Are you ready to replace your password with your face?

 

By Jared Newman

If the password is truly going to die someday, its replacement will have to get a lot simpler to use.

While major tech companies such as Apple and Google are pushing the notion of “passkeys”—in which your face or fingerprint helps you log into apps or websites without a password—the implementation is a mess right now. Every website handles these logins differently, and accessing your accounts across all your devices can be a pain.

How are these problems going to get solved? It might be with a password manager.

On June 6, 1Password is launching an open beta for its own passkey login system, which at least partly addresses the problems with going passwordless. Create a passkey for your Microsoft account, for instance, and it’ll sync across all your computers (and, eventually, your mobile devices) where 1Password is installed.


Other password managers, including Dashlane and Bitwarden, are starting to support passkeys as well. Meanwhile, 1Password is also working with app and website developers to streamline their passwordless login flows so they’re less confusing to customers.

“There’s a lot that 1Password can solve that even the (big tech) platforms really struggle with,” says Jeff Shiner, 1Password’s CEO.

Passwordless logins are still a long way off from mass adoption, regardless of what industry cheerleaders insist, but 1Password is at least showing how we might get there.

Passwordless’ biggest problem

A recap on how passwordless logins work: When you log into a supported app or website, your phone or laptop stores a “passkey” in place of a regular password. This passkey is invisible to you and pairs with a random ID stored by the app or website. To unlock your account, the device uses biometrics—such as a fingerprint or face recognition—to confirm with the app or website that you are who you claim to be.

It’s all pretty elegant in theory. Users don’t have to worry about memorizing passwords or generating unique ones in a password manager, and companies don’t have to risk losing those passwords in a security breach. Biometric data never leaves your device either, as it’s merely a way to authorize the use of your passkeys.
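The flow described above can be sketched in a few lines of Node.js. This is an added illustration, not code from 1Password or from the article, and it is a simplified model rather than the real WebAuthn message format: the function names, the `userVerified` flag standing in for the biometric check, and the `.example` origins are all assumptions.

```javascript
const nodeCrypto = require('node:crypto'); // Node.js built-in; no external packages

// Device: make a per-site key pair. Only the public key and random ID go to the site.
function createPasskey(origin) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // NIST P-256
  const credentialId = nodeCrypto.randomBytes(16).toString('hex');
  return { device: { origin, credentialId, privateKey },
           registration: { credentialId, publicKey } };
}

// Device: sign the site's challenge. userVerified stands in for the local
// fingerprint/face check; the biometric itself is never sent anywhere.
function signLogin(device, challenge, origin, userVerified) {
  if (!userVerified) throw new Error('user verification failed');
  if (origin !== device.origin) throw new Error('no passkey for this origin');
  const clientData = JSON.stringify({ challenge, origin });
  const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { credentialId: device.credentialId, clientData, signature };
}

// Site: check the ID, the challenge it just issued, the origin, then the signature.
function verifyLogin(stored, origin, challenge, assertion) {
  if (assertion.credentialId !== stored.credentialId) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== challenge || data.origin !== origin) return false;
  return nodeCrypto.verify('sha256', Buffer.from(assertion.clientData),
                           stored.publicKey, assertion.signature);
}

function demo() {
  const site = 'https://shop.example'; // constructed sample origin
  const { device, registration } = createPasskey(site);
  const newChallenge = () => nodeCrypto.randomBytes(32).toString('hex');
  const challenge = newChallenge();
  const assertion = signLogin(device, challenge, site, true);
  let signedWithoutBiometric = true;
  try { signLogin(device, challenge, site, false); } catch { signedWithoutBiometric = false; }
  return {
    ok: verifyLogin(registration, site, challenge, assertion),
    staleChallengeAccepted: verifyLogin(registration, site, newChallenge(), assertion),
    wrongOriginAccepted: verifyLogin(registration, 'https://other.example', challenge, assertion),
    signedWithoutBiometric,
  };
}

console.log(demo());
```

The site's stored record holds only a public key and an ID, so a copy of it taken in a breach cannot be used to sign a login.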

The system has a bunch of issues in its early days, though, the biggest being that it doesn’t work well across platforms. Apple, Google, and Microsoft all have their own systems for storing and syncing passkeys, and moving between ecosystems requires a clunky QR code or Bluetooth pairing process for each login. Remembering which passkeys are stored where becomes a hassle as a result, and going passwordless becomes just another mechanism for platform lock-in.

That’s where password managers such as 1Password come in. If you store a passkey with 1Password on a Windows PC, you can use that same passkey via 1Password’s browser extension on a Mac. Mobile support is more complicated (more on that shortly), but users will eventually have access to their passkeys via 1Password’s iOS and Android apps as well.


The passwordless password manager

1Password’s new system feels a bit like a workaround, as it’s essentially tricking websites into thinking you’ve created a passkey on your computer. Behind the scenes, 1Password’s Chrome extension jumps into the sign-up flow to create its own passkeys, which it stores on its own servers. (As with regular passwords, this data is end-to-end encrypted.)

“What we’re doing is, we’re intercepting the creation of that private-public keypair at the website,” says Steve Won, 1Password’s Chief Product Officer.


This can lead to some awkward passkey setup steps. On Nvidia’s website, for instance, users must choose the “Hardware Security Device” option on their account page to create a passkey, even though no extra hardware is involved. For Microsoft, users set up their passkey by selecting “Use your Windows PC” on the company’s account management page, even from a Mac.


The actual login process can feel pretty magical, though. After setting up a passkey with Best Buy, for example, users can just click the “Sign in with a Passkey” button, and 1Password’s browser extension does the rest. There are no extra forms to fill in, and no auto-fill buttons to click on. Just one click gets you into your account. Shiner says this ease of use is ultimately what will help passwordless sign-ins take off.

“People want to know that it’s safe, but they’re going to adopt it because it makes their lives easier,” he says.


Fixing the inconsistencies

Shiner acknowledges that it’s early days for passkeys, and that some challenges remain.

For one thing, 1Password’s passkey system doesn’t support mobile apps yet. The current versions of iOS and Android don’t allow third-party password managers to log in using passkeys, but support is coming in the next version of Android, and Apple may not be far behind.

A lack of consistency across apps and websites will be a trickier problem to solve. Right now, few websites support passkeys in the first place, and those that do may handle them in wildly different ways. Best Buy, for instance, hides its passkey setup option deep within an account settings menu, but has a “Sign in with a Passkey” button on its login page. With Nvidia, logging in with a passkey requires multiple clicks from the main sign-in page.


Password managers can’t solve this problem on their own, but 1Password’s acquisition of Passage last year might help. Passage offers passwordless sign-in tools for apps and websites, with the goal of increasing adoption and making things easier for users.

“One of the things we’re trying to do with the Passage launch is provide a way to have a really good experience, and a consistent experience . . . as opposed to making it up on your own,” Shiner says.

As for the lock-in problem, Won says 1Password is co-sponsoring a portability specification for passkeys and hopes to get it ratified by the FIDO Alliance, the industry standards group that’s backing passwordless logins. This would allow users to move all their passkeys between Android and iOS, or to a third-party password manager, though there’s no timeline for when this might happen.

All of which reinforces the idea that passwords will be with us for a long time to come. While Shiner expects passkey support to become more widespread over the next year or two, most apps and websites aren’t encouraging users to remove passwords as a backup option. That transition is “years away,” he says.

In the meantime, the industry is coming around to the idea it’ll need password managers to help get passkeys off the ground. That wasn’t the case when 1Password joined the board of the FIDO Alliance last year, Won says.

“The initial reception was like, ‘We’re not sure password managers have a part to play within this ecosystem,’” he says. “Over time it’s been really heartening to see that the feedback has been, ‘Oh crap, y’all are actually the bridge for passkeys to be adopted.’”

Fast Company
