ZDNET’s key takeaways
- Dashlane now lets you log in to its password manager with a passwordless passkey.
- The feature is based on a draft standard from the World Wide Web Consortium.
- It’s not expected to work on the mobile version of Dashlane until early next year.
The vast majority of cybersecurity transgressions — many of which lead to the exfiltration of confidential information or financial losses — start with a password phishing scam.
Research shows that 98% of end-users continue to fall prey to phishers despite cybersecurity training. The only answer to the phishing scourge is an industry-wide effort to get rid of passwords (embellished with second-factor codes or not) as the primary means of authenticating with websites, apps, and other online services (collectively referred to as “relying parties”).
And that’s what the FIDO Alliance’s passwordless passkey standard is all about: offering a new, secure way to log in that doesn’t require you to furnish a secret like a password as part of a typical authentication workflow. (See ZDNET’s series on how passkeys work.) The logic goes this way: If there’s no password to share with a legitimate relying party, then there’s no password to accidentally share with phishers and other social engineers.
Problem solved. Right? Well, sort of.
The last mile of credential management
In order to use passkeys, you’ll also need an interlocutor — such as a password manager — to handle their creation, secure storage, and presentation (at time of login). Historically, this has presented an intractable chicken-and-egg paradox when it comes to logging into the password manager itself. If you need to be logged in to your password manager so that you can log in to everything else without a password, then how is a passwordless login to your password manager possible without the help of that password manager? After all, you’re not logged into it. And, if there’s one password you never want to get phished for, it’s the password to your password manager — the proverbial key to the kingdom.
Although this last vulnerable mile of credential management is technically addressed by a proposed extension (WebAuthn PRF) to a World Wide Web Consortium standard (WebAuthn: one of the key building blocks to the passkey standard), the draft standard has yet to be widely embraced with wholly passwordless implementations by third-party cross-platform password managers.
Bitwarden is one of the early supporters of the standard in its password manager (here’s a video showing it in action), and the password manager in Google Chrome approximates the concept when users activate Google’s Advanced Protection Program.
Now, Dashlane has partnered with Yubico to join the list of WebAuthn PRF-compliant password managers to eliminate the need for a master password when logging into its namesake password management application.
Sounds like voodoo. How does it work?
When it comes to third-party password management solutions (officially referred to by the WebAuthn and passkey standards as virtual authenticators), the user’s password to their password manager actually serves a dual purpose. As is often the case with many other relying parties (especially ones that don’t yet support passkeys), the password serves as the basis for logging into the user’s password management account.
Additionally, in the case of most password managers, the user’s master password is a secret bit of material that also plays a role in the algorithms used to uniquely encrypt and decrypt the user’s password management vault. (This is a special software container that securely stores the user’s various website and app credentials — and sometimes other sensitive secrets like credit card numbers.) Wherever that vault resides — on any of your devices or in the password manager’s cloud — it resides there in encrypted form. The only way to decrypt it, particularly when your device first starts to run your password manager as a sort of background task, is with the master password to your password manager. This is one reason that your vault is safe from hackers when your password manager syncs your vault to its cloud for the purpose of syncing it to your other devices. Wherever it resides in encrypted form, it’s useless to hackers.
As such, dropping your password in favor of a passwordless passkey as the basis for authenticating with your password manager actually presents two technical conundrums:
- There must be a way to recall the passkey to the password manager without the interlocution of the password manager itself.
- Another unique and unphishable secret must be substituted for your password as the confidential ingredient for vault encryption and decryption.
Enter Yubico’s Yubikey. Several models of this popular security key can connect to your devices via USB or, in the case of some models, via the wireless near-field communication (NFC) standard (the same industry wireless proximity standard that allows you to tap a point-of-sale credit card terminal with your credit card or smartphone).
Yubico’s YubiKey 5C NFC is enabled for USB-C and wireless NFC connectivity to desktops, laptops, and mobile devices.
The WebAuthn PRF specification prescribes an industry standard method by which a physical FIDO2-compliant security key (officially described as a roaming authenticator by the WebAuthn standard) can take over both roles; first as a separate and secure container for the passkey that you’ll use to login to your password manager (thereby solving for the main chicken and egg paradox) and second as a source of the unique and secret material from which that passkey and the keys for encrypting and decrypting your vault are derived.
