Dashlane Debuts Passwordless Access To Its Password Manager - But Beware This Major Hitch

Yuichiro Chino/Moment via Getty Images

Follow ZDNET: Add america arsenic a preferred source connected Google.

ZDNET's cardinal takeaways

• Dashlane now lets you login to its password head pinch a passwordless passkey.
• The characteristic is based connected a draught modular from nan World Wide Web Consortium.
• It's not expected to activity connected nan mobile type of Dashlane until early adjacent year.

The immense mostly of cybersecurity transgressions -- galore of which lead to nan exfiltration of confidential accusation aliases financial losses -- commencement pinch a password phishing scam. 

Research shows that 98% of end-users proceed to autumn prey to phishers contempt cybersecurity training. The only reply to nan phishing scourge is an industry-wide effort to get free of passwords (embellished pinch second-factor codes aliases not) arsenic nan superior intends of authenticating pinch websites, apps, and different online services (collectively referred to arsenic "relying parties"). 

Also: How passkeys work: The complete guideline to your inevitable passwordless future

And that's what the FIDO Alliance's passwordless passkey standard is each about: offering a new, unafraid measurement to login that doesn't require you to furnish a concealed for illustration a password arsenic a portion of a emblematic authentication workflow. (See ZDNET's bid connected really passkeys work.) The logic goes this way: If there's nary password to stock pinch a morganatic relying party, past there's nary password to accidentally stock pinch phishers and different societal engineers. 

Problem solved. Right? Well, benignant of. 

The past mile of credential guidance  

In bid to usage passkeys, you'll besides request an interlocutor -- specified arsenic a password head -- to grip their creation, unafraid storage, and presentation (at clip of login). Historically, this has presented an intractable chicken-and-egg paradox erstwhile it comes to logging into nan password head itself. If you request to beryllium logged successful to your password head truthful that you tin login to everything other without a password, past really is simply a passwordless login to your password head imaginable without nan thief of that password manager? After all, you're not logged into it. And, if there's 1 password you ne'er want to get phished for, it's nan password to your password head -- nan proverbial cardinal to nan kingdom.

Although this past susceptible mile of credential guidance is technically addressed by a projected hold (WebAuthn PRF) to a World Wide Web Consortium modular (WebAuthn: 1 of nan cardinal building blocks to nan passkey standard), nan draught modular has yet to beryllium wide embraced pinch wholly passwordless implementations by third-party cross-platform password managers. 

BitWarden is 1 of nan early supporters of nan standard successful its password head (here's a video showing it successful action) and nan password head successful Google Chrome approximates nan conception erstwhile users activate Google's Advanced Protection Program). 

Now, Dashlane has collaborated pinch Yubico to subordinate nan database of WebAuthn PRF-compliant password managers to destruct nan request for a maestro password erstwhile logging into its namesake password guidance application.

Sounds for illustration voodoo. How does it work?

When it comes to third-party password guidance solutions (officially referred to by nan WebAuthn and passkey standards arsenic virtual authenticators), nan user's password to their password head really serves a dual purpose. As is often nan lawsuit pinch galore different relying parties (especially ones that don't yet support passkeys), nan password serves arsenic nan ground for logging into nan user's password guidance account. 

Additionally, successful nan lawsuit of astir password managers, nan user's maestro password is simply a concealed spot of worldly that besides plays a domiciled successful nan algorithms utilized to uniquely encrypt and decrypt nan user's password guidance vault. (This is simply a typical package instrumentality that securely stores nan user's various website and app credentials  -- and sometimes different delicate secrets for illustration in installments paper numbers.) Wherever that vault resides -- connected immoderate of your devices aliases successful nan password manager's cloud-- it resides location successful encrypted form. The only measurement to decrypt it, peculiarly erstwhile your instrumentality first starts to tally your password head arsenic a benignant of inheritance task, is pinch nan maestro password to your password manager. This is 1 logic that your vault is safe from hackers erstwhile your password head syncs your vault to its unreality for nan intent of syncing it to your different devices. Wherever it resides successful encrypted form, it's useless to hackers.

Also: The champion password managers: Expert tested

As such, dropping your password successful favour of a passwordless passkey arsenic nan ground for authenticating pinch your password head really presents 2 method conundrums:

1. There must beryllium a measurement to callback nan passkey to nan password head without nan interlocution of nan password head itself.
2. Another unsocial and unphishable concealed must beryllium substituted for your password arsenic nan confidential constituent for vault encryption and decryption. 

Enter Yubico's Yubikey. Several models of this celebrated information cardinal tin link to your devices via USB or, successful nan lawsuit of immoderate models, via nan wireless near-field connection (NFC) modular (the aforesaid manufacture wireless proximity modular that allows you to pat a point-of-sale in installments paper terminal pinch your in installments paper aliases smartphone). 

Yubico's YubiKey 5C NFC is enabled for USB-C and wireless NFC connectivity to desktops, laptops, and mobile devices.

