Dashlane ditching master passwords | CSO Online

A top-tier password manager maker is ditching the use of master passwords and offering its users a totally passwordless experience. Dashlane made the announcement Wednesday, saying the feature allows new users to create an account without having to set up and remember a master password. It added that it intends to expand the passwordless option to existing users in 2024.

“Dashlane is the first credential manager to eliminate the master password as the underlying foundation of the passwordless account. This means we’re giving users the option to create an account and subsequently log in without ever creating a master password,” says Dashlane CTO Frederic Rivain.

“It’s important to also note that our passwordless approach is different from WebAuthn-based passkeys,” Rivain adds. He explains that while Dashlane allows users to create, save, and sign into websites, like Google, Amazon, GitHub, and Kayak, with passkeys — which are cryptographic credentials stored on a user’s device — and supports them across all devices, they’re not used to encrypt the data in the Dashlane app’s vault. “This is because accessing Dashlane is not only about authentication, but also about accessing your data by decrypting your vault locally on your device,” he says.

Three MFA factors into a one-touch solution

With this announcement, Dashlane is bringing together two approaches to mitigating risk at the identity and access level, notes Karen Walsh, CEO of Allegro Solutions, a cybersecurity consulting company. First, they’re eliminating passwords using biometrics, she says. “Most passwordless solutions use FIDO2, a protocol that combines the multifactor authentication requirements of ‘something you own’ and ‘something you are’. By combining your Face ID or fingerprint with a device under your control and removing the all-too-often risky password, Dashlane is essentially bringing all three MFA factors into a one-touch solution.”

They’re also incorporating zero-knowledge encryption, Walsh adds. “As soon as the user creates any information on their device, the data is encrypted and stays that way, meaning that even if Dashlane experiences a data breach, they have no unencrypted customer information,” she says. “By combining these two technologies, they’re attempting to respond to the way attackers increasingly target password managers, ultimately mitigating risks to themselves and their customers.”

Society may never get rid of passwords entirely

While Dashlane touts its passwordless architecture as “phishing resistant,” Craig Haber, a security evangelist at Open Systems, a global IT services company, cautions that the technology isn’t a silver bullet against threat actors. “Several security concerns must be mitigated for this technology to be a viable option in all operational scenarios, especially given the advancements in AI-generated deepfakes that could defeat advances in biometric authentication technologies,” he says.