Similar to the Secure Enclaves found on all Apple devices and the Trusted Platform Modules (TPMs) found in hardware that runs Windows, Linux, and Android, every YubiKey is uniquely encoded with secret information that sets it apart from other YubiKeys (as well as from other FIDO2-compliant roaming authenticators like Google’s Titans). In other words, no two roaming authenticators are exactly the same.
Once you eliminate the password to your password manager, and given that your passkey to your password manager, as well as the keys for encrypting and decrypting your vault, are derived from that secret bit of material, you cannot log in to your password manager or decrypt your vault without first connecting that same physical roaming authenticator to your device. For this reason, once you elect to use a roaming authenticator to log in to your password manager, threat actors can no longer phish or otherwise socially engineer you for the credentials to your password manager. Nobody — neither they nor you — can log in without being in physical possession of your roaming authenticator.
But there’s a hitch or two
While WebAuthn PRF-compliant password managers are finally solving for that last vulnerable mile, there are two gotchas, one of which virtually eliminates the chance that you’ll be making the switch today.
The first and most obvious of these gotchas has to do with the possibility that you could lose your roaming authenticator. If all you have is one roaming authenticator and you lose it, you’ll also lose access to any wholly passwordless accounts — including that of your password manager — whose passkeys were stored on that device.
Fortunately, the way the WebAuthn PRF standard works, it’s possible to use the first roaming authenticator to initialize one or more backup roaming authenticators in order to protect yourself from the loss of any of them. This is why having backup roaming authenticators isn’t just recommended. It’s imperative. Without such a backup, there is no automated recovery routine like the one that exists if you lose or forget the password to your password manager.
“You’ve got to set up an extra key,” Dashlane director of product innovation Rew Islam told ZDNET. “You [stow] that key wherever you want or even go with multiple [roaming authenticators].” According to Islam, if Dashlane were to offer a recovery workflow that involved a secret phrase or email, it would completely undo the phishing-proof nature of the WebAuthn-compliant approach using a YubiKey.
“If we guaranteed 100% availability of your account, then there’s literally no security,” said Islam. Implying that most such automated recovery mechanisms are vulnerable to social engineering, Islam said, “I can gain access to your account.”
However, managing backup roaming authenticators is easier said than done. For example, let’s say you’re going on a trip and you can’t lose access to your password manager while you’re away. How many roaming authenticators should you bring, and what’s your strategy for storing them so that the loss of one doesn’t also involve the loss of the others? These are things that you don’t need to think about with a recoverable, albeit phishable, password.
If that’s not enough to give you cause for pause, the other gotcha will be.
The gaps: iOS and Android support
The idea behind a roaming authenticator is that, once you’ve set it up, you can “roam” it to any of your devices. For example, the same roaming authenticator should enable you to log in to your password manager from your smartphone as well as your notebook computer. After all, you’ll need it for logging into all of your different accounts from both devices. Unfortunately, today, when it comes to WebAuthn PRF compliance, there are gaps in how the draft standard is supported on iOS and Android.
“When there are these standards, we have to wait for the platforms to decide what to do with them. Passkeys are a success because Microsoft, Google, and Apple signed up to implement them; implementing these things into their systems, their operating systems, their browsers,” said Islam. “But that doesn’t mean they have to implement every single piece of the specification. So, what has happened? On [iOS] and Android, some of the plumbing for [roaming authenticator] support is just missing.”
Islam expects that, with the help of some new Software Development Kits (SDKs) coming from Yubico, the gaps will be filled by early next year. But for the time being, if you need access to Dashlane on your mobile device, now is not a good time to convert to a wholly passwordless configuration of the password manager. The process, at least as it relates to Dashlane, is irreversible.
“We know that this is creating a situation that isn’t really comfortable,” said Islam, who suggested that the baby step was still necessary in order to move industry-wide adoption of the WebAuthn PRF standard forward. “We need that discomfort to push certain things [in the industry forward]. So it was a strategic decision. Now, it is just a waiting game.”