I tried two passwordless password managers, and was seriously impressed by one

Password management apps have been around for decades. These days, there are dozens of legitimate candidates for the job of wrangling your online credentials, and they all start with the same basic architecture: Your usernames, passwords, and other secrets are stored in a database (often called a vault) that’s protected with strong encryption. To unlock that vault, you enter a master password.

In fact, that model is so pervasive that it’s inspired the names of some leading products in the category. There’s 1Password, for example, which promises that you’ll only need to remember one password instead of dozens or hundreds. LastPass claims that your master password will be “the last password you’ll ever need.”

The best products in the category offer passwordless options as an alternative to typing that master password every time you unlock your vault. Typically that means biometrics (face recognition or fingerprint ID) or a hardware key on a trusted device. But in all those cases the master password still exists and is still accepted as a backup way to decrypt the vault, so the vault's protection ultimately still rests on that password.

And that’s where some people get nervous about entrusting all those secrets to a password manager. If someone steals your master password, they can take over your entire online existence. Multi-factor authentication makes an attacker’s job considerably harder, but it typically gates sign-in to the cloud service rather than decryption of a vault copy the attacker has already obtained, so architecturally the master password remains the weak point.

But what if you could get rid of the master password completely, using only passkeys to prove your identity? That option’s available today for anyone creating a new account with Dashlane, and rival 1Password is offering a public beta to allow its customers to test a similar feature. (Both companies say customers with existing personal accounts and anyone who wants to set up a business account will have to wait till sometime in 2024 to make their accounts completely passwordless.)

Should you ditch your master password completely? I took the plunge with both Dashlane and 1Password, setting up free test accounts to see what the experience is like. 

My conclusion: There’s a passwordless password manager in your future, but only technically sophisticated customers should plunge in today.

Setting up a passwordless account

Both products follow a similar workflow to enable passwordless accounts. For Dashlane, you start by installing the Dashlane app on a mobile device (iOS or Android) and then setting up a new personal account using the passwordless option with an email address that becomes your username. (It doesn’t have to be a primary email address, but you do need to confirm the address before completing setup.)

Dashlane was the first developer to ship a completely passwordless password manager

Screenshot by Ed Bott/ZDNET

1Password requires you to join the public beta by using its mobile or desktop links; after creating a new individual account, you can follow the prompts to create a passkey. (If you’re on an iPhone, make sure you’ve set up iCloud Keychain as a place to store passkeys. If you have an Android device, keep reading.)

1Password uses passkeys to enable passwordless accounts, which causes some problems

Screenshot by Ed Bott/ZDNET

With those tasks out of the way, you can import your existing passwords and add new ones. More importantly, you now have a device that you can use to set up access to the password vault on other devices, with no master password required.

Setting up additional devices

Most modern password managers store the encrypted password database in the cloud so that you can sync and share credentials across devices. Dashlane and 1Password take very different approaches to the task of configuring additional devices.

After setting up my passwordless Dashlane account on an Android device, I found it easy to set up other devices, including an iPhone and iPad, a MacBook Air, and multiple PCs running Windows 10 and Windows 11. Here’s how it works.

On a mobile device, install the Dashlane app; on a PC or Mac, install the Dashlane browser extension. Then start the sign-in process by entering the email address you use for the account. On the device that’s already signed in, go to Settings > Add New Device in the Dashlane app and confirm that yes, it’s you trying to sign in. 

On the new device, Dashlane displays a security challenge consisting of five random words, taken from the Electronic Frontier Foundation’s Large Wordlist for Passphrases; that same list appears on the device where you’re already signed in, with one box empty. Fill in the missing word, tap Confirm, and your new device is set up.

Dashlane requires you to pass this challenge by typing the missing word displayed on the other device 

Screenshot by Ed Bott/ZDNET
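The approval step described above, modelled as an added example. This is not Dashlane’s code: the word list below is a constructed stand-in for the EFF Large Wordlist, and the three-attempt limit and two-minute expiry are assumptions about how such a challenge would reasonably be bounded.

```python
# Added example: a model of the "fill in the missing word" device approval
# described above. It is not Dashlane's implementation; the word list is a
# constructed stand-in for the EFF Large Wordlist, and the attempt limit and
# time-to-live are assumptions.
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample; the real EFF list has 7,776 words.
SAMPLE_WORDLIST = [
    "abacus", "barrel", "canary", "dolphin", "eclipse", "falcon", "glacier",
    "harvest", "igloo", "jasmine", "kayak", "lantern", "meadow", "nectar",
]


@dataclass
class PendingDevice:
    """Server-side state for one new device waiting to be approved."""
    email: str
    words: list            # the full challenge, shown only on the new device
    missing_index: int     # which word the trusted device must fill in
    created: float
    attempts_left: int = 3
    approved: bool = False

    def prompt_for_new_device(self) -> list:
        return list(self.words)

    def prompt_for_trusted_device(self) -> list:
        # The trusted device never sees the missing word; the user must read it
        # off the new device's screen, which proves they are looking at both.
        return ["____" if i == self.missing_index else w for i, w in enumerate(self.words)]


def start_challenge(email: str, wordlist=SAMPLE_WORDLIST, n_words: int = 5) -> PendingDevice:
    """Called when a new device submits the account e-mail address."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return PendingDevice(email, words, secrets.randbelow(n_words), time.time())


def confirm_on_trusted_device(pending: PendingDevice, typed_word: str,
                              ttl_seconds: int = 120, now: float = None) -> bool:
    """Approve the new device only if the word typed on the trusted device matches."""
    now = time.time() if now is None else now
    if pending.approved or pending.attempts_left <= 0 or now - pending.created > ttl_seconds:
        return False
    pending.attempts_left -= 1
    expected = pending.words[pending.missing_index].encode()
    if hmac.compare_digest(expected, typed_word.strip().lower().encode()):
        pending.approved = True
    return pending.approved
```

The property this buys: a sign-in that an attacker starts from their own machine does produce a prompt on the victim’s trusted device, but the victim cannot approve it without reading the missing word from a screen they cannot see. The attempt cap keeps guessing from the word list (one chance in 7,776 per try with the real list) from being a practical shortcut, and the expiry means a stale prompt cannot be approved later.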

I wish I could say the process was equally simple using 1Password’s beta, but it most emphatically is not, at least not in my cross-platform world. 1Password uses passkeys to enable passwordless logins, which means you need a way to share passkeys among devices. 

If you have Apple’s iCloud Keychain enabled, it’s pretty easy to do that on Macs, iPhones, and iPads, but Windows PCs and Android devices present a problem. 1Password’s documentation, in fact, notes that you need Windows 11 22H2 or later (sorry, Windows 10), and that “[e]ven on supported versions of Android, some devices may not support saving a passkey for a 1Password account.”

I had no problem using a QR code to set up my iPhone, but when I tried to set up the 1Password extension on Microsoft Edge for the Mac, it took me easily a half-dozen tries to get things working. First I had to explain to 1Password that there was no passkey on my Samsung phone, after which it popped up a QR code I scanned with my iPhone to enable a passkey prompt from the Keychain. Then I had to approve a pop-up confirming it really was me. 1Password then showed me a code that I was supposed to enter in a dialog box on a browser window that was hidden behind some other windows.

But setting up a passwordless account on Windows or Android added a whole new level of frustration. This was the default error message when I tried to sign in on a Windows 11 PC.

Windows doesn’t offer a way to share passkeys, making 1Password harder to set up

Screenshot by Ed Bott/ZDNET

I might have been able to use the Google Chrome Password Manager to share my passkey, but does it really make sense to use someone else’s password manager to enable a 1Password feature? 

It turned out that the best way to activate my passwordless account was to save a passkey in 1Password using my current account on the Samsung device I started with, then attach that account to 1Password on the new device using its master password and secret key, and (finally!) add the new account there. Because 1Password supports attaching multiple accounts to a single device, this works, but it’s extremely kludgey, and it helps explain why this app isn’t close to being release-worthy yet.

The dealbreaker for me, though, came when I tried to export my passwords from the new passwordless account. 1Password’s beta app insists that you type a master password (which doesn’t exist for this account, of course) before it will begin an export. A tech support rep confirmed that this feature is missing in the current beta.

Given those beta headaches, I decided to delete my passwordless 1Password account and try again in a few months. But Dashlane was impressive enough to make me seriously consider switching.

What’s the risk?

When you have a passwordless account, the only way to access your passwords is to establish your identity with the help of a trusted device where you’ve already confirmed your credentials with the password management servers.

So, what happens if you can’t access any of those trusted devices? You’re locked out, probably for good. The whole point of a zero-knowledge credential manager is that the vendor holds only the encrypted vault and never the key, so you and only you can unlock it; nobody at the company can reset access for you. Without a master password, you don’t have a fallback method to restore access to your encrypted vault.

Both Dashlane and 1Password offer an alternative in the form of a recovery key. That’s a randomly generated alphanumeric code (Dashlane’s key is 28 characters long; 1Password uses a 56-character recovery key) that you print out and store in a safe place. If you’re ever in a situation where you don’t have a PC or mobile device that’s signed in to your account, you can break the glass and use that recovery key as a last resort. Because you never type it under normal circumstances, it isn’t exposed to phishing pages, keyloggers, and similar tools; the risk shifts instead to physical custody of the printout, which anyone who finds it can use.
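To make the recovery-key role concrete, here is an added example of how a printed key can wrap a vault key so that “break the glass” recovery works with no master password in the picture. This is a generic design, not Dashlane’s or 1Password’s actual scheme: the alphabet, the 4-character grouping, the scrypt parameters, and the encrypt-then-MAC wrap construction are all assumptions chosen for a stdlib-only demonstration.

```python
# Added example: how a printed recovery key can wrap the vault key so that
# "break the glass" recovery works without a master password. This is a
# generic design, not Dashlane's or 1Password's actual scheme; the alphabet,
# grouping, KDF parameters and wrap construction are assumptions.
import hashlib
import hmac
import math
import secrets
import string
from typing import Optional

# Assumed alphabet: the article only says "alphanumeric". Uppercase plus
# digits keeps the printed key easy to transcribe.
ALPHABET = string.ascii_uppercase + string.digits


def generate_recovery_key(length: int, group: int = 4) -> str:
    """Random alphanumeric key (28 chars for Dashlane, 56 for 1Password), grouped for printing."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return "-".join(raw[i:i + group] for i in range(0, length, group))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guessing resistance of a uniformly random key of this length."""
    return length * math.log2(len(alphabet))


def _kek(recovery_key: str, salt: bytes) -> bytes:
    """Derive a 64-byte key-encryption key; hyphens, spaces and case are ignored so transcription is forgiving."""
    normalized = recovery_key.replace("-", "").replace(" ", "").upper().encode()
    return hashlib.scrypt(normalized, salt=salt, n=2 ** 14, r=8, p=1, dklen=64)


def wrap_vault_key(vault_key: bytes, recovery_key: str) -> dict:
    """Encrypt-then-MAC the 32-byte vault key under the recovery key; the result is all the server stores."""
    if len(vault_key) != 32:
        raise ValueError("vault key must be 32 bytes")
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    kek = _kek(recovery_key, salt)
    enc_key, mac_key = kek[:32], kek[32:]
    # One-time keystream from a PRF: acceptable here because the nonce is fresh and
    # the plaintext is exactly one 32-byte block. Production code would use AES-GCM or AES-KW.
    keystream = hmac.new(enc_key, nonce, hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(vault_key, keystream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def unwrap_vault_key(blob: dict, recovery_key: str) -> Optional[bytes]:
    """Recover the vault key, or None if the recovery key is wrong or the blob was tampered with."""
    kek = _kek(recovery_key, blob["salt"])
    enc_key, mac_key = kek[:32], kek[32:]
    expected_tag = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None
    keystream = hmac.new(enc_key, blob["nonce"], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], keystream))
```

Two things worth noticing. With a 36-character alphabet, a 28-character key carries about 145 bits of entropy and a 56-character key about 290, so neither is brute-forceable even though the server holds the wrapped blob; that is why the key can be printed rather than memorised. And because the service stores only `salt`, `nonce`, `ciphertext` and `tag`, a breach of that storage yields nothing without the printout, which is the zero-knowledge property the article relies on.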

Should you switch to a passwordless account?

There’s no question that passwordless accounts represent the future, but not the present. At this point, only one company, Dashlane, is offering the feature on a shipping product, and then only for new personal accounts. If you’re happy with your current password manager, it’s not time to think about switching yet.

I was impressed enough by Dashlane that I’m going to use my new passwordless account for a few months and see if it’s a worthy replacement for 1Password. I’ll keep you posted.
