Dashlane ditching master passwords

A top-tier password manager maker is ditching the use of master passwords and offering its users a totally passwordless experience. Dashlane made the announcement Wednesday, saying the feature allows new users to create an account without having to set up and remember a master password. It added that it intends to expand the passwordless option to existing users in 2024.

“Dashlane is the first credential manager to eliminate the master password as the underlying foundation of the passwordless account. This means we’re giving users the option to create an account and subsequently login without ever creating a master password,” says Dashlane CTO Frederic Rivain.

“It’s important to also note that our passwordless approach is different from WebAuthn-based passkeys,” Rivain adds. He explains that while Dashlane lets users create and save passkeys — cryptographic credentials stored on a user’s device — and use them to sign into websites such as Google, Amazon, GitHub, and Kayak, with support across all devices, passkeys are not used to encrypt the data in the Dashlane app’s vault. “This is because accessing Dashlane is not only about authentication, but also about accessing your data by decrypting your vault locally on your device,” he says.

Three MFA factors into a one-touch solution

With this announcement, Dashlane is bringing together two approaches to mitigating risk at the identity and access level, notes Karen Walsh, CEO of Allegro Solutions, a cybersecurity consulting company. First, they’re eliminating passwords using biometrics, she says. “Most passwordless solutions use FIDO2, a protocol that combines the multifactor authentication requirements of ‘something you own’ and ‘something you are’. By combining your face ID or fingerprint with a device under your control and removing the all-too-often risky password, Dashlane is essentially bringing all three MFA factors into a one-touch solution.”

They’re also incorporating zero-knowledge encryption, Walsh adds. “As soon as the user creates any information on their device, the data is encrypted and stays that way, meaning that even if Dashlane experiences a data breach, they have no unencrypted customer information,” she says. “By combining these two technologies, they’re attempting to respond to the way attackers increasingly target password managers, ultimately mitigating risks to themselves and their customers.”

Society may never get rid of passwords entirely

While Dashlane touts its passwordless architecture as “phishing resistant,” Craig Harber, a security evangelist at Open Systems, a global IT services company, cautions that the technology isn’t a silver bullet against threat actors. “Several security concerns must be mitigated for this technology to be a viable option in all operational scenarios, especially given the advancements in AI-generated deepfakes that could defeat advances in biometric authentication technologies,” he says.

In addition to sacking master passwords, Dashlane announced a patent-pending method to securely transfer the key required for vault decryption from device to device, enabling seamless cross-platform use. “Cross-platform sync allows users to seamlessly access the Dashlane vault across their devices via a secure key exchange,” Rivain explains.

“To ensure smooth key exchange across platforms, we developed our device transfer method to ensure that all three of our core platforms — iOS, Android, Web Extension — could utilize consistent and compatible cryptographic mechanisms,” Rivain says. “To safeguard the data and protect this process, we leverage Elliptic-curve Diffie-Hellman (ECDH) to perform the key exchange.”
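The two mechanisms described above, vault data that is encrypted client-side so the provider never holds plaintext (Walsh's zero-knowledge point) and an ECDH key exchange used to hand the vault key to a newly enrolled device (Rivain's cross-platform sync), as an added illustration written for this article. It is not Dashlane's code and does not reproduce its patent-pending transfer method; the concrete choices of X25519, HKDF-SHA256, AES-256-GCM, and the sender/receiver roles are my own assumptions. The existing device wraps the vault key under a key derived from the ECDH shared secret, the new device unwraps it, and a device that did not take part in the exchange cannot. Note that ephemeral ECDH on its own is unauthenticated: a deployed protocol must also let the user confirm that the public key the sender received really belongs to the new device (for example by comparing a short code shown on both screens), which this example leaves to the caller.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device holds an ephemeral X25519 key pair generated for one transfer session.
// (Hypothetical type for this example, not a Dashlane API.)
type Device struct {
	priv *ecdh.PrivateKey
}

// NewDevice creates a fresh ephemeral key pair; the private key never leaves the device.
func NewDevice() (*Device, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKeyBytes is the only value a device needs to send to its peer.
func (d *Device) PublicKeyBytes() []byte { return d.priv.PublicKey().Bytes() }

// hkdfSHA256 turns the raw ECDH shared secret into a 32-byte AES key
// (RFC 5869 extract-then-expand, single output block).
func hkdfSHA256(secret, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(secret)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write(info)
	expand.Write([]byte{1})
	return expand.Sum(nil)
}

// wrappingKey computes the shared secret with the peer and derives the key that
// protects the vault key in transit. Both public keys are bound in via the transcript.
func (d *Device) wrappingKey(peerPub, transcript []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := d.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	return hkdfSHA256(shared, transcript, []byte("vault-key-transfer")), nil
}

// WrapVaultKey runs on the device that already holds the vault key (the sender).
// Only a peer holding the private half of receiverPub can unwrap the result.
func (d *Device) WrapVaultKey(vaultKey, receiverPub []byte) ([]byte, error) {
	transcript := append(append([]byte{}, d.PublicKeyBytes()...), receiverPub...)
	wk, err := d.wrappingKey(receiverPub, transcript)
	if err != nil {
		return nil, err
	}
	return aeadSeal(wk, vaultKey, transcript)
}

// UnwrapVaultKey runs on the new device (the receiver) and recovers the vault key,
// or fails if the box was tampered with or was not wrapped for this device.
func (d *Device) UnwrapVaultKey(box, senderPub []byte) ([]byte, error) {
	transcript := append(append([]byte{}, senderPub...), d.PublicKeyBytes()...)
	wk, err := d.wrappingKey(senderPub, transcript)
	if err != nil {
		return nil, err
	}
	return aeadOpen(wk, box, transcript)
}

// aeadSeal encrypts plaintext with AES-256-GCM; the random nonce is prepended.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal and authenticates both the ciphertext and the transcript.
func aeadOpen(key, box, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(box) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, box[:gcm.NonceSize()], box[gcm.NonceSize():], aad)
}

// TransferDemo runs one complete exchange and returns what the receiver recovered.
func TransferDemo(vaultKey []byte) ([]byte, error) {
	sender, err := NewDevice()
	if err != nil {
		return nil, err
	}
	receiver, err := NewDevice()
	if err != nil {
		return nil, err
	}
	box, err := sender.WrapVaultKey(vaultKey, receiver.PublicKeyBytes())
	if err != nil {
		return nil, err
	}
	return receiver.UnwrapVaultKey(box, sender.PublicKeyBytes())
}

func main() {
	vaultKey := make([]byte, 32) // constructed sample vault key
	if _, err := rand.Read(vaultKey); err != nil {
		panic(err)
	}
	got, err := TransferDemo(vaultKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("receiver recovered vault key:", bytes.Equal(got, vaultKey))
}
```

The vault key itself is the only secret that crosses the network, and it crosses encrypted; the server relaying the box sees ciphertext and two public keys, which is what keeps the provider-side zero-knowledge property intact during enrollment of a new device.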

Despite the rise of alternatives, Rivain acknowledges that passwords remain popular among users. “Passwordless is moving us in the right direction, and the rate of websites and services offering passwordless solutions, such as passkeys, over the last 18 months is happening even faster than many of us anticipated,” he says. “There are many use cases still to be expanded upon, including cross-platform compatibility, sharing, enterprise usage, and legacy on-prem solutions. Society may never get rid of passwords entirely, but their use will be broadly diminished over the long term.”
