The move is in response to a spike in credential-based attacks.
This summer, users of the popular 1Password password manager will no longer need to remember the master password that service requires today. The company already promised to go this route, but has now also given a timeline.
The Toronto-based company has announced that it will instead ask customers to create and unlock an account using passkeys. These are complex and unique tokens generated on a biometrically secured device. They are considered especially secure because they only work in physical proximity to the computer hosting the login attempt.
Apple, Google, and Microsoft jointly announced support for this open authentication standard last May. Nonetheless, a password manager offering passkeys as a primary authentication system represents a significant advancement in the authentication segment.
Faster and more secure
Steve Won, Chief Product Officer at 1Password, announced the move in a blog post this week. “Passkeys are the modern alternative to passwords”, he assures us. “They’re easier to use, harder to steal or crack, and built on proven, open standards designed to make logging in to your favorite apps and services faster and more secure”.
Won goes on to describe the emerging need for more security: “credential-based attacks are only accelerating”, he writes. “In 2022, it was rare that a month went by without a high-profile social, identity, or security service being breached”.
The advantage of biometrics
In order for passkeys to work properly, Won explains, a user must replace ALL their passwords. This includes the “Master Password” that 1Password users must enter to unlock the service.
The new, biometrics-based passkey solution is a logical step for 1Password, Won says. Indeed, the company already uses biometrics since it became the first third-party iOS app to offer Touch ID. Since then, they’ve added support for Face ID, Windows Hello, Android Fingerprint, and more, he adds.
“Unlike user-created passwords, passkeys are strong and unique by default”, Won explains. “They’re generated and stored on your devices, and they’re never shared with our cloud service”.