive user experience.
Philip Corriveau, our head of UX, emphasizes why this development is important: “At RSA, we believe that security should not be a barrier but a seamless part of the user experience. With device-bound passkeys support within the RSA Authenticator app for iOS and Android, we’re not just enhancing security; we’re transforming how users interact with their digital identities.”
Device-bound passkeys provide several layers of security that neutralize common attacks:
- Phishing: Since the private key never leaves the device, attackers cannot intercept or steal it through phishing attempts. It is technically impossible to phish the passkey directly from a user’s device. While bad actors may attempt to phish access to the cloud to download a copy of the key, the private key itself remains secure on the device, preventing most attacks from succeeding.
- Social Engineering: With device-bound passkeys, the private key is not sharable or extractable. Users do not need to access, remember, or handle the private key, which significantly reduces the risk of social engineering attacks. Attackers cannot trick users into revealing something they do not have access to.
- Adversary-in-the-Middle: Even if an attacker intercepts the communication between a service and the authenticator, they cannot use the public key alone to gain access.
While nearly every organization in every sector can benefit from Mobile FIDO, the solution may be especially valuable for government agencies striving to meet the presidential cybersecurity mandate and comply with Executive Order 14028 by the end of the fiscal year.
EO14028 requires government agencies to use passwordless, phishing-resistant solutions to authenticate their users. It’s a critical component of modernizing and defending critical infrastructure—but it requires government agencies to act quickly and implement a proven solution.
“The FIDO2 certified, device-bound passkey from RSA is a significant asset for federal agencies striving to meet the presidential mandate and the FY2024 deadline,” said RSA Federal President Kevin Orr. “More than checking a box, RSA can bring decades of security-first pedigree and a unified, scalable, user-friendly solution that can enhance collaboration for the public sector.”
Our mobile FIDO solution is a crucial step toward delivering a consistent and seamless passwordless experience from start to finish.
RSA Authenticator app V4.4 for iOS and Android supports Mobile FIDO as a technical preview. Mobile FIDO capability will be generally available with the RSA Authenticator app V4.5 for iOS and Android. This version, due in Q4 of 2024, will include additional enhancements and a streamlined user experience.
If you’re interested in testing the preview mode or want to know more about our plan for general availability, please contact us.
At RSA, we are at the bleeding edge of passwordless technology. Our relentless commitment to innovation drives us to create solutions that redefine digital security. We’re paving the way for a more secure and user-friendly world by transitioning to a passwordless environment.
We are excited to continue this journey with you and look forward to making our Mobile FIDO solution generally available as part of V4.5. Together, we can set new standards for the industry and lead the charge toward a future where security is both secure and intuitive.
Stay tuned for more updates and insights as we continue to lead the charge toward a passwordless future.