Passwords are dying, long live passwords. Virtually the entire tech industry seems to agree that hexadecimal passwords need to go and that the best way to replace them is with cryptographic keys known as passkeys. Basically, instead of you typing in a phrase to prove it’s you, websites and apps use a standard called WebAuthn to connect directly to a token you’ve saved (on your device, in your password manager, ultimately anywhere) and authenticate you automatically. It’s safer, it’s easier to use, it’s just better.
However, the transition will take a while, and even once you can use passkeys, it will be a while before all your apps and websites allow you to do so. But Dashlane is trying to help things move forward and announced today that it is integrating passkeys into its cross-platform password manager. “We said, you know what, our job is to make security simple for users,” says Dashlane CEO JD Sherman, “and this is a great tool for doing that. So we should think about ushering in this passwordless era.”
Going forward, Dashlane users can start setting up passkeys to log in to sites and apps where they would have previously created passwords. And while systems like Apple’s upcoming implementation in iOS 16 will often involve taking a picture of a QR code to log in, Dashlane says it can further simplify the process because it has apps for most platforms and an extension for most browsers.
To demonstrate, Rew Islam, Director of Engineering at Dashlane, shared his screen with me via Zoom, opened the WebAuthn website (so few apps support passkeys that the standard’s website is the best way to test them) and typed an email address to register a new account. “At this point, you would do your phone dance, scan a QR code, but here in the corner, Dashlane says, ‘Hey, do you want to create a new key with Dashlane?’ And you click confirm and that’s it.”
Passkey technology works, says Islam. It has for a while, and companies have been testing it and beginning to implement it for several years. The biggest challenge for the industry has been getting everyone on the same model for the future of authentication, which has actually happened: Google, Apple, Microsoft and others are betting on the same underlying passkey technology, managed through the FIDO Alliance. Apple is adding passkey support to iCloud Keychain, allowing users to sign in to their devices and apps simply by authenticating with Touch ID or Face ID; Google is also planning support for passkeys on Android and Chrome. Microsoft has been developing support for passkeys for some time, using Windows Hello and other authentication tools.
Ultimately, competing with the tech giants could be a problem for Dashlane and other password managers: it’s hard to beat the built-in software that Google, Apple, and Microsoft may ship with their devices for convenience. But for now, Dashlane is happy to have the world’s largest companies, and their commensurately large marketing budgets, telling the world about passkeys.
“FIDO and the big three platform providers have done a lot of marketing, a lot of messaging, to get people to leave this drug saying ‘okay, type my password,’” says Islam. “That has nothing to do with the technology, it’s the culture and user behavior.”
And yes, competing will be tough, says Sherman, but isn’t it always? “Technology is changing and the big platforms have a lot of power. I’ve never worked in an industry where that wasn’t the case.”
As more platforms authenticate with passkeys, Islam says, that will also help with adoption. He points out that most of those companies hate passwords as much as users do and have a lot of incentive to make the change. The main stumbling block for now is mobile; Android and iOS are getting support for passkeys, but Islam says he anticipates third parties like Dashlane won’t have access to mobile passkey technology until next year at the earliest.
The next few months will almost certainly be passkey season, as security apps of all kinds start to support them and apps start to let you use them. The FIDO Alliance is a who’s who of companies you would want invested in the project, and with so much of the technology figured out, now it’s just a matter of implementation. Passwords aren’t dead yet, but we know what will kill them. And little by little it comes to life.