Co-authors: Rew Islam and Corentin Mors
We just got back from the Authenticate 2022 Conference, which is “the industry’s only conference dedicated to the who, what, why, and how of user authentication, with a focus on the FIDO standards-based approach.” If that sounds complicated, it’s because it is. But we soaked up some great insights about passkeys, passwordless authentication, and multifactor authentication, and as Dashlane’s authentication experts, we’re here to help you make sense of it all.
Here are our top five takeaways on the future of authentication.
One of the biggest changes happening in authentication is the move from passwords to passkeys. Simply put, a passkey is a passwordless login credential built on the FIDO standards. Instead of a secret that you type and the website stores, it uses public-key cryptography: you set up an “authenticator” to generate a passkey, a pair of related cryptographic keys. The private key stays on the authenticator and is used to sign a login challenge; the website only ever holds the matching public key, which it uses to check that signature.
An authenticator can be your smartphone, another mobile or desktop device, or a password manager that supports passkeys. The important thing is that it’s something that stays with you—and only you.
While no authentication method is completely foolproof, several factors make passkeys more secure than passwords:
Few websites currently support passkey-based authentication, but that is expected to change as major tech companies implement it on their platforms. Apple has already implemented passkey support in iOS 16, iPadOS 16, and macOS Ventura for apps and websites, and Google has announced plans to implement passwordless support in Android and Chrome OS as well.
There’s no need to panic about abandoning all your passwords and changing your authentication methods right this second. There will likely be a long transition period between passwords and passkeys, so using either of them is a valid option for the foreseeable future.
For those who are interested in the new technology and want to get a jump on it, certain websites, like PayPal, have already started supporting both passwords and passkeys on Apple devices. If you’ve logged in to PayPal in the U.S. recently, you may have noticed a prompt suggesting you migrate to a passkey, and new users will be guided to passkeys first.
Many platforms that don’t yet support passkeys are already doing something similar: apps like Discord, Outlook, WhatsApp, and more let you log in on one device by scanning a QR code with another device where you are already signed in. Password managers that support passkeys could simplify this cross-device flow even further in the future.
User experience is always crucial, and nowhere is this more true than in the passwordless experience. Delivering a painless experience could make or break adoption as passwordless authentication gains more steam. While password managers already make things simple by autofilling your logins, it remains to be seen what the passwordless user experience will be on each platform and password manager.
The good news is that the major passwordless players are already taking this into consideration. The FIDO (“Fast IDentity Online”) Alliance—a group that has been working on authentication standards and technologies since 2013—recently shared its new design system to help the industry get on the same page and simplify the experience to increase adoption.
Password managers will continue to be an essential tool for keeping your accounts safe in the passwordless future.
There are a few key differences between authenticating on mobile devices and desktop devices. Apps are the go-to method to access content on mobile, while most content is accessed with a browser on desktop. Typically, a mobile app signs in with the passkey the first time and then keeps its own session; after that, re-authentication is usually a local device biometric check, like a fingerprint, which is the same gesture that unlocks the passkey and one most mobile users are already familiar with.
On desktop browsers, using passkeys may be more confusing. There are a variety of browsers available, and each combination of browser and operating system will have its own unique passkey experience. This is where password managers can help provide a consistent user experience across different browsers and operating systems.
For this reason, some authentication experts think password managers should have more control over the experience of passkeys on desktop, and we agree.
Multifactor authentication (MFA) and two-factor authentication (2FA) provide an added layer of security, but this technology could be improved. Many people are used to approving push notifications every time they pop up and tend to do it on autopilot. This is often called MFA fatigue, and an attacker who repeatedly triggers push prompts until the victim approves one was partly responsible for the recent Uber breach.
To combat this fatigue, MFA should be combined with a requirement to confirm intent, so users need to stop and think for a second before moving through. For example, during the push notification process, Google shows a number on the screen where the login is happening and asks you to tap the matching one of three numbers on your phone (sort of like a CAPTCHA). It’s really simple, but it’s just enough of a process to make you think, “wait a minute, I’m not trying to log in to Google right now…so who is?!” It also means that blindly tapping the prompt no longer approves a login you did not start.
Authenticate 2022 was an insightful conference and the information that was discussed reinforced that Dashlane can help you future-proof your logins. We recently launched integrated passkey support, making us the first in the industry to offer an in-browser passkey solution.
Whether you use passwords or passkeys, you can store them in Dashlane and automatically log in across websites. And our patented zero-knowledge architecture means no one except you can access your logins (not even us).