Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

Passkey Adoption Has Increased By 400 Percent In 2024 (theverge.com) 21

According to new report, password manager Dashlane has seen a 400 percent increase in passkey authentications since the beginning of the year, "with 1 in 5 active Dashlane users now having at least one passkey in their Dashlane vault," reports The Verge. From the report: Over 100 sites now offer passkey support, though Dashlane says the top 20 most popular apps account for 52 percent of passkey authentications. When split into industry sectors, e-commerce (which includes eBay, Amazon, and Target) made up the largest share of passkey authentications at 42 percent. So-called "sticky apps" -- meaning those used on a frequent basis, such as social media, e-commerce, and finance or payment sites -- saw the fastest passkey adoption between April and June of this year.

Other domains show surprising growth, though -- while Roblox is the only gaming category entry within the top 20 apps, its passkey adoption is outperforming giant platforms like Facebook, X, and Adobe, for example. Dashlane's report also found that passkey usage increased successful sign-ins by 70 percent compared to traditional passwords.

This discussion has been archived. No new comments can be posted.

Passkey Adoption Has Increased By 400 Percent In 2024

Comments Filter:
  • by 93 Escort Wagon ( 326346 ) on Tuesday July 30, 2024 @07:50PM (#64668488)

    Amazon.com just started trying to push a passkey on me, I noticed earlier today - but I'd just as soon stick with 2-factor authentication, at least for now. I feel more like I'm in control of the process that way.

    But I must admit, on my phone, to letting Bitwarden unlock with FaceID - so apparently I'm not being consistent.

    Maybe it's just resistance to change. But the way it presents itself kind of irks me... it feels like they're saying "don't worry your little head about this, we'll set it up and manage it". I mean, if my terminal app told me it was going to generate ssh keys and handle the private keys for me without my involvement at all, that would bug me too.

    • I think as password managers allow Passkeys to be exported to disk as a backup, my apprehension for them as the only way in will be less, but I find that having a Google Authenticator token is a solid fallback standard, just because a shared secret works and works well.

      Ideally, I like having a TOTP key for fallback, as shared secrets in BitWarden can be exported. Then, for the primary keys, a YubiKey and a PassKey. This way, there are multiple ways in, and if I don't have the YubiKey with me, I can always

    • by codebase7 ( 9682010 ) on Wednesday July 31, 2024 @04:03AM (#64668984)

      Maybe it's just resistance to change. But the way it presents itself kind of irks me...

      It should.

      Remember, passkeys are fair game for warrants as they are stored on the device and not in your head. Depending on your jurisdiction, that fact alone means they can also demand (via a warrant) that you unlock the device to get access to them. If you are unlucky enough to live in one of these places, expect judges for those warrants to be on stand by if passkeys become widespread enough.

      One device to rule them all, and in evidence bind them. It's the greatest legal fishing expedition various law enforcement types could have asked for.

      • by skegg ( 666571 )

        I'm with OP:
        there's *something* about passkeys -- that I can't quite put my finger on -- that's holding me from adopting any. It could just be in my head.

        Regarding your comment about being forced to unlock:
        how / why would that be any different to being forced to unlock a password manager?

        • how / why would that be any different to being forced to unlock a password manager?

          Some US jurisdictions have declared passwords to be products of the mind and therefore protected by the fifth amendment. (I.e. The government cannot compel the production of a password in those jurisdictions.) But there are some exceptions for passwords that have been written down. In that case, because the password is on a physical object, the production of that object CAN be compelled by the government. In addition to whatever means is needed to gain access to the written down password. (I.e. You cannot

          • TL;DR: Passwords stored in one's mind, and only stored in the mind, are more protected from governmental overreach than any physical object.

            Which in turn would imply (to me at least) that, if you're using a password manager to store your passwords, you should protect it with a strong password that's only stored in your head - NOT a passkey that's managed by your computer/device.

      • by AmiMoJo ( 196126 )

        Use Firefox, then you can set a master password that must be entered before Passkeys can be accessed.

        Passkeys are stored encrypted in Chrome too, the issue is that it uses your OS login password to protect access to them. I.e. they are encrypted on disk, but once you log in to your OS no further authentication is required.

        On Android Chrome does use biometric authentication for Passkeys.

