Passwords die, long live security keys. Virtually the entire tech industry seems to agree that hex passwords must die, and the best way to replace them is with the cryptographic keys known as access keys. Basically, rather than asking you to type in a phrase to prove you’re you, websites and apps use a standard called WebAuthn to sign in directly to a token you’ve saved – on your device, in your password manager basically anywhere – and authenticate you automatically. It’s more secure, it’s more user-friendly, it’s just better.
The transition is going to take some time, however, and even when you can use access keys, it will take some time before all your apps and websites allow you to do so. But Dashlane is trying to shake things up by announcing today that it’s integrating passkeys into its cross-platform password manager. “We said, you know what, our job is to simplify security for users,” says JD Sherman, CEO of Dashlane, “and this is a great tool to do that with, so we should really think about ushering in that era. without password.
Going forward, Dashlane users can start setting up access keys to log in to sites and apps where they would have previously created passwords. And while systems like Apple’s upcoming implementation in iOS 16 will often involve taking a picture of a QR code to log in, Dashlane says it can make the process even easier because it has apps for most platforms and an extension for most browsers.
To demonstrate, Rew Islam, Software Engineer at Dashlane, shared his screen with me via Zoom and opened the WebAuthn website – so few apps support passkeys that the standard website is the best way to test them – and typed in his email address to register a new account. “At this point, you would do your dance with the phone, you would scan a QR code, but here in the corner Dashlane says to you, ‘Hey, you want to create a new key with Dashlane?’ And you click on confirm and it’s done.
Password technology works, says Islam. It’s been around for a while, and companies have been testing it and starting to implement it for several years. The biggest challenge for the industry has been to get everyone on board with the same model for the future of authentication, which has actually happened – Google, Apple, Microsoft and others bet all on the same underlying passkey technology, operated by the FIDO Alliance. Apple adds passcode support to iCloud Keychain, allowing users to log into their devices and apps simply by authenticating with Touch ID or Face ID; Google is also planning passkey support in Android and Chrome. Microsoft has been developing support for access keys for some time, using Windows Hello and other authentication tools.
Ultimately, competition with tech giants could be a problem for Dashlane and other password managers – it’s hard to top the built-in software that Google, Apple, and Microsoft may bundle with their devices. But for now, Dashlane is happy to have the world’s biggest companies, and their commensurately large marketing budgets, telling the world about security keys.
“FIDO and the big three platform providers have been doing a lot of marketing, a lot of messaging, to get people off this drug that’s ‘okay, type in my password,'” Islam says. “It has nothing to do with technology – it’s culture and user behavior.”
And yes, the competition will be tough, says Sherman, but isn’t that always the case? “Technology is changing and the big platforms have a lot of power. I have never worked in an industry where this was not the case.
As more platforms authenticate with passkeys, Islam says this will also facilitate adoption. He points out that most of these companies hate passwords as much as users and have plenty of incentives to make the switch. The main sticking point for now is mobile; Android and iOS have passkey support, but Islam says he expects third parties like Dashlane won’t have access to mobile passkey technology until next year at the earliest. .
The next few months will almost certainly be a season of security keys, as security apps of all kinds start supporting them, and apps start letting you use them. The FIDO Alliance is a who’s-who of companies you’d want to invest in, and with so much technology installed, it’s just a matter of implementation now. Passwords aren’t dead yet, but we know what will kill them. And it’s slowly coming to life.