Companies aim to replace traditional passwords by introducing new authentication methods to verify the user’s identity. This helps combat the risk of phishing attacks, password theft, or keylogging attacks, enhances the security of users’ accounts, and makes the sign-in process more convenient. Companies aim to standardize sign-ins using a method that users already use to sign in to their devices, which is more secure than SMS one-time codes.
Tech giants are exploring more secure alternatives, one of which is passkeys that only use biometric data to unlock your device and access your account with a passwordless experience, which is the next big thing in online security. It’s still in the early stages, and top password managers like Dashlane and 1Password sync it to all your devices, but it will be a while before they become universal. Passkey doesn’t depend on an ecosystem or require a specific device.
Ahead of World Password Day, this has been announced as part of their initiative to move towards a passwordless future. This is faster, stronger, and more secure than passwords, which are vulnerable to hacking and cyberattacks. Also, passwords are often weak and easy to guess or steal, and they can be compromised in data breaches. The private key stored on your device can’t be intercepted, and hackers can’t use it to identify anything or log into your account.
With future updates and support for passwordless unlock using other authentications, biometric authentication will make the login process more secure and convenient for users. This is more convenient for users, as they no longer require or must enter a master password every time they access the password vault. This feature is quite similar to iCloud KeyChain, which uses end-to-end encryption to keep your password private. It was announced at WWDC 2022 in June and is rolling out to iOS 16, iPadOS 16, and macOS Ventura.
Dashlane’s Passwordless Login
The company teased this earlier, and now it is finally developing a new feature that allows access to passwords without requiring users to enter a password. Dashlane still has a master key, but with the new passwordless login solution, the company will use device-based or biometric authentication, which includes facial recognition or fingerprint scanners, which means this uses a cryptographic key to authenticate users without requiring them to enter the master key.
Dashlane’s passwordless login differs from passkeys, announced by the FIDO Alliance, backed by major tech giants Apple, Microsoft, and Google. Dashlane uses cryptographic keys, whereas Google’s Passkey uses the FIDO2 standard. The company’s CPO, Donald Hasson, said they hadn’t used FIDO2-based passkeys for passwordless login because it wasn’t ready for the masses. Dashlane is also available as a browser extension, which makes it difficult to offer because of ecosystem limitations. I’m talking about Apple’s iCloud Keychain, designed to work specifically within the Apple ecosystem. Dashlane opted for device-based or biometric authentication to avoid fragmentation and interoperability issues.
The company wants to avoid being locked into one ecosystem with passkey authentication, so they are finding a solution to start working across different operating systems. In the future, the company may add an option to allow users to unlock their vault using passcodes, similar to what 1Password plans to add in the coming months. It will be available on the mobile application, with multiple layers of authentication. First, users are prompted to enter a PIN, and then they can use the device’s biometric authentication. This eliminates the need for a master password while also ensuring that it is safe and secure.
The company is also taking other things into account. If users lose or change their device, they can recover their account from another device or use a recovery key option to have access somewhere else. Do note that free users can only have Dashlane on one device at a time. Google’s upcoming version of Android will support third-party password managers and passwordless authentication. After Google supports passkey protection, the industry will get a boost towards passwordless authentication.
Google’s Passkey for Passwordless Login
Google has been working on this for a long time. With the new authentication method, you don’t need a password; you just need to authenticate because the cryptographic key is locally stored on your device. This even works and doesn’t require 2-Step Verification (2SV), an additional layer of security where users need to enter a code sent to their phone or email address. As we mentioned, a locally stored key is used to verify your device using biometric verification, such as a PIN code, fingerprint, or face recognition.
Google launched its native solution as a secure alternative to traditional passwords. Passkeys brings support to Google Accounts and will soon be available to Workspace accounts (formerly G Suite, which includes business and enterprise users). This includes 2-Step Verification (2FA). The company recently updated its Google Authenticator with support for cloud sync to have a backup so you won’t be locked out of your account. By pairing your device, the device will generate two unique cryptographic keys. One is the public key registered with Google’s service; the other will be stored locally on your device.
This is quite similar to Microsoft account authentication. Additionally, if you want to enable it for your Google Account, you can head over to the Google Account website to enroll yourself. Once you have successfully enabled the Passkey, set it up on a supported device. For example, if you have enabled it on a Windows PC with a password for the first time, a QR code will appear that you can scan on your device to finish the setup. You will only be prompted to create a password on your PC that you can use in the future.
To set up a password:
- Open the Google Passkey page, which will prompt you to enter your Google account.
- After that, click on the “Use Passkey” button, and then click on “Create a passkey for your Google account.” Then tap the “Continue” button to create a password on your device. However, if you have already set up a password on a different device, click the blue “Use another device” button.
- They will ask you to authenticate using biometric data, a PIN, or a password.
- Then it will create a password. On the screen, tap on the blue “Done” button.
This is an optional security feature for Google accounts to log in on multiple devices. The company will start rolling out the passwordless sign-in process across all major platforms for all its services. This means the company will start promoting passwordless login and will have the option to use a password instead of a password when logging in. This will ensure that only logging in from trusted devices and their account credentials are not being shared or stolen. Google has rolled out Passkey support for Android and Chrome and appears in Android 14 Developer Preview 2.
Not to mention, Google’s apps and services still support passwords. You can still use your traditional password to access your Google account. If you lose your device, you can revoke this from the Google account password in settings, but it is also recommended to wipe it. Google Passkey is available on all devices by enrolling in their Additional Protection Programme, and this will also be synced across logged-in iCloud services for users of Apple devices, which makes it easier for users to upgrade from one device to another.
Supported devices:
- Google with Chrome 109+, Android 9+, and ChromeOS 109+
- Apple: Safari 16+, iOS 16, and macOS Ventura
- Microsoft Edge 109+, and Windows 10/11
Passkeys on iOS and Mac devices sync with iCloud Keychain. As it is a supported feature, the integration is compatible with Apple devices that support the feature and other devices that support the industry standard. This means it is also supported on Apple devices, where logins are authenticated with Face ID or Touch ID. Some other supported apps and websites include PayPal, Best Buy, eBay, Kayak, and Dashlane. Service-side support for passkey login is currently limited but will increase shortly.
You can also use a hardware security key like a YubiKey to make it more secure and convenient, or any physical security key like a USB key or Bluetooth-enabled device for users. Google’s Password Manager can also sync and save other Google accounts, like Gmail and YouTube, making it easier for multiple services.
1Password
The company has joined the FIDO Alliance, and this password management tool allows users to organize and promote passwordless authentication solutions. With the new solution, even if your account gets hacked, there is no chance the attacker will have access to the user’s vault since the encryption key for the user’s vault is not stored by 1Password. The company offers support for storing and auto-filling passkeys, which will be available later this summer.
Password Manager for Google Chrome
After all the passwordless logins, Google Chrome updated with a new password manager, which could be a good alternative to password managers since it has a native built-in password manager utility in popular browsers like Google Chrome. This free password manager could easily help you log in to your favorite websites without remembering each password.
This is not one of the most secure password managers, but you can save passwords on the Google Password website. To use this feature, download and install Chrome Canary v115.0.5742.0. You can find the new badge for the Password Manager in the settings. This includes the autofill and password menu and is expected to roll out to the stable version of Chrome.