PKI is used extensively in the U.S. federal government. However, it has not caught on in the business and commercial sectors. Why is this the case? In your opinion, what is the future of PKI? Do alternate methods such as those proposed by the FIDO Alliance (URL: https://fidoalliance.org) offer a viable alternative to PKI?
PKI hasn't caught on in the business or commercial sectors because it has too many components and requires too many resources to continually utilize it and to justify using it in lieu of something else. PKI requires multiple Certification Authorities to issue certificates, which have to be protected by hardware security modules. The cost can range between $75k and $125k, depending on how many of the components you need to set it up. The government has more resources available than the private sector and can more comfortably spend those resources on PKI. Since it allows for a high level of security and can be scaled to the level the government might require, it can be used more comfortably by the government than by the private sector.
I think that as technology advances, better alternatives for generating and utilizing public keys, or something similar, will become available. The security and scale of PKI are currently sufficient, but eventually better alternatives will be found, potentially alternatives like FIDO. Essentially, FIDO seeks to expand on password authentication and, in most cases, to get rid of it entirely. Thumbprint verification, two-step authentication, and in extreme cases multi-step authentication involving facial scans, voice recognition, and security keys are examples of alternatives. While some of them can currently be fooled with technology, I think it will eventually advance enough that PKI can be comfortably meshed with it, lowering security costs without relying so heavily on PKI while still being secure enough to protect people and networks.