        In practical terms this should not be an issue if your security is half decent. Your OS drive should be encrypted (default

  • ... if it could be easier and more consistent to use on Android (logging in via an app or through Chrome), especially with a 3rd party password manager (not Google). Hopefully iOS is more straightforward, but Android seems like a mess here now. And from what I was reading, it may also vary by OEM. Supposedly OnePlus devices (like my Open) may not support passkeys saved to 3rd party apps yet at all.

  • 400% Hmmm ... (Score:5, Insightful)

    by ve3oat ( 884827 ) on Tuesday July 30, 2024 @09:39PM (#64668624) Homepage
    Whenever I see percentages quoted that are much over one hundred percent, I wonder how they were calculated. A 400% increase means that the "after" value is 5 times the "before" value. So, for every one hundred original users, there are now five hundred users. That is quite an increase in usage. Unfortunately, the original article does not give any actual figures, just these wonderful percentages. One could be forgiven for suspecting that the article is just a lot of advertising hype.
    • Whenever I see percentages quoted that are much over one hundred percent, I wonder how they were calculated. A 400% increase means that the "after" value is 5 times the "before" value. So, for every one hundred original users, there are now five hundred users. That is quite an increase in usage. Unfortunately, the original article does not give any actual figures, just these wonderful percentages. One could be forgiven for suspecting that the article is just a lot of advertising hype.

      When you see large increases, it almost always means the starting number was extremely small. And it was, as iOS 17, and Android 14, which were released late 2023, were really the first implementations that made things (mostly) just work on mobile devices (and macOS 14 also added the necessary support; Windows had it a bit earlier, but without the integrated mobile device support, it was not widely used by consumers (slashdotters may use 3rd party password managers, but the majority of consumers do not)).

    • by AmiMoJo ( 196126 )

      4x or 5x as many users, it's still a lot. It's probably because a few popular websites have added Passkey support, like eBay and Google/YouTube.

      It's good news, Passkeys are a big step up from passwords.

      • 4x or 5x as many users, it's still a lot.

        You're missing the point. It's not necessarily "a lot" by the metric of absolute users. If there were a dozen people using passkeys and now there are sixty, that's a 400% increase. But it's also "effectively nobody is using these".

        Nobody - myself included - is saying it's that low. But it's telling that the actual numbers aren't quoted, just the fantastic "400%" figure. Why? Because that's the impressive number, not the absolute number.

        • by AmiMoJo ( 196126 )

          TFA mentions that Google says Passkeys were used by over 400 million users, back in May. So whatever the actual number is, it's more than 400 million.

          It's probably impossible to give an accurate absolute figure, because the data is spread over many different websites that use Passkeys, and browser vendors are not collecting it.

      • Percentages by themselves are useless as are raw numbers.

        Let's say you're making 500,000,000 widgets a year and have a defect rate of 2%. That means you are either trashing, reworking, or selling at a discount 1,0000,000 widgets a year.

        On the flip side, let's say you are making 100 widgets a year and increase your production to 500. That's a 400% increase.

        Without both sets of numbers you can't draw any conclusions about what the changes in numbers mean. It does get more complicated depending on what is

    • by reanjr ( 588767 )

      This sounds like a very reasonable number to me. In the last year, I've encountered at least one site that now requires Passkey, which never even offered it before, and at least a few others who are now offering it when they did not before. While people reading tech news may have known about FIDO, it really seemed to start hitting mainstream over the last year, with the crystallization of some APIs and some support from big players.

  • ....then it's time for something different. I like passkeys. It's basically the "generate a strong password" thing but implemented better.
  • by TheNameOfNick ( 7286618 ) on Tuesday July 30, 2024 @11:18PM (#64668716)

    400% just means adoption is really low. You don't get those numbers with something that is actually being used widely.

    • by AmiMoJo ( 196126 )

      TFA says that Google alone has 400 million accounts using it. It also mentions Amazon as a big adopter.

  • Just what we've been waiting for. Yet another way to log in which is not universal yet still requires proprietary authenticator apps to set up or validate.

    • by Anonymous Coward
      Apparently "passkey" is just a fancy name for WebAuth/FIDO2.

      Yeah, I didn't get what it meant until now either, the term has always been used in such an ambiguous manner. "Like passwords, but better! Something something mobile!"

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...