I think that’s a good default, and it should also be possible to remove a password on an account with passkey login even if the account was started with a password.
Are there any ongoing implementations?
I am an IT professional, and I would love to see a Bitwarden account without the need to create a master password, especially for my friends and family, to make it as easy as possible.
I love the approach of Dashlane, they simply generate a recovery key to regain access to the account in case you lose any of your authenticated devices.
Bitwarden offers passwordless accounts for Business accounts leveraging SSO. The team is researching how we might bring a similar experience to personal and Families accounts.
I’d love to hear more about what you like about the Dashlane approach; specifically, what steps would you take to ensure you don’t lose access to your recovery key?
Thank you for sharing your perspective!
@dflinn @localhost127 … I’m not against the passwordless idea, so don’t get me wrong… but wouldn’t such a “recovery key” be another form of a “master password” (but maybe not chosen by me but by a generator)?
Both definitely are shared secrets.
OTOH, if you want to look more passwordless, you may have to implement the features so that a “master password” isn’t required, except for true recovery. As long as you think of it as a password, then you use it like a password, a means of everyday authentication, and can’t claim to be passwordless.
I note that Bitwarden’s “login with device” feature still requires a password on initial use, which is unintuitive for many users. So at least in this area, Dashlane manages an implementation that is “more passwordless”. Passkey doesn’t quite provide this functionality, because “login with device” still allows 2FA, whereas passkey’s “correct implementation” doesn’t, which some people don’t like.
To the question, “Are you ready to break up with your main password?”
No.
A passkey or login with device is to me an additional convenience I may wish to implement. Biometrics are properly restricted to unlocking things rather than logging in (i.e. not a singular entry point to critical data). I do not wish to carry additional hardware when I have an excellent pass phrase, I type skilfully, and I remember it by frequent re-use, rather than having to stash it in a safe and accessible place – even when travelling.
Change which may be superfluous to users should not be forced, which is not to deny the option. Thus, I largely concur with some points by @grb and @neuron5569 above.
@dflinn
I am looking for a true passwordless experience for personal accounts, not business-related. Therefore, the recovery key must be written down or printed out for sure.
Dashlane is warning the users:
@Nail1684 Yes, the recovery key is some sort of master password (generated). However, the main point here is that the user should not have to think about which master password to choose at all. I still have to teach my friends and family not to use easy master passwords, including names and birthdates…
For non-IT people, it is more convenient to not have to think about passwords at all.
So far, the “login with device” feature is insufficient. For example, I cannot log in to my browser extension using my phone.
In addition, it should be clear that a passwordless experience should be optional.
I agree with that. But, as was discussed above I think, security is one side - losing the account, not storing the master password (or recovery key then) is also a problem. If there was a generated recovery code, it would have to be made sure that it was recorded. But how to do that?
I think I understand what you want to say, but, maybe as I just wrote: “having” to store a recovery code is not the same as “to not have to think about passwords at all”…
The last few days I had some problems with the “login with device”… but I can log in to my browser extension using my phone. Why can’t you?
At the moment of course… In 50 years or so - I’m not sure.