One in five users has at least one passkey stored, but a security consultant issues a reality check, saying in a sense ‘they are still passwords.’

The adoption of passkeys, a passwordless technology for authenticating user access to cloud-hosted applications, is continuing its upward trend, findings released this week from password manager maker Dashlane reveal.

While passkey use overall is still nascent compared to passwords, the company said, in a report outlining the top 20 fastest-growing sites driving adoption, “growth continues to accelerate. Passkey authentications with Dashlane have grown to 200,000 per month, a more than 400% increase since the beginning of the year.”

The company, which added support for passkeys to its product two years ago, said that among the top sites driving passkey adoption during the three-month period between April and the end of June of this year, Amazon led the pack with 88.9% growth over the previous quarter. Others on the list included Target (70.5% growth), GitHub (33.5%), PingOne (31.7%), and Google (28.6%).

In other recent developments, in June AWS announced it has added support for FIDO2 passkeys, an authentication method under the Fast Identity Online (FIDO) framework, for multifactor authentication — and will soon make MFA mandatory for signing in to AWS accounts.

And last May, Google said that it had begun rolling out support for passkeys across Google Accounts on all major platforms, adding a new sign-in option that can be used alongside passwords and two-step verification.

Carlos Rivera, principal advisory director at Info-Tech Research Group, said in an email that, when it comes to passkeys, “many SMBs are looking to credential vault providers like Dashlane that support FIDO2 passkey synchronization and can be restricted to SSO logins.
With the NIST SP 800-63B supplement released on syncable authenticators, I am seeing considerable interest from organizations in phishing-resistant MFA without the adoption barrier of needing to manage hardware tokens or Windows Hello endpoints.”

But there are downsides, said David Shipley, CEO of Beauceron Security, based in Fredericton, New Brunswick: “Passkeys balance convenience and security, but the challenge with (them) is they are still passwords, but they are passwords that only devices and services know. If you lose physical access to a device, or things like a YubiKey, that creates a whole new series of IT challenges for organizations.”

That is, he said, the biggest downside, in that there are “trade-offs between convenience and security, particularly if we are talking about remote or distributed workforces. One of the biggest challenges of what happened with the CrowdStrike issue was how do you restore all these devices at remote sites potentially where they require a hands-on keyboard to do it?”

According to Shipley, there is a “good use case for passkeys in highly valuable credentials. I am thinking about things like your IT administrators and others, who are also relatively savvy and knowledgeable. You are still going to want to have resiliency strategies related to the risk of the password reuse or passwords being captured by malware. But you are going to have a resiliency strategy for hardware failure, device failure, those types of things.”

The whole premise of passkeys, he added, is “over promised on certain elements of the security side. As Dr. Ian Malcolm said in Jurassic Park, ‘life finds a way,’ and so does malware.”

Shipley said that the high-tech industry in general has “this nasty habit of always looking for the next silver bullet. Instead, we need to be like my father. He had tools for the right kind of woodworking, the right kind of project.”

It is, he said, time to “stop looking for everything to be a hammer-and-nail combination.
It is not going to happen. That does not mean that we cannot use new technologies in smart ways. But there are also old approaches that work for good reason.”

Jay Bretzmann, an analyst at IDC who covers identity and access management, said, “passkeys are clearly more secure than passwords, but how bulletproof are they? Conversely, is it true they may still be vulnerable to adversary-in-the-middle attacks? Well, as Sean Connery once said, ‘Never say never,’ but for all intents and purposes, no.”

Passkeys, he said, “are built upon public/private key pair encryption. PKI is the same technology that protects data and networking (TLS) sessions. As always, Bruce Schneier has it right. One of the responses here echoes my sentiments: ‘Don’t let the perfect be the enemy of the good.’ Most things in IT and identity address current issues and may one day be superseded.”

Bretzmann’s advice to a CSO considering switching from passwords to passkeys is this: “Absolutely do it for all platforms and applications that support them. Two advantages over passwords: 1) key pairs are always unique to websites and applications; 2) a human does not have to generate and remember them.”