Bitwarden may not yet offer passkey logins on every platform, as some of its competitors do, but the password manager is definitely in it for the long run. The company approaches the novel login method from a holistic perspective: it is looking into making passkeys easy for both its users and the websites that still need to implement them. To that end, the company purchased Passwordless (often written as passwordless.dev), which provides an API framework that allows developers to add passkey logins to their projects within hours.



We sat down with Passwordless founder and director Anders Åberg, who joined the Bitwarden team along with his company earlier this year. Before that, he had already been an open-source developer for a decade, with a background in engineering and coding, so he feels Bitwarden is a great fit for him thanks to the company’s focus on open source.



The interview has been condensed and edited for clarity.

Android Police: Hey Anders, what is passwordless.dev? Could you give us a quick summary about the company that has been part of Bitwarden for a while now?

Anders Åberg: Sure, so, a quick introduction about me: I’m the director of passwordless.dev at Bitwarden, with Bitwarden being traditionally a password manager that helps both enterprises and normal people keep their data and their secrets safe. Passwordless.dev is now also one of the products that they offer.

My background is in engineering and coding. By now, I’ve spent more than a decade writing and building things on the internet. Some of those things have been related to what is now referred to as passkeys. Before joining Bitwarden I was an open-source software developer. So, joining Bitwarden and building things for a company that’s very pro open source made a lot of sense and was a good culture fit for me.


Passwordless.dev is an API service that allows developers to build passkey support into their apps. If you’re a web developer that wants to add passkeys and help your users sign in securely, faster, and easier, so that they don’t forget their passwords, then passwordless.dev enables you to add that to your app in minutes instead of weeks or months spent researching and building.

How exactly can you achieve this for developers? It seems like a complicated and delicate thing to change the way people can log in. I’m curious to learn how it works, in layman’s terms.

Absolutely! Passwordless.dev is an API that serves developers and enables them to use passkeys. And passkeys is an open web standard that is defined by the W3C, which is a leading organization that basically decides how the internet works, how browsers render websites. So passkeys are designed and kind of owned by the W3C and an organization called the FIDO Alliance.



And the FIDO Alliance is just what it says; an alliance between many tech companies, many of them being leading, such as Google, Microsoft, and Apple. Those are all part of the FIDO Alliance and are all on board on making passkeys work.

I can also give a quick introduction on what a passkey is. A passkey is a replacement for your passwords. That is the main takeaway. They will be able to replace your password, so as a user you will not need to remember them, and you never need to go through the “forgot my password” flow.

Passkeys bring some very nice improvements over passwords. One thing is that a passkey is very phishing resistant, which means you cannot be tricked into typing your password into the wrong site. It’s also based on quite secure cryptography. Even if a hacker breaks into the websites themselves, they cannot steal your password. In cryptography it’s called asymmetric cryptography.



The passkey that lives on your device and what is shared to the website is very different from passwords. With the latter, you can currently hack a website and steal the database with all the passwords and then crack them offline. With passkeys, it’s basically impossible to do that. And we’ve used the same cryptography that’s been around for a long time and actually makes the internet work, so it’s not like we invented something new; it’s quite old and battle-tested technology at its core.

In layman’s terms, some other benefit of passkeys is that it’s very, very easy to use them. If you go to a website and you need to register an account or use a passkey sign-in, it’s often as easy as unlocking your phone. So with passkeys, you’re able to sign into websites using, for example, your face recognition or Touch ID or whatever you have on your device. And it can fall back to other device authentication methods, like your PIN code on your phone or password on your computer if you don’t have anything else on that device.


So, this is basically the case when you use Google’s, Apple’s, or Microsoft’s first-party solutions. But how would you convince someone to use a password manager like Bitwarden for your passkeys instead? If someone sees a website with passkey support, they may just sign in with what they have on their device already.

As you mentioned, Bitwarden allows you to save your passkeys inside Bitwarden instead of saving them to Apple or Google. One of the main benefits is that you get less lock-in. Bitwarden currently runs on multiple devices. You can have it on your Android phone, your Windows desktop computer, and your MacBook. You can use that passkey you saved to Bitwarden across all of those devices, even if they’re not in the same ecosystem.



