With what looks like broad industry adoption of passkeys, are password management products doomed? Will passwords go away forever? Looking at my 1Password database I have … 854 logins and 352 passwords. Seems like a decade at least before password management would decline significantly.
On the contrary, password managers will be more relevant in the future, because they will be more important for people who don't use a pw manager today (most people aren't very good at 256 bit elliptic curve arithmetic).
Even though Apple (and likely a couple more) will provide their proprietary passwordless system with cloud sync, a lot of people don't want to rely on an iCloud account to be your backup in case you lose your phone. Which means that cross platform password managers are in an excellent position to compete in passwordless, since it can span all your devices and browsers. They are already keeping sensitive secrets, integrate with biometrics and device-specific soft-locks, audit logs etc – all they need to do is add some integrations for WebAuthn and certain platform APIs that Apple and friends have to provide.
The main adoption-risk with password-less is fallback for when the user's browser isn't fully integrated with a pw-manager. Not that it's impossible, but if you need a backup you now have a multimodal and more complicated system, and if that burden is shifted to individual web/app developers it will certainly delay or even stop the transition.
> Even though Apple (and likely a couple more) will provide their proprietary passwordless system with cloud sync, a lot of people don't want to rely on an iCloud account to be your backup in case you lose your phone.
This is the big one for me. The user story for logging in to a site on Windows with an iOS passkey is to scan a QR code with your phone, which sounds obnoxious.
I'd rather just have 1Password be the private key repository and those keys will sync to Mac/Windows/Phones through it instead of them being locked into iCloud Keychain, and it can handle logins just like normal.
That's a once type thing, the website is supposed to prompt you after that QR login whether you'd like to enroll your local authenticator (Chrome, Edge, Firefox,etc) after you login so you don't need to keep using the QR code.
The concept is that many people will frequently have multiple passkeys, thus not be 'locked in' to any one sync ecosystem.
> When signing in on a different computer, either the credential will already be locally present (if the computer is using the same sync fabric as the phone) and suggested by autocomplete, or else the user’s phone can be used to transmit the assertion to the computer. In the latter case, the service may invite the user to enroll a local platform authenticator for easier sign-in in the future. (Now the newly registered credential may be part of a different sync fabric, and thus enable local sign-in on other devices.)
It’s alright but it requires dismissing Windows Hello/FIDO2 every time and relies on establishing a BLE connection every time. (There’s no lasting BLE connection right now) So it’s also currently unusable on my desktop due to lack of Bluetooth.
I’d rather Windows Hello maintain a BLE connection itself and implement this (or the password manager suggestion).
Yeah that's why I think pw managers will be central to this story. Apple will try though, and they might have an edge and push the initial adoption, but eventually they'll come around. Their hubris usually calms down when their lock-in plans go further than they can handle.
I like Bitwarden more personally, but if the important aspects are standardized it shouldn't really make a difference.
Indeed, and Apple's pw manager is, as is typical, just a baseline implementation. I really need a full featured one so I can fix misfires (e.g. sign up on web, but the associated app doesn't set its domain properly), look for duplicates, get the info out for sites that can't auto entry (grr, js validation character-by-character) etc.
The calendar is another good example: adequate for many people, but trivially supplanted by a third party app (I use busycal) that apple treats as first class.
I think you're underestimating the threat. 1pass saw it and is acquiring a company in that space to figure out how to continue to add value in a password less environment that justifies their annual fees. Not a surprising move. I view 1pass is a secret manager and so it makes sense they add password less to their portfolio.
I don't think so, when I look at my 1Password vault, I have way more than just passwords. API keys, secure notes, security questions and anything else I want to keep "secure". I would imagine 1Password would integrate passkeys into it's app just like they did with 2FA.
I don't know why passwords would go away forever. The "technology" has existed, imperfect as it is, for thousands of years. Other forms of authentication have their own weaknesses which is why MFA is so important now. If passwords do get largely phased out, I know I'm going to be That One Luddite hanging on to the bitter end...
