Will passkeys kill password managers?
As we march towards a passwordless future, an important question arises: What becomes of password managers? In this article we probe the relationship between password managers and the emerging technology of passkeys. This exploration takes us through the rationale behind integrating passkeys into password managers, the synergies within this combination and some actual plans of leading passkey managers.
1. Technology in transition: From passwords to passkeys
With the emergence of passwords, the need for password managers became evident. Subsequently, new authentication methods were introduced to enhance security and convenience, such as two-factor authentication (2FA), social login, email magic links or one-time passwords (OTP).
Now, with the advent of passkeys, authentication is progressing further. But as the digital landscape boldly strides towards a passwordless future, the role of password managers comes into question. How do they fit into this paradigm shift? Let's delve into the relationship between password managers and passkeys and explore how they're shaping the future of digital security.
2. Unpacking the basics: The difference between password managers and passkeys
Password managers are secure digital lockboxes designed to store and manage your online credentials. Acting as a personal security assistant, they auto-fill login details, manage unique passwords for all your accounts, and eliminate the need for you to come up with and remember any passwords.
Meanwhile, passkeys represent a revolution in user authentication, offering secure authentication via simple biometric methods like fingerprints or facial recognition. With passkeys, forgetting your password is a problem of the past; you can't misplace your fingerprints or forget your face! Moreover, all password-related attacks, like phishing or credential stuffing, can be prevented due to passkeys’ underlying architecture.
3. Tech fusion: Why password managers are integrating passkeys
Now, while password managers and passkeys might seem like strange bedfellows at first, many password managers have plans to integrate passkeys into their products. In this integration, the password manager takes over the private key management of a passkey. Instead of being stored in the Trusted Platform Module (TPM) or Secure Enclave of a device, the private key is stored in the password manager. Consequently, passkey synchronization via a device’s cloud account, e.g. via Google Password Manager or Apple iCloud Keychain, doesn’t necessarily take place. Instead, the passkeys are synced via the password manager’s synchronization feature.
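How a relying party can observe this storage choice, as an added example that is not part of the original article: WebAuthn authenticator data carries backup flags (BE/BS) that show whether a passkey is device-bound or synced, and at registration an AAGUID that identifies the authenticator model or passkey provider. The function names are assumptions made for this example, and the sample bytes are constructed rather than captured.

```python
import hashlib
import struct

# WebAuthn authenticator data flag bits
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric or PIN)
FLAG_BE = 0x08  # backup eligible: the credential is allowed to be synced
FLAG_BS = 0x10  # backup state: the credential is currently backed up
FLAG_AT = 0x40  # attested credential data (starting with the AAGUID) follows


def parse_authenticator_data(auth_data: bytes, expected_rp_id: str) -> dict:
    """Parse the 37-byte header (rpIdHash, flags, signCount) and classify storage."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    # The credential is scoped to one RP ID; a mismatch means it was not made for us.
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    backup_eligible = bool(flags & FLAG_BE)
    backed_up = bool(flags & FLAG_BS)
    if backed_up and not backup_eligible:
        # WebAuthn requires BS to be clear whenever BE is clear.
        raise ValueError("invalid flags: BS set without BE")
    aaguid = None
    if flags & FLAG_AT:  # only present in registration responses
        if len(auth_data) < 53:
            raise ValueError("AT flag set but AAGUID is truncated")
        aaguid = auth_data[37:53].hex()
    if backed_up:
        storage = "synced"
    elif backup_eligible:
        storage = "sync-capable"
    else:
        storage = "device-bound"
    return {
        "user_verified": bool(flags & FLAG_UV),
        "storage": storage,
        "sign_count": sign_count,
        "aaguid": aaguid,
    }


def build_sample(rp_id: str, flags: int, sign_count: int = 0, aaguid: bytes = b"") -> bytes:
    """Construct sample authenticator data for the demo (not real traffic)."""
    header = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)
    return header + aaguid
```

A relying party that needs device-bound credentials for some accounts can apply policy to the `storage` value, and can compare the AAGUID against its own list of accepted providers.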
But why are password managers even taking this step, which requires major engineering effort and breaks with a lot of common concepts? The following compelling reasons give you a better understanding:
Embracing the inevitable:
Passkeys are rapidly becoming the successor to traditional passwords. They offer a seamless user experience, reduce password resets, enhance productivity, and provide improved security.
According to recent statistics, a passkey login takes approximately 15 seconds, which is around twice as fast as a password login, which typically takes about 30 seconds. In Google's blog article "The beginning of the end of the password," they introduce passkeys as "the easiest and most secure way to sign into apps and websites" and a significant step towards a "passwordless future." To remain relevant and effective in the advancing landscape of digital security, password managers simply have to integrate passkeys into their offerings.
The leap from a world reliant on passwords to a passwordless one won't happen overnight. There will be an intermediary period during which both forms of authentication will coexist. Password managers are bridging this gap by offering passkey support alongside support for other authentication methods.
Reimagining master passwords:
In addition to simply supporting the transition towards passkeys, some password managers are also exploring the use of passkeys as a replacement for their master password. This approach not only aligns with the passwordless trend but also amplifies the security of the password manager itself.
4. A surprising symbiosis: Passkey providers and password managers
But to ensure a smooth transition, password managers and passkey providers – companies that integrate and manage passkeys on the server side – will need to operate in harmony. Let's see why that is and how this synergy takes shape:
Password managers handle the client-side operations. They provide secure storage and efficient management of credentials to make users’ login process effortless. However, every user has to choose, set up and sync the password manager on their own responsibility. As the overall password manager adoption, especially among non-technical people, is still quite low (hardly more than a third), it’s evident that website and app providers cannot rely solely on password managers.
Meanwhile, passkey providers handle the server-side implementation, relieving app and website hosts from the tedious task of self-integration. By working together, these two entities can create a seamless and user-friendly experience while ensuring a strong security framework.
Novelty of passkeys:
Despite the advantages of passkeys, they are quite a new concept, and many websites and apps are still in the passkey implementation phase. In this stage, in which passwords still exist next to passkeys, password managers continue to play an essential role in maintaining digital security and make the use of passwords more convenient.
Versatility of login methods:
There is currently an array of login methods such as email magic links, OTPs, or social logins. Password managers are capable of managing not only passwords and passkeys, but many of these login methods in a single source of truth.
Not all users have the necessary devices or password managers with passkey capabilities yet. Password managers enable those users with non-passkey-ready devices to fill this void by providing efficient login management for non-passkey login options as well.
Compared to passwords, passkeys currently pose a challenge in terms of shareability, particularly for companies where multiple individuals need access to the same account. However, password managers are actively striving to address this limitation and develop solutions eliminating this downside of passkeys by offering to sync passkeys across devices and platforms. That means you are not bound to an ecosystem’s syncing via Google Password Manager or Apple iCloud Keychain anymore.
5. Progress snapshot: Password managers' evolution towards passkeys
After understanding the synergy between password managers and passkeys, let's now examine how exactly some of the key players in the password management domain are responding to the passkey revolution.
5.1 LastPass
Headquarters: Boston, US
CEO: Karim Toubba
Users: 33m users and 100k businesses worldwide
Founding year: 2008
• For individuals: Free to € 3.90 monthly. (Free for unlimited passwords and devices of one individual.)
• For business: Free € 3.90 to € 5.70 monthly.
• All plans include passwordless login.
Funding: Total of $ 30m
• Last funding: Nov 15, 2018
• Investors: Post-IPO equity
• Funding stage: PE investment (before: Series C)
Passkeys: LastPass is adapting to the era of passwordless security by incorporating passkeys as a substitute for master passwords. This strategy is not only innovative but also enhances the user experience by making it smoother and more intuitive. This feature is already live and available for use. Additionally, LastPass plans to introduce other FIDO2 compliant elements along with authentication mechanisms that support biometric face and fingerprint authentication later this year.
5.2 Bitwarden
Headquarters: Santa Barbara, US
CEO: Michael Crandell
Users: 17m users worldwide
Founding year: 2016
• For individuals: Free to € 3.33 monthly (Free for unlimited passwords and devices. Excludes only premium features.)
• For businesses: Free € 3.00 to € 5.00 monthly. (Free for unlimited accounts, passwords and devices. Excludes only premium features.)
Funding: Total of $ 100m
• Last funding: Sep 6, 2022
• Investors: PE
• Funding stage: PE investment
Passkeys: One goal of Bitwarden is to integrate passkeys and passwordless authentication into existing applications. The acquisition of the open-source passkey provider passwordless.dev is a strategic move to elevate their offerings in the passwordless space. Along with the acquisition, Bitwarden announced a passwordless.dev beta program for which enterprises and developers can sign up. But while they're actively working on passkey support, the integration of passwordless.dev into their core password manager isn't on their immediate agenda.
5.3 Keeper Security
(Edit: June 20th, 2023)
CEO: Darren Guccione
Users: >1m users worldwide
Founding year: 2009
• For individuals: Free to € 3.47 to € 7.44 monthly (€ 3.47 for unlimited passwords and devices. Excludes only premium features.)
• For businesses: Free € 2.00 to custom monthly (€ 2.00 for up to 10 individuals.)
Funding: Total of $ 60.3m
• Last funding: May 9, 2023
• Investors: PE
• Funding stage: PE investment
Passkeys: Keeper Security recently rolled out passkey storage capabilities, similar to how they currently manage passwords. This will expand the password manager's capacity to handle a newer form of secure data. As of their statement on June 5th, Keeper Security now supports the use of passkeys in browser extensions for Chrome, Firefox, Edge, Brave and Safari. Along with their announcement, they published detailed documentation about passkey technology and how to use passkeys in their tool. In addition to that, they compiled a list of websites that support passkey login, which will be updated regularly.
5.4 Dashlane
Headquarters: New York, US
CEO: John Bennett
Users: >18m users and 20k businesses worldwide
Founding year: 2009
• For individuals: Free to € 2.75 monthly (Free only for one device.)
• For businesses: Free € 2.00 to € 5.00 monthly (€ 2.00 for up to 10 individuals)
Funding: Total of $ 210.9m
• Last funding: May 30, 2019
• Investors: FirstMark and Bessemer Venture Partners
• Funding stage: Series D
Passkeys: Dashlane is adopting passkeys by creating a dual 'key' system to secure user connections. To navigate the transition to passkeys, they use conditional UI. Currently, Dashlane’s extension supports passkeys on Chrome, Firefox, and other Chromium-based browsers, enhancing the safety and convenience of browser logins. Dashlane aims to take this feature to mobile apps, extending multi-platform security. See also our Dashlane passkeys analysis.
5.5 1Password
Headquarters: Toronto, CA
CEO: Jeff Shine
Users: 15m users and 100k businesses worldwide
Founding year: 2005
• For individuals: € 2.99 to € 4.99 monthly (Free for unlimited passwords and devices of one individual.)
• For businesses: € 7.99 monthly
Funding: Total of $ 920.1m
• Last funding: Jan 19, 2022
• Investors: McConaughey and Lightspeed Venture Partners
• Funding stage: Series C
Passkeys: 1Password's roadmap is ambitious. They're planning to generate passkeys, support multiple devices and platforms, enable cross-platform synchronization, facilitate passkey sharing, and ensure data portability. They've acquired Passage to assist in this major shift. These features are currently under development and are set to launch in 2023. See also our 1Password passkeys analysis.
5.6 NordPass (Nord Security)
Headquarters: Vilnius, Lithuania
CEO: Tom Okman
Users: 14m users worldwide
Founding year: 2019
• For individuals: Free to € 1.69 monthly (Free for unlimited accounts, passwords and devices. Excludes only premium features.)
• For business: Free € 3.59 to custom monthly (€ 3.59 for up to 250 accounts)
Funding: Total of € 100m
• Last funding: Apr 6, 2022
• Investors: Illusian Family Office and Matt Mullenweg
• Funding stage: Series unknown
Passkeys: NordPass is formulating a strategy to store passkeys, intending to maintain a high security and convenience standard for users, regardless of their chosen authentication methods. They announced the integration of passwordless multi-factor authentication. Next to that, NordPass plans to integrate passkeys as the substitute for their master password.
6. The future blueprint: password managers in a passwordless landscape
To conclude, even in a passwordless future, password managers will maintain a key role (at least for the hybrid time being). Their capacity to integrate passkeys enables them to adapt to the evolving digital security landscape. This adaptability will provide users with a more streamlined and secure online experience.
By managing both traditional passwords (during the hybrid time) and passkeys, they link the past and the future of online authentication methods. Moreover, by replacing the master password with passkeys, password managers not only follow the industry trend towards passwordless authentication but also increase their own security.
Status of the analysis is May 2023. Passkey features are subject to change by companies on an ongoing basis. If functions change in the future, we will update the article accordingly.