I think the same argument can be made for any password manager. You might pick your provider that you choose to trust. We have some qualities that others don’t. For example, we’re open source. The same thing goes when we save passwords, right? We have millions of users that have been wanting to use our password manager. Of course, they could choose to use Google Chrome’s autofill or Apple’s iCloud Keychain. The same value we provide as a password manager we also provide as a passkey provider.

[Image: Biometric notifications for a passkey. Source: Google. Here’s what passkey prompts look like on Android.]

I think a big question is how to convince people who have been reusing the same poor passwords on different devices to switch to something that they feel like they have less control over, whether that is a password manager or a built-in passkey provider. How would you convince these people to stop relying on their tried and tested system?



It’s a very valid question, I think. Personally, it’s not like you’re looking forward to typing in a longer and safer password or adding more steps to unlock. I never look forward to seeing this text message that has a 2FA code in it. That’s never fun. So, traditionally, having something more secure has not been a positive user experience. Passkeys, however, make it a lot faster and easier to sign in. So, if you’re lazy, use passkeys — that would be the easiest thing to use to sign in.


I use it everywhere I can. I mean, I’m quite interested in IT security, but it’s mostly because I’m a bit lazy. So, I can just sign in to most of the websites I access just by scanning my face or by scanning my fingerprint on my computer. I don’t need to ever reset or hit the forgot my password button. So, if nothing else, users can do this because they’re lazy. And I think that’s one of the core reasons why passkeys is a very good thing for websites to use.


However, as an employer or organization, where I am responsible for keeping other people’s data safe, passkeys are so much more secure than passwords, even passwords combined with multi-factor text messages or OTP codes. The anti-phishing qualities that passkeys have and the cryptography powering them are simply best in class.


I asked quite a well-known white-hat hacker called Rachel Tobac. She’s primarily focused on testing security companies, so she hacks them through either technical or social engineering. And I asked her, well, when you encounter a company that is using passkeys instead of passwords and push notifications or SMS codes, what do you do? How do you attack a company that’s using passkeys? Her answer was immediately: You don’t. When you discover they use passkeys you switch companies, you just switch the target. Because it’s so much harder to hack.


Are there actually already companies or websites out there that exclusively use passkeys? I have a feeling that a lot of them are doing both passwords and passkeys at the moment as the industry makes the switch.

I don’t dare to answer if there’s any company that allows you to completely delete your password. So, passwordless.dev itself, we don’t have any passwords, so you can only use a passkey and you can ultimately fall back to a magic link that is sent to your email. So we are one of them. But, I mean, Google and Microsoft have both launched passkeys support. And I would be surprised if there’s not going to be options to turn off certain forms of authentication.

I don’t think you can remove your Google password just yet, but I wouldn’t be surprised if in the future that would be seen as a less secure way, and you might need a text message or you need to have an app or a known device. You know, all those extra steps that go into authentication for something that is as complex as Google. [Editor’s note: Google started automatically turning on 2FA for many users in 2021 already.]


I should add that there are companies that use security keys, or passkeys. I think both Google and Cloudflare, another major internet company, reported on their success of only using passkeys internally. So all employees can only authenticate using a security key. Because they are major players they get hit with very sophisticated attacks, but they were able to report that since switching to passkeys, there was a zero percent success rate.

So, you mentioned that if you don’t have access to a device with a passkey stored on it there are options to fall back to a magic link to your email or something. Wouldn’t that just basically change the attack vector? Wouldn’t it make hackers attack the email service of the person that they want to get into rather than the password itself?



I think that would be quite a good outcome, right? Every website has different ways of doing threat modeling, to use the technical term, but if you’re a, you know, dog walking forum, then falling back to email authentication is quite secure. That’s probably within your allowed risk. If you’re a government agency, there might be other ways to recover authentication that are more involved. So, every website can choose its own way to allow account recovery.

I think we will see some kind of norm for how most websites allow account recovery. I think access to email will be one of them, and I think that’s very good. Attackers would need to break the authentication for your email provider, who is probably much better equipped to handle such attacks and do risk engine analysis. For example, hacking my Gmail or Google account would be a lot harder.

