Privacy Security

Dashlane Is Ready To Replace All Your Passwords With Passkeys (theverge.com) 37

Dashlane announced today that it's integrating passkeys into its cross-platform password manager. "We said, you know what, our job is to make security simple for users," says Dashlane CEO JD Sherman, "and this is a great tool to do that. So we should actually be thinking about ushering in this passwordless era." The Verge reports: Passwords are dying, long live passkeys. Practically the entire tech industry seems to agree that hexadecimal passwords need to die, and that the best way to replace them is with the cryptographic keys that have come to be known as passkeys. Basically, rather than having you type a phrase to prove you're you, websites and apps use a standard called WebAuthn to connect directly to a token you have saved -- on your device, in your password manager, ultimately just about anywhere -- and authenticate you automatically. It's more secure, it's more user-friendly, it's just better. The transition is going to take a while, though, and even when you can use passkeys, it'll be a while before all your apps and websites let you do so.

Going forward, Dashlane users can start to set up passkeys to log into sites and apps where they previously would have created passwords. And whereas systems like Apple's upcoming implementation in iOS 16 will often involve taking a picture of a QR code to log in, Dashlane says it can make the process even simpler because it has apps for most platforms and an extension for most browsers.

  • So... (Score:5, Insightful)

    by NagrothAgain ( 4130865 ) on Wednesday August 31, 2022 @07:26PM (#62841613)
    ... they want us to change from "something you know" to "something you have" (or rather, that they have.)
    • Re:So... (Score:5, Insightful)

      by TheGavster ( 774657 ) on Wednesday August 31, 2022 @07:34PM (#62841643) Homepage

      ... they want us to change from "something you know" to "something you have" (or rather, that they have.)

      Came here to say this. How many loops of "cool convenient service -> annoying new feature -> evil now, but you're locked in" do we need to go through?

    • by tdailey ( 728882 )

      Isn't this just private / public key pairing that has been around for decades? What *they* (the websites) have is the public half of your key pair. That doesn't give them any more power than having your password on file. In fact, it maybe makes them less dangerous, because if their database of passwords is stolen, people who use the same password elsewhere are put at risk. But a stolen database of public keys is just that; public keys, which are intended to be shared.

      • Re:So... (Score:5, Insightful)

        by usedtobestine ( 7476084 ) on Wednesday August 31, 2022 @09:35PM (#62841863)

        No, but once they integrate with other companies they will be able to ID you. Also, unless you generate a new keypair for every single site, you'll be able to be tracked everywhere no matter where you log in from: PC at home, phone on a train, tablet in the hotel room with your other girlfriend.

    • This isn't necessarily a bad thing. It's how most of us protect our homes and our cars, and even how we get into our workplaces. In each case, we *have* a key. Sure, some places use a number keypad for entry, but this is less common. Generally speaking, something you *have* is a decent security mechanism.

      • In the physical world, sure, but in a digital one, if someone gets a good enough look at your "key", they have your key?
        • Physical world keys have this same vulnerability. If you leave your house key on your desk, I can pick it up, take it to a hardware store, and duplicate it in 5 minutes. Despite that, we don't think of a house key as being vulnerable. Instead, we make sure we keep it in a safe place.

          Every security method has vulnerabilities. "Something you have" is certainly not more vulnerable than "something you know." If in the digital world, someone gets a good enough look at your password, they can use it much more eas

    • by AmiMoJo ( 196126 )

      The "something you know" part has proven to be a problem, because humans are not very good at knowing things like long, high entropy passwords. So instead they end up using a password manager, or the same password everywhere. The "something you know" part becomes the weak link.

      Also note that many security keys offer PIN or biometric authentication too, so they are actually 2 factor by themselves. Pixel phones have such a key built in (which can be used over Bluetooth), and Yubikeys support unlock PINs (and

    • How is this different from them having a list of 20 character, random garbage passwords? My password manager has almost no human readable passwords in it - I couldn't tell you a single one of them without looking it up. The same will be true of these keys.

      These keys are somewhat better though, because the place I log on to won't have the same password. They'll have the public part of the key, and we'll exchange a bit of encrypted data. Thus, if they get hacked and lose their entire user database, a hacker s

  • Practically the entire tech industry seems to agree that hexadecimal passwords need to die

    That seems like they're artificially limiting the available key space.

