Passkeys are Here: 3 Authenticate 2023 Takeaways
Passkeys are perhaps the biggest change the authentication world has seen.
Passwordless authentication with passkeys is the modern, more secure evolution of login methods such as passwords. While passwords aren’t going away any time soon, passkeys are gradually replacing them, offering phishing-resistant logins, lowered risks of data breaches, and an improved user experience.
Phishing-resistant passwordless authentication was the core topic at the FIDO Alliance’s annual conference, Authenticate 2023—a three-day event focused on user authentication. Dashlane’s Director of Product Engineering and Innovation, Rew Islam, along with members of our UX team, spoke at the conference, which also featured keynotes from companies like Google and Amazon.
As Dashlane’s Lead Product Manager, I’d like to share my 3 key takeaways from this year’s event.
#1: It took a decade and a village, but passkeys are finally here
Since the journey to enable passwordless logins began in 2013, the FIDO (Fast Identity Online) Alliance has brought together tech leaders across sectors, including government, healthcare, and enterprises, to collaborate on a secure, scalable alternative to passwords. The alliance developed FIDO Authentication, a global authentication standard based on public key cryptography.
Passwords have long been the weakest link when it comes to cybersecurity. According to the FIDO Alliance, passwords are the root cause of more than 80% of data breaches.
Of course, with password management solutions like Dashlane, which encourage users to create hard-to-crack credentials and give them a secure place to store them, passwords stand a stronger chance against hacks and breaches. Yet even with these solutions available, many people still use weak or reused passwords: 50% of passwords stored by users are reused, according to Dashlane research. Even if passwords are strong and unique, they can still be subject to phishing attacks, which plagued more than 89% of organizations in 2022 alone.
Passkeys, however, which are supported by Dashlane on both Android and iOS, offer a phishing-resistant alternative to passwords.
With Google and Apple already rolling out passkeys for users, it’s clear that the industry is betting on this solution with a high level of confidence.
#2: With passkeys, you don’t trade security for usability
As Expedia emphasized during their Authenticate talk, authentication has always involved one or more of these three security factors: Something you know (like a password or security question), something you are (like a fingerprint or facial features), and something you have (a device or authenticator tool).
When using passkeys, you don’t have to share a “secret”—such as a password—in order to access your account. Instead, an authenticator, which could be a password manager that supports passkeys or a compatible device, generates two cryptographic keys for your account. One key is public and stored on the site where you’re creating the account; the other is private and stored in your authenticator. Next time you go to sign in, your authenticator and the website communicate to authenticate your login without exchanging any actual secrets that a hacker could exploit.
This makes passkeys user-friendly: They’re generated automatically, meaning there’s nothing for you to remember, manage, or reset.
But are they secure? In short, yes. Each passkey is unique and can’t be entered into a fake site. The public key is no use to a threat actor, because they can’t access your account with that key. Early adopters are already agreeing that passkeys are safe and easy to use. As Google UX mentioned during their keynote, 76% of users who used passkeys are likely to use them again in the future.
Dashlane has already seen a 70% increase in sign-ins with passkeys compared to passwords, and Intuit shared that 77 million people have already registered with passkeys.
Passkeys have had a positive impact on businesses as well. With increased usability and security, there is less friction when it comes to workflow. Employees are able to quickly adopt a passwordless login with nothing to remember, and IT departments no longer need to spend time recovering and resetting passwords. This means reduced costs and fewer support tickets. For consumer-facing products, companies have seen lower churn and lower transaction abandonment rates with passkeys.
#3: The future of passwordless authentication is preventing attacks
In 2023, threat actors have a low barrier to entry. As pointed out by Ashish Jain, CTO of Arkose Labs, hackers rely on two main types of cyber attacks: volumetric (like credential stuffing) and low and slow (like social engineering attacks). Generative AI and communities like OpenBullet have simplified these methods, making volumetric attacks faster and more scalable. At the same time, Cyber Crime as a Service (CYaaS) tools provide resources like fake browsers, cookies, and even fingerprint generators to hackers at a low cost.
Though there is no foolproof solution to preventing account takeovers and breaches, experts believe that attackers will not immediately focus on trying to crack passkeys but look for alternative entry points instead.
Passwordless authentication addresses many weaknesses associated with passwords, meaning the risk of attacks is significantly lower with the use of passkeys. Here’s how passkeys mitigate some of these attacks:
Credential stuffing: In credential stuffing, hackers take stolen logins and try them on multiple sites where the same password may have been reused. Passkeys prevent this because there is no login to steal, and each site requires a unique passkey.
Phishing attacks: Threat actors may send an email or another type of message with a link to a fake site, where someone enters their credentials only to have them stolen. By contrast, passkeys will only work on the real website or app they were made for, so they can’t be phished.
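The key-pair sign-in described under takeaway #2 and the phishing resistance described above can be seen in a small model. This is an added example, not Dashlane or FIDO Alliance code, and it is a simplified sketch rather than the real WebAuthn message format; the `Authenticator` and `RelyingParty` classes and the domains `example.com` and `examp1e.com` are constructed for illustration.

```javascript
const crypto = require("crypto");

// Authenticator: keeps one private key per site (simplification: site ID = hostname).
class Authenticator {
  constructor() { this.keys = new Map(); }
  // Registration: create a key pair, keep the private half, hand back the public half.
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(rpId, privateKey);
    return publicKey;
  }
  // Sign-in: the origin comes from the browser, not from anything the user types.
  sign(origin, challenge) {
    const privateKey = this.keys.get(new URL(origin).hostname);
    if (!privateKey) return null; // no passkey for this site, so nothing is released
    const clientData = Buffer.from(JSON.stringify({ origin, challenge }));
    return { clientData, signature: crypto.sign("sha256", clientData, privateKey) };
  }
}

// Website: stores only the public key; checks signature, origin and challenge freshness.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.pending = new Set(); }
  enroll(publicKey) { this.publicKey = publicKey; }
  newChallenge() {
    const c = crypto.randomBytes(32).toString("hex");
    this.pending.add(c);
    return c;
  }
  verify(assertion) {
    if (!assertion) return "no-assertion";
    const { clientData, signature } = assertion;
    if (!crypto.verify("sha256", clientData, this.publicKey, signature)) return "bad-signature";
    const { origin, challenge } = JSON.parse(clientData.toString());
    if (origin !== this.origin) return "wrong-origin";
    if (!this.pending.delete(challenge)) return "unknown-or-replayed-challenge";
    return "ok";
  }
}

function demo() {
  const site = new RelyingParty("https://example.com");
  const device = new Authenticator();
  site.enroll(device.register("example.com"));
  const good = device.sign("https://example.com", site.newChallenge());
  const first = site.verify(good);   // genuine sign-in
  const replay = site.verify(good);  // same assertion presented again
  // Look-alike domain (constructed) forwarding a fresh challenge from the real site:
  const phished = site.verify(device.sign("https://examp1e.com", site.newChallenge()));
  return { first, replay, phished };
}
console.log(demo());
```

The website never holds anything that can be replayed elsewhere: a breach of its database yields public keys only, and a captured assertion is bound to one origin and one challenge.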
Learn about passkeys from experts: Watch Dashlane's on-demand panel discussion with FIDO Alliance.
The transition from passwords to passkeys is underway, as multiple websites and apps now allow people to sign in with passkeys—and the list of compatible sites is growing. (Visit our Passkey Directory to find out which sites support passwordless logins.)
Passkeys represent a significant change to authentication as we know it. Dashlane is a board member of the FIDO Alliance, which has brought together leading minds in authentication and cybersecurity who continue to work collaboratively to fine-tune a secure, user-friendly solution to authentication.
Dashlane has played a key role in securing a passwordless future. The nature of our cross-platform password manager allows us to support passkeys seamlessly across various platforms. In 2022, Dashlane announced passkey support, offering the first in-browser passkey solution. In May, we added passwordless logins, and with iOS 17 and Android 14, Dashlane is now available as a passkey manager for desktop and mobile for all browsers and devices.
With Dashlane’s integrated passkey support, you can log in to any website or app automatically. Learn more about passkeys at Dashlane.
Quentin Delory is a Lead Product Manager at Dashlane with nearly 20 years of experience in his field, a Master's in Business Administration, and a Master's in Science. He's a management consultant turned entrepreneur turned product builder who's passionate about bringing ideas and technologies to life as products and businesses. Originally from France, he currently resides in San Francisco.