Yep. Like, if your Google account is protected by passkeys as well, then that leaves even fewer ways to get into it in the future.

It’s a weird thing to say, but I think most people should use passkeys in most cases. But I don’t think the end goal is to have exactly zero passwords for everyone. There are use cases for some passwords, such as a fallback mechanism. For example, for your Bitwarden account, or your Google account if it’s your main provider.



But the point is that you would be able to have, similar to Bitwarden, one very secure long password. That’s the only one you need to memorize to access your Bitwarden and your passkeys. And I think that that’s where we want to end up, where you use passkeys for mainly all of the sites, but you have a kind of trusted way to gain access if you lose all your devices in an accident or something. There needs to be a way to get back into those accounts.

And storing passkeys inside Bitwarden allows us to end-to-end encrypt them and store that backup for you up in the cloud and sync it to all your devices. Even if you need to go out, buy a new phone, and download Bitwarden on it, you will still have those passkeys within minutes. And I think that’s how passkeys should play out. You should have them for almost all sites.


I’m also wondering about legacy support. For example, on Android, you can only use passkeys on Android 9 and higher, which still leaves out a few devices. That’s why I’m wondering, will we ever be at a point where we can really get rid of passwords 100%? You said that’s not the end goal, but it’s still the goal for most accounts. So that’s what I’m trying to imagine — how it’s possible to completely overhaul something that’s so integral to account security on the internet. It seems like a daunting task.

So, that task is quite centric to me since I’ve been on this mission since 2016, when I started my open-source project that was related to passkeys. I think the mission statement was to defeat phishing and make sure that everyone has access to passkeys.

I don’t think every application on earth will use passkeys. There are all the applications that are no longer maintained but are still used. Those might still use passwords for a significant time. But I think we will see many, if not most of the applications that are maintained move to passkeys, simply because they’re easier to use.


For e-commerce sites, it gives better conversion to have people sign up for the members club. They don’t need to remember or forget their passwords and look for the reset email that ends up in spam. You see all of those kinds of business values that are also attached to passkeys for e-commerce sites.

[Image: Google Account passkey setup notification window. Creating a passkey on Chrome for desktop.]

It’s also a better conversion for apps that, you know, do something for you. It’s a higher sign-in rate, and people actually get back into their accounts more easily. So maybe you used an app a couple of years ago and now tried to sign up again, and your email is already used. It’s those kinds of places where you get locked out. Those scenarios also become easier. So for many apps and systems, this is not only a good feature to give to users — it actually makes sense business-wise.


That’s something that’s going to help. And I think with a service like the one that I’m building, we’re trying to remove all friction for developers to offer passkeys.

Let’s do one last question. Where do you think you’re going to be in five years, password-wise and passkey-wise?

I think most people will use passkeys to sign into most websites without thinking about it. And the few times where you’ll need to use a password, it will feel a bit awkward and inconvenient. And there will be those places, right? All websites that, for one reason or another, can’t or haven’t upgraded. I think it’s quite clear that we’re moving towards using passkeys as the default. I don’t want to give false hopes. Passwords will be around. They will stick around.



If you’re an enterprise looking to go passwordless — you know, I’m not objective here — my strongest recommendation is to get a password manager. That will allow you to move passwordless and use passkeys, but for that long tail, it’s going to be a journey. You can store your passwords securely inside that password manager. Bitwarden will autofill those passwords. Passkeys might be even simpler and faster, but it gets you close to being fully passwordless, even today.

In the future, hopefully for many websites, you won’t need to wait for that SMS code to arrive and then look at your phone and then look back at your computer and vice versa. So hopefully we can do away with some of these less secure multi-factor authentication methods and use passkeys instead, for all the moms and dads out there in the world who forget their passwords every now and then.




Another worthwhile mention is that there’s been considerable accessibility testing with passkeys. I heard just the other week at a conference in San Diego from one of the people who works in the accessibility work group of passkeys. She’s visually impaired, and she confirmed that authentication using passkeys is a lot simpler on many websites than using passwords and multi-factor authentication. So there’s definitely an accessibility improvement for all the moms and dads but also people who might have vision impairments or others, so definitely a win for all kinds of users.