
ZDNET Highlights
- Dashlane now lets you log into its password manager with a password-free passkey.
- This feature is based on a draft standard from the World Wide Web Consortium.
- Dashlane is not expected to work on a mobile version until early next year.
Most cybersecurity breaches – many of which lead to exfiltration of confidential information or financial losses – begin with password phishing scams.
Research shows that, despite cybersecurity training, 98% of end users continue to fall victim to phishers. The only answer to the phishing crisis is an industry-wide effort to get rid of passwords (whether or not they are supplemented with a second-factor code) as the primary means of authentication with websites, apps, and other online services (collectively referred to as "relying parties" in the WebAuthn standard).
That is what the FIDO Alliance's passwordless passkey standard is all about: providing a new, secure way to log in that doesn't require you to submit a secret like a password as part of the normal authentication workflow. (See ZDNET's series on how passkeys work.) The logic goes like this: if there's no password to share with a legitimate relying party, there's no password to accidentally share with phishers and other social engineers.
Problem solved, right? Well, sort of.
Last mile of credential management
To use passkeys, you'll also need an intermediary – such as a password manager – to handle their creation, secure storage, and presentation (at login time). Historically, this has presented a difficult chicken-and-egg paradox when it comes to logging into a password manager. If you need to log into your password manager so you can log into everything else without a password, how is passwordless login to your password manager possible without the help of that password manager? After all, you're not logged into it yet. And, if there's one password you never want to be phished for, it's your password manager's master password – the proverbial key to the kingdom.
Although this last weak spot in credential management has technically been addressed by a proposed extension (WebAuthn PRF) to the World Wide Web Consortium's WebAuthn standard (one of the key building blocks of the passkey standard), the draft extension has yet to be widely adopted in fully passwordless implementations by third-party, cross-platform password managers.
Bitwarden is one of the early supporters of the extension in its password manager (it has published a video showing it in action), and the password manager in Google Chrome anticipates this concept for users enrolled in Google's Advanced Security Program.
Now, Dashlane has partnered with Yubico to join the list of WebAuthn PRF-compliant password managers, eliminating the need for a master password when logging into its eponymous password management application.
Sounds like voodoo. How does this work?
When it comes to third-party password management solutions (officially referred to in the WebAuthn and passkey standards as virtual authenticators), the user's master password actually serves a dual purpose for their password manager. As is the case with many other relying parties (especially those that do not yet support passkeys), the password serves as the basis for logging into the user's password management account.
Additionally, in the case of most password managers, the user's master password is a secret that also feeds the algorithm used to uniquely encrypt and decrypt the user's password vault. (The vault is a special software container that securely stores a user's various website and app credentials, and sometimes other sensitive secrets like credit card numbers.) Wherever that vault lives – on any of your devices or in the password manager's cloud – it stays there in encrypted form. The only way to decrypt it, especially when your device first starts running your password manager as a kind of background task, is with your password manager's master password. This is one of the reasons why your vault remains safe from hackers when your password manager uploads it to its cloud in order to sync it with your other devices: wherever it resides in encrypted form, it is useless to anyone without the master password.
Thus, abandoning your password in favor of a passwordless passkey as the basis for authentication with your password manager actually presents two technical complications:
- There must be some way to retrieve the password manager's passkey without having to interact with the password manager itself.
- Another unique and non-reproducible secret must be substituted for your password as the confidential component of vault encryption and decryption.
Enter Yubico's YubiKey. Many models of this popular security key can connect to your device via USB or, in the case of some models, via the wireless near-field communication (NFC) standard (the same industry wireless proximity standard that lets you tap a point-of-sale credit card terminal with your credit card or smartphone).
Yubico’s YubiKey 5C NFC is capable of USB-C and wireless NFC connectivity for desktops, laptops, and mobile devices.
The WebAuthn PRF specification sets out an industry-standard method by which a physical FIDO2-compliant security key (officially described as a roaming authenticator in the WebAuthn standard) can perform both roles: first, as a separate and secure container for the passkey that you will use to log into your password manager (thereby solving the chicken-and-egg paradox), and second, as the source of the unique secret material from which that passkey and the keys to encrypt and decrypt your vault are derived.
Similar to the Secure Enclave found on all Apple devices and the Trusted Platform Module (TPM) found in hardware running Windows, Linux, and Android, each YubiKey is uniquely provisioned with secret material that distinguishes it from every other YubiKey (as well as from other FIDO2-compliant roaming authenticators, such as Google's Titan security keys). In other words, no two roaming authenticators are exactly alike.
Once you remove your password manager's password, and given that your password manager's passkey, as well as the keys to encrypt and decrypt your vault, are derived from that secret material, you will no longer be able to log into your password manager or decrypt your vault without connecting that same physical roaming authenticator to your device. For this reason, once you choose to use a roaming authenticator to log into your password manager, threat actors can no longer phish or otherwise socially engineer you for your password manager credentials. No one – neither they nor you – can log in without physical possession of your roaming authenticator.
But there are one or two hitches
While WebAuthn PRF-compliant password managers are finally securing that last insecure mile, there are two gotchas, one of which virtually eliminates the chance that you'll make the switch today.
The first and most obvious of these gotchas concerns the possibility that you may lose your roaming authenticator. If you only have one roaming authenticator and you lose it, you'll lose access to any fully passwordless accounts – including your password manager – whose passkeys were stored on that device.
Fortunately, because of the way the WebAuthn PRF extension works, it is possible to use the first roaming authenticator to initialize one or more backup roaming authenticators, protecting you from the loss of any one of them. This is why backup roaming authenticators are not merely recommended; they are essential. Without such backups, there is no automatic recovery routine like the one that exists if your password manager's master password is lost or forgotten.
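To make concrete how a roaming authenticator's PRF output can take over the master password's role as the vault's key-protecting secret (the dual role described above), and how a second key is enrolled as a backup so that either one unlocks the vault, here is an added illustrative example in Python. It is not Dashlane's or Yubico's code: the PRF model, the HKDF step, the key-wrapping construction and the sample keys are constructed assumptions that follow the design the article describes, not the product's actual implementation.

```python
import hashlib
import hmac
import os

def prf_eval(cred_secret: bytes, salt: bytes) -> bytes:
    """One WebAuthn PRF evaluation by a roaming authenticator (model)."""
    # The client hashes the salt under a domain-separation prefix (per the PRF
    # extension draft); the key answers with HMAC under its credential secret.
    eval_input = hashlib.sha256(b"WebAuthn PRF\x00" + salt).digest()
    return hmac.new(cred_secret, eval_input, hashlib.sha256).digest()

def hkdf_sha256(ikm: bytes, info: bytes, length: int = 64) -> bytes:
    """HKDF extract-and-expand (RFC 5869), zero salt, stdlib only."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm = block = b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]

def wrap_vault_key(prf_out: bytes, vault_key: bytes) -> bytes:
    """Encrypt-then-MAC the 32-byte vault key under keys derived from prf_out."""
    okm = hkdf_sha256(prf_out, b"vault-key-wrap")
    enc_key, mac_key = okm[:32], okm[32:]
    nonce = os.urandom(16)  # fresh per wrap
    keystream = hmac.new(enc_key, nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(vault_key, keystream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_vault_key(prf_out: bytes, blob: bytes):
    """Return the vault key, or None if prf_out came from another authenticator."""
    okm = hkdf_sha256(prf_out, b"vault-key-wrap")
    enc_key, mac_key = okm[:32], okm[32:]
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    keystream = hmac.new(enc_key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, keystream))

def demo():
    # Constructed sample: two YubiKeys (own secrets); the PRF salt is not secret.
    primary, backup, salt, vault_key = (os.urandom(32) for _ in range(4))
    # Enrolment: with the primary present and the vault key unwrapped, the
    # same vault key is wrapped again under the backup key's PRF output.
    wraps = [wrap_vault_key(prf_eval(k, salt), vault_key) for k in (primary, backup)]
    stranger = prf_eval(os.urandom(32), salt)  # some other security key
    return ([unwrap_vault_key(prf_eval(k, salt), w) for k, w in zip((primary, backup), wraps)],
            [unwrap_vault_key(stranger, w) for w in wraps], vault_key)
```

Because the vault key is never derived from anything a person can type or be tricked into revealing, losing every enrolled security key means losing the vault, which is exactly why the backup enrolment step matters.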
“You have to set up an extra key,” Dashlane’s director of product innovation Reeve Islam told ZDNET. “You put that key wherever you want or even go with multiple (roaming authenticators).” According to Islam, if Dashlane offered a recovery workflow that involved a secret phrase or email, it would completely undo the phishing-proof nature of the WebAuthn-compliant approach using YubiKey.
“If we guarantee 100% availability of your account, there is really no security,” Islam said. Stating that most such automated recovery mechanisms are vulnerable to social engineering, Islam said, “I can get access to your account.”
However, managing backup roaming authenticators is easier said than done. For example, let's say you're going on a trip and you can't afford to lose access to your password manager while you're away. How many roaming authenticators should you bring, and what is your strategy for storing them so that the loss of one does not also mean the loss of another? These are things you don't need to think about when it comes to recoverable, even if phishable, passwords.
If that's not enough to give you pause, the second gotcha will.
Drawbacks: iOS and Android support
The idea behind a roaming authenticator is that, once you've set it up, you can "roam" with it across any of your devices. For example, the same roaming authenticator should let you log into your password manager from your smartphone as well as your notebook computer. After all, you'll need it to log into all your different accounts from both devices. Unfortunately, today, when it comes to WebAuthn PRF compliance, there are differences in how the draft extension is supported on iOS and Android.
Islam said, “When these standards are in place, we have to wait for the platforms to decide what to do with them. Passkeys are successful because Microsoft, Google and Apple have signed up to implement them; implementing these things into their systems, their operating systems, their browsers.” “But that doesn’t mean they have to implement every single piece of the specification. So, what’s happened? On (iOS) and Android, some plumbing for (roaming authenticator) support is just missing.”
Islam hopes that, with the help of some new software development kits (SDKs) coming from Yubico, the gap will be filled by early next year. But if you need access to Dashlane on your mobile device, right now is not a good time to convert to a completely passwordless configuration of the password manager. This process, at least as it relates to Dashlane, is irreversible.
“We know this is creating a situation that is really not comfortable,” said Islam, who suggested that this small step was still necessary to achieve industry-wide adoption of the WebAuthn PRF standard. “We need that discomfort to move some things forward (in the industry). So it was a strategic decision. Now, it’s just a waiting game.”