Just for fun, a Hanko is the name of the stamp that Japanese citizens used to authorize documents and prove their identity on documents. Cool project name and cool logo!
Hanko.io is an open source authentication and user management solution that is optimized for passkeys as the upcoming default login method. The frontend (login box for now, user profile coming soon) is a web component, allowing for a simple and flexible integration to websites and apps built with a wide range of web frameworks.
We decided to go with email passcodes as fallback method because of the limitations we identified with magic links. The biggest issue was the inability to sign in on devices where the users don’t have access to their email account to click the link.
With that being said, we (or someone else) may reintroduce magic links as another login alternative of Hanko though, because we also think that it is a better UX to click a link than to type a code.
In any case, our take is that the importance of the fallback auth method will diminish over time due to the omnipresence of passkey support.
If someone's signing into a mobile app, quite a good backup option for magic links is to show a QR code containing the current URL, on the callback URL.
Assuming you're using universal app links, if they open it on a device with the app installed, it'll go straight there. If not, it'll show the QR code and the user can just scan that with their default camera app on the device they're trying to use.
I solved this for django-tokenauth[1] by making the token short and easy for humans to type in. Depending on how many tokens you have in flight at once, you can use very few digits.
Have you decided upon a minimum entropy level for the low digit tokens that prevents brute force attacks being feasible? I think easy to type in is something you can do with longer tokens, so long as it's readable as a sentence. "1676226" is harder to type in than "TotallyAgreeableCatPants" for example.
“passwordless” is a great term, but I can't imagine going through my day without ever having to login to something using traditional password/username combos.
Really? I feel like I don’t know any of my passwords at all except 1Password, and the step from having 1Password fill out a form to 1Password doing auth in the background feels very natural
I'm the same, I don't even know the password of my work machine. During the week I just use TouchID. Then on Monday when it prompts me for my password I need to look at 1Password on my phone.
This is more of a product for developers building passkeys into their apps. Though they will benefit from Passage's expertise in building out their passkey stores in their apps.
Huh? You can literally do those things in 1Password. Every item has a notes section where you can type plain text. Custom fields are supported. List view is there.
I am an ardent user of 1password and can do all the tasks you desire:
- I frequently add notes to the logins / items I've created (adding information about security questions or why I created an account to begin with)
- I add tags to every single item in 1password, detailing if it relates to a "website", "app", for "personal" or "work", etc...
- The primary presentation of items _is_ in a list
I would highly recommend you review 1password as perhaps you have not used it in some time or were using something else.
I had to read your comment 3 times to make sure you were actually talking about 1p cuz as others have said, these features exist (and have existed for years)
Maybe a physical notebook. Still infinity better than increasing your threat surface by a third party holding a bunch of keys that might be encrypted well.
Let's try it this way. I'll use a third party if they indemnify me. You screw up, you pay me?
I had 1Password for a while but I found it clunky and not very user friendly. On the other hand, I've been using bitwarden, which is free, and seems to be a completely smooth experience on all devices. I don't really understand why the premium product that is 1Password feels worse
I've tried a few password managers over the years, but I have stuck with 1Password because it has been the easiest for my non-technical family to use as well, and I would rather have a solution that works for them more easily. We've completely stopped sharing passwords over text and email and sticky notes on the fridge over the years in favor of 1P and links, particularly now that they can deep link in. I want to revisit BitWarden, but it would have to be pretty great (and pretty cost similar) to move my family plan.
I feel like the quality of the 1Password app has dropped over time. When I first started using it, the experience was sublime compared to apps like LastPass. I have more issues with passwords failing to prompt to save and general UX weirdness and slow response times than I used to. It's at the point where I'm seriously considering moving to something like BitWarden and I likely would have already if it was just me but I've got five family members using this as well and the migration annoyance has put me off.
It's up to personal preference. I use Bitwarden for work and 1Password for everything else and find 1Password to do a lot more than Bitwarden, and it now has a consistent UI across all platforms. Bitwarden is usable as a password manager, but 1Password can do ssh keys (including for git commit signing), Privacy.com cards, and I've found it to have better integration with browsers and the operating system.
