Interview: Is It Time To Replace Passwords With More Secure Passkeys?
John Bennett, CEO of Dashlane, explains why passkeys are more secure than passwords, and what is needed to achieve a passwordless future.
Is it finally time to ditch passwords? For decades now, the default security for devices and online accounts has been a username and password. But passwords can be a major headache. They’re a hassle to remember and manage, and – thanks to compromise by password-cracking malware and phishing scams – they’re also not very secure.
Password theft can be absolutely devastating in the enterprise, where a data breach can lead to major reputational damage, costly remediation actions, and large fines from data privacy regulators. “Companies increasingly are spending enormous amounts of resource and investment in technology and security solutions,” John Bennett, CEO of password management provider Dashlane, tells Expert Insights. “But a single compromised password can bypass or undermine all of that investment.”
Dashlane is a member of the FIDO Alliance, a consortium of hundreds of companies working together to push the industry toward a passwordless future. Last year, FIDO members Apple, Google, and Microsoft took a major step toward replacing passwords by announcing support for a new system that enables a completely passwordless login process: passkeys.
What Are Passkeys, And How Are They More Secure Than Passwords?
Using passkeys, you can log in to online accounts without ever needing to create or remember a password. When you set up an account with passkeys, a pair of cryptographic keys is generated: one public and one private. The public key is stored by the online app, while the private key is kept secure and secret by your chosen authenticator. This authenticator can be your Windows, Android, or Apple device, a FIDO-supporting hardware key, or a password management service.
“Passkeys are designed to be phishing resistant, and a replacement for passwords,” Bennett explains. “Their intent is to provide not only a more secure, but a faster and more seamless login to websites and applications across user devices… What I’m really excited about passkeys is, if we can really make this a seamless, delightful user experience, it’s going to make people’s lives so much more secure.”
For hackers, passkeys effectively close the floodgates for password-theft attacks. For a hacker to bypass passkeys, they would need to physically steal the local device and be able to unlock it, Bennett explains: “You’ve got to compromise the users’ device and the biometrics and PINs they’re using, to get to those passkeys.” For this reason, passkeys are by their very nature “phishing resistant.”
Can Passkeys Replace The Password?
We’re on an exciting journey with passkeys, Bennett says, but it’s still early days. Since Google, Microsoft, and Apple made their joint announcement, adoption of passkeys by online apps has been slow, and more work is needed to push end users towards adoption of passkeys.
“Like a lot of technology adoption, it’s not going to happen overnight,” Bennett says. “Passwords and passkeys are going to co-exist for some period of time. Think about how long it took for us to go from primarily making purchases with cash, to credit cards, to now using things like Venmo and digital wallets. It’s taken decades to make that transition.”
One of the most important factors in the widespread adoption of passkeys is ensuring they are completely seamless for the user. Unfortunately, one problem with passkeys today is that they are not easily transferable across different operating systems. Android and iOS devices, for example, need to store and maintain their own set of passkeys for each application. There are workarounds, such as sharing passkeys via Bluetooth between devices or using QR codes, but this is hardly a seamless user experience compared to the ease of typing a password.
There are three critical things the big tech providers need to do in order to address these concerns and improve adoption of passkeys, Bennett argues.
First, a firm, continued commitment to the FIDO Alliance to drive user confidence. Second, accepting the reality that passkeys will need to be seamlessly available across different ecosystems and building that into the technology. Finally, and most importantly, continuing to work with smaller authentication providers like Dashlane, who can help improve the user experience of passkeys by enabling seamless cross-platform support.
“There’s still a lot of things we have to work through in terms of some of the technology. Commitment to listen to the smaller players like Dashlane, that have more user experience in terms of how to allow users to manage these credentials and manage these passkeys—I think that’s going to be really important.”
Big tech providers are now enabling support for users to store passkeys directly in a third-party service. Apple, for example, is going to introduce third-party passkey support in the next version of iOS. This means users can store passkeys in a third-party credential management service, and seamlessly log in from app to app without having to re-authenticate their passkeys across different devices and operating systems.
Passkeys In The Enterprise
Cross-platform support will be absolutely critical to driving passkey support in the enterprise, where users need to be able to share credential access and log in on multiple devices, and admins need to be able to govern access policies. Passkeys are a natural evolution of existing enterprise trends away from passwords—including single sign-on solutions and other identity management solutions—and there are some “significant advantages” for businesses and organizations that can adopt passkeys, Bennett explains.
“When we talk about bad actors, we think about nation state sponsored actors who are organized, but a lot of threats come from internal employees or former employees. And one of the things that facilitates that is that it’s fairly easy to take credentials. As you leave the company, you can bring credentials with you.”
Passkeys can make it much easier for IT admins to have granular control over onboarding and offboarding, ensuring that access to corporate accounts is revoked when an employee leaves a company. Support from organizations like NIST (National Institute of Standards and Technology) will be important for driving business adoption, Bennett argues, but so too will be credential management functionality offered by password managers already trusted in the enterprise space.
“A lot of businesses today go to companies like Dashlane and other password managers to […] manage these types of credentials,” says Bennett. “They trust […] our ability to come into a business and to be able to allow for the creation, support, and management of passkeys […] to be able to allow their employees to have this great user experience.”
The big tech players have got to allow companies like Dashlane, and other credential managers, to play an important role in terms of driving the adoption of passkeys in the enterprise, Bennett says, to facilitate those key enterprise features such as passkey sharing between teams and credential management. “It’s encouraging because there are businesses already that are saying, yes, you can use passkeys to authenticate into a service, and that’s exciting to see.”
The Future Of Password Management
Passkeys represent the future of credential management, Bennett says, and the Dashlane team will continue to support their adoption in the industry.
“We all know the risks around passwords. You’ll see from us continued product investment and product innovation around supporting within our product experience. In terms of direction, we’ve announced passwordless login to the Dashlane vault, and we’re going to continue investments in the rollout of [passwordless] technologies for our consumer users and business users.
“We want to be part of the solution in terms of providing a path for businesses and websites to move to a passwordless future, to go to passkeys. We’re going to continue to be a strong member of the FIDO Alliance, to work alongside this ecosystem of large tech players and companies like Dashlane, so we can continue to evolve the standards around passkeys and answer some of these questions that haven’t been answered.
“We’re enthusiastic about the move to passkeys and I think you’ll see it as another aspect of what you’ll be able to manage within your Dashlane vault.”
About Expert Insights
Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions. You can find all of our podcasts here.