4 Must-Know Authenticate 2024 Insights from a Dashlane Passkey Expert
Passkeys are a more secure, convenient way to access websites and apps than passwords, and they’re phishing-resistant by design. We were the first password manager to support passkeys back in 2022, and we remain enthusiastic about ensuring our customers can benefit from the latest and greatest developments in credential security.
This is why Dashlane attended the Authenticate 2024 Conference, held October 14–16 in Carlsbad, California, and dedicated to user authentication with a focus on passkeys.
In addition to co-sponsoring the conference’s Passwordless Party alongside Google, Dashlane sent representatives from the Product, Design, Engineering, Marketing, and Sales teams. As a Lead Product Manager, I had the opportunity to speak during one session, as did my colleague Rew Islam, Director of Product Innovation. In addition, Nuno Silva, Lead Product Designer, participated in a panel discussion of the FIDO Alliance Member Plenary held after the conference.
So much was covered in just three days, so I’ve compiled the top Authenticate 2024 takeaways from my colleagues and me about the present and future of user authentication.
#1: Passkey adoption is growing but not there yet
We’ve progressed in our collective passkey quest, but there’s still a long way to go in terms of increasing adoption, reducing phishing risk, and transforming the login landscape.
- Synced passkeys were announced in June 2022. Synced passkeys can be used to access services from any device, in contrast to device-bound passkeys that grant access from a specific physical device, such as a hardware key. (Dashlane saves and autofills synced passkeys that you can use to log in from any desktop or mobile device.)
- Passkey adoption has grown. Keynote talks reported 1 billion people enrolling in and using passkeys around the world. Multiple conference participants spoke about observed benefits of passkey usage, such as reduced login time, fewer account lockouts, and lower operational costs (due to removing the need for SMS OTP services, for example, which also create phishing risk).
- Despite these encouraging numbers, the overwhelming consensus is that we’re still early on in the passkey adoption journey. This was expressed not only in multiple conference sessions but also in casual conversations with conference participants. Sure, we have 1 billion people using at least one passkey, but the majority of their logins likely still involve a password.
Dashlane was the first password manager to support passkeys on the web, Android, and iOS. Look back on our journey.
#2: Users are more likely to adopt passkeys when nudged
The development of secure authentication standards and implementation of passkeys on your service is not enough. Changing user behavior at scale is necessary to truly remove phishing risk and reap the promised benefits of passkeys, and nudges are a potential pathway to achieving this behavior change.
- Passkey adoption could be improved by developments that further remove the burden on individual users to change their credential security habits, such as auto-generating passkeys on supported websites and apps (and saving them automatically to your Dashlane vault—coming soon!)
- Nudges were everywhere at Authenticate! The concept of gently prompting users to improve login habits was mentioned in talks from representatives of Google, Microsoft, Amazon, and many others.
- Relying parties (websites and apps that support passkey login) mentioned improved passkey adoption when they implemented proactive passkey registration flows in context. One example is hiding the option to create a password and keeping “create a passkey” as the default option at account registration. Nudges were highlighted as a way to prompt users to switch to more convenient (and secure) sign-ins in context.
- Conference speakers reported that there was no such thing as too many nudges. Their users were eager to enroll in and start using a more convenient and secure sign-in method. Some great passkey nudge opportunities found in user research include: during account recovery or password reset; while registering a new account; and even when logging in with an existing account using a password.
Dashlane helps organizations nudge their way to higher Password Health scores. Learn how.
#3: The industry is eager to embrace Credential Exchange Protocol (CXP)
Credential Exchange Protocol ensures secure data transfer and offers the flexibility to accommodate various use cases beyond bulk movement of vault items.
- The specifications are still working drafts, but we expect more mature versions to be available in Q1 2025.
- The Credential Exchange standards have been developed by several companies within the FIDO Alliance, including Dashlane. This level of cross-company collaboration is a clear sign of how the industry at large is prioritizing user choice and data portability.
- We’ve made great progress despite the challenges typically encountered with standards development.
We’re working within the FIDO Alliance to create CXP and another public standard, Credential Exchange Format. Learn more about both.
#4: Account recovery continues to stump organizations and aspiring relying parties
Account recovery continues to present a challenge to passkey players. This is true not only for websites and apps looking to replace passwords with passkeys for their users but also for organizations trying to help their employees go passwordless with internal passkey rollouts.
- FIDO is well-placed to explore phishing-resistant recovery solutions in the future.
- A secure and user-friendly account recovery flow is a prerequisite to going truly passwordless. Passkeys are phishing-resistant by design, so switching from passwords to passkeys creates fewer openings for cyberattackers. The account recovery flow then becomes the “lowest-hanging fruit” for cyberattackers trying to gain access to an account.
- Some passkey stories shared at the conference are only partial successes. Passkeys are meant to replace passwords, but some organizations that rolled out passkeys still offer passwords for every account and will not remove them until acceptable recovery options are available.
Dashlane has a secure and user-friendly account recovery solution. Learn all about the Account Recovery Key.
Another insightful Authenticate Conference has come and gone, but the work of improving user authentication security and convenience continues every day. As passkeys grow in popularity and technology evolves, my fellow Dashlane experts and I remain focused on the task at hand: optimizing user authentication for all.