Yubico

The WebAuthn PRF specification prescribes an manufacture modular method by which a beingness FIDO2-compliant information cardinal (officially described arsenic a roaming authenticator by nan WebAuthn standard) tin return complete some roles; first arsenic a abstracted and unafraid instrumentality for nan passkey that you'll usage to login to your password head (thereby solving for nan main chickenhearted and ovum paradox) and 2nd arsenic a root of nan unsocial and concealed worldly from which that passkey and nan keys for encrypting and decrypting your vault are derived. 

Also: The champion information keys: Expert tested

Similar to nan Secure Enclaves recovered connected each Apple devices and nan Trusted Platform Modules (TPMs) recovered successful hardware that tally Windows, Linux, and Android, each YubiKey is uniquely encoded pinch concealed accusation that sets it isolated from different YubiKeys (as good arsenic from different FiDO2-compliant roaming authenticators like Google's Titans). In different words, nary 2 roaming authenticators are precisely nan same. 

Once you destruct nan password to your password manager, and fixed really your passkey to your password manager, arsenic good arsenic nan keys for encrypting and decrypting your vault, are derived from that concealed spot of material, you cannot login to your password head aliases decrypt your vault without first connecting that aforesaid beingness roaming authenticator to your device. For this reason, erstwhile you elite to usage a roaming authenticator to login to your password manager, threat actors tin nary longer phish aliases different socially technologist you for nan credentials to your password manager. Nobody -- neither they nor you -- tin login without being successful beingness possession of your roaming authenticator. 

But there's a hitch aliases two

While WebAuth PRF-compliant password managers are yet solving for that past susceptible mile, location are 2 gotchas, 1 of which virtually eliminates nan chance that you'll beryllium making nan move today. 

The first and astir evident of these gotchas has to do pinch nan anticipation that you could suffer your roaming authenticator. If each you person is 1 roaming authenticator and you suffer it, you'll besides suffer entree to immoderate wholly passwordless accounts-- including that of your password head -- whose passkeys were stored connected that device. 

Also: I'm ditching passwords for passkeys for 1 logic - and it's not what you think

Fortunately, nan measurement nan WebAuth PRF modular works, it's imaginable to usage nan first roaming authenticator to initialize 1 aliases much backup roaming authenticators successful bid to protect yourself from nan nonaccomplishment of immoderate of them. This is why having backup roaming authenticators isn't conscionable recommended. It's imperative. Without specified a backup, location is nary automated betterment regular for illustration nan 1 that exists if you suffer aliases hide nan password to your password manager. 

"You've sewage to group up an other key," Dashlane head of merchandise invention Rew Islam told ZDNET. "You [stow] that cardinal wherever you want aliases moreover spell pinch aggregate [roaming authenticators]." According to Islam, if Dashlane were to connection a betterment workflow that progressive a concealed building aliases email, it would wholly undo nan phishing-proof quality of nan WebAuthn-compliant attack utilizing a YubiKey.

Also: Your passkeys could beryllium susceptible to attack, and everyone - including you - must act

"If we guaranteed 100% readiness of your account, past there's virtually nary security," said Islam. Implying that astir specified automated betterment mechanisms are susceptible to societal engineering, Islam said, "I tin summation entree to your account."

However, managing backup roaming authenticators is easier said than done. For example, let's opportunity you're going connected a travel and you can't suffer entree to your password head while you're away. How galore roaming authenticators should you bring, and what's your strategy for storing them truthful that nan nonaccomplishment of 1 doesn't besides impact nan nonaccomplishment of nan others? These are things that you don't request to deliberation astir pinch a recoverable, albeit phishable, password.

If that's not capable to springiness you origin for pause, nan different gotcha will be. 

The gaps: iOS and Android support

The thought down a roaming authenticator is that, erstwhile you've group it up, you tin "roam" it to immoderate of your devices. For example, nan aforesaid roaming authenticator should alteration you to login to your password head from your smartphone arsenic good arsenic your notebook computer. After all, you'll request it for logging into each of your different accounts from some devices. Unfortunately, today, erstwhile it comes to WebAuth PRF compliance, location are gaps successful really nan draught modular is supported connected iOS and Android. 

"When location are these standards, we person to hold for nan platforms to determine what to do pinch them. Passkeys are a occurrence because Microsoft, Google, and Apple signed up to instrumentality them; implementing these things into their systems, their operating systems, their browsers," said Islam. "But that doesn't mean they person to instrumentality each azygous portion of nan specification. So, what has happened? On [iOS] and Android, immoderate of nan plumbing for [roaming authenticator] support is conscionable missing."

Also: This caller cyberattack tricks you into hacking yourself. Here's really to spot it

Islam expects that, pinch nan thief of immoderate caller Software Development Kits (SDKs) coming from Yubico, nan gaps will beryllium filled by early adjacent year. But for nan clip being, if you request entree to Dashlane connected your mobile device, now is not a bully clip to person to a wholly passwordless configuration of nan password manager. The process, astatine slightest arsenic it relates to Dashlane, is irreversible. 

"We cognize that this is creating a business that isn't really comfortable," said Islam, who suggested that nan babe measurement was still basal successful bid to move industry-wide take of nan WebAuthn PRF modular forward. "We request that discomfort to push definite things [in nan manufacture forward]. So it was a strategical decision. Now, it is conscionable a waiting game."

Stay up of information news pinch Tech Today, delivered to your inbox each morning.