  • Lose the phone? (Score:5, Insightful)

    by merde ( 464783 ) on Wednesday August 31, 2022 @07:37PM (#62841647)

    So when you lose your phone, the finder can log in to all your saved bookmarks, access your bank account, email, message history involving your wife, message history involving your girlfriend, Bitcoin wallet and so on without even having to guess your password.

    Or maybe we protect all this with a hugely complex master password that you'll never remember so you have to write it on a sticky and keep it on the back of your phone.

    • Supposedly biometrics are required for the system to work. And according to Apple's Passkey FAQ the keychain can be recovered through a username, password and SMS two-factor code. It means you have to convince your carrier of your ID somehow so the phone can get replaced.
    • Or maybe we protect all this with a hugely complex master password that you'll never remember so you have to write it on a sticky and keep it on the back of your phone.

      Or a master passkey -- that you'll have to store in another app, that will require a passkey to access ... :-)

      [Turtles all the way down.]

    • Writing passwords on a piece of paper is actually not terrible compared with all the other alternatives.
      For a start, it's not visible to hackers, and a trivial bit of obfuscation would puzzle most thieves, even if they found the piece of paper.
      I agree a note stuck to the laptop/phone is a bad idea, that's kinda like taping your house key to the door!

      Phones lock fairly well with fingerprints, a numeric key or gesture. This is pretty secure, if hardly unbreakable. But certainly a reasonable defence against ca

      • by AmiMoJo ( 196126 )

        If you have an Android phone, take a look at Wasted on the F-Droid repo. You can set a duress password that wipes your phone. Write that on a bit of paper and stick it in your phone case or somewhere else a thief will find it.

      • If they weren't so desperate to lock you into their closed garden, they could just use a BIP39 type of way to generate a key with paper backup.

        They could still cosign responses with a manufacturer key if the site wants to make sure you are using an approved security device, but that should be optional. AFAIK U2F does allow self signed manufacturer keys, but even solokey doesn't have a function for backup of your keys.

    • by AmiMoJo ( 196126 )

      I use a long password and fingerprint to unlock my phone, but even so all my banking apps require me to enter the password or fingerprint yet again before they will let me in. So if someone steals my phone there is basically no way they are getting into any of my stuff, let alone bank accounts.

      Of course, as soon as I notice it is missing, which will be very quickly, I'll remotely lock out the fingerprint and start tracking its location, with the info handed to the police. Their only hope is to wipe it via t

  • So do I need to worry about malware scanning devices for passkeys in compromised keychain implementations? I am assuming the passkeys are only as safe as the password manager granting access to them.
    • I am assuming the passkeys are only as safe as the password manager granting access to them.

      And you would be right.

      But is there a better way?

  • by devslash0 ( 4203435 ) on Wednesday August 31, 2022 @09:01PM (#62841797)

    My mind is the ultimate password vault that is reliable, resilient and cannot be broken into unless I'm being interrogated by the best Russian agents using torture.

  • I absolutely abhor the 2FA's that make me use a secondary device to log in. This seems to do away with the real user-friendly method of logging in (by using a password that I memorized) and forces me to use the annoying way (an external device) every single time.
    How can you call this more user-friendly?
    • I absolutely abhor the 2FA's that make me use a secondary device to log in.

      So do I. My dog goes berserk when my phone rings to tell me a passcode.

    • So Apple, they sync passkeys across devices.

        • Parent talks about when you open your email in a browser tab and it asks you to enter an authentication code sent as SMS or obtained in an application. Using Apple or Android or anything else does not reduce the annoyance.

        • Getting rid of that mess is the whole point of webauthn combined with cross device syncing of passkeys.

          Webauthn turns the phone authentication into authentication on a single computing device, with either a dongle or an integrated secure domain. Cross device syncing allows multiple registered devices sharing passkeys without having to move dongles around, with higher authentication requirements for registering a new device.

          Authentication with what you have, a registered device, combined with what you know,

    • This is why I like Yubikeys or FIDO authentication. Use your username, password, press button on the auth token, done. As an added bonus, there are no shared secrets for a site to steal. From there, having a TOTP backup key is nice, just in case you misplaced your YubiKey.

  • Dashlane might be a good idea until they get hacked and their clientele's phones are broken into.