(Credit: JuSun/Getty Images)
One of the better-known password managers is now inviting people to try it without having to create yet another password. Instead, Dashlane is now inviting people to try opening a new account secured only by a USB security key compliant with the “FIDO2” authentication standard; FIDO being short for Fast Identity Online.
Emphasize “try.” The company’s support page for this “early access” program notes that it supports only Google Chrome and Microsoft Edge, not Dashlane’s mobile apps. For now, it doesn’t let you create an account secured only by a passkey, the form of FIDO2 security more people use.
The page also highlights a warning that this is an early-days exercise: “Important: Accounts created as part of the early access program are for testing purposes only. We recommend using your primary Dashlane account to store and manage your data.”
(Credit: Dashlane)Dashlane’s announcement by CTO Frederic Rivain notes that FIDO2 authentication can’t get spoofed by phishing scams. Passkeys and security keys are cryptographically bound to the domain name of the site in question and will ignore a lookalike.
Any login method that depends on a human entering the right credential into the right site, even if it’s a one-time code generated by an authenticator app, remains vulnerable to those attacks.
As Rivain observes, somebody as versed in security as Troy Hunt, maintainer of the HaveIBeenPwned data-breach resource, got fooled in March by a phishing scam that bamboozled him into entering a two-factor-authentication code on a malicious site.
FIDO2 credentials also can’t be reused, unlike passwords. Last fall, a Dashlane study of its own users, based on on-device analysis of passwords saved in its apps, found that almost half of the passwords US users had saved in their vaults were recycled.
Dashlane’s support page about the program notes that USB security keys used for this require you to confirm their use by typing in a PIN (please don’t make that your birthday) or, if the key supports it, fingerprint authentication.
It doesn’t cover the ugly scenario of losing or breaking that key. A list of “upcoming enhancements” in Dashlane’s post includes support for multiple keys “that ensures users aren’t locked out if a key is lost or damaged.”
In a quote included in Dashlane’s post, the head of the organization behind the FIDO2 standard commended its efforts. “Dashlane is showing tremendous commitment to protecting its users’ most sensitive data in a manner that is both convenient and phishing-resistant,” said Andrew Shikiar, executive director and CEO of the security trade group FIDO Alliance.
In daily use, especially on mobile devices, this may not make much of a difference: Password manager apps generally let you log in with whatever biometric authentication unlocks your device, although some will require you to enter their master password after a device restart or after a set period of days or weeks of use.
Dashlane plans to expand access to this option. The New York-based company’s announcement says it plans to make this “generally available later this year for both personal and business users”; it doesn’t specify if that will include free accounts, which feature significant usage limits, or if you’ll need to pay for service, starting at $59.88 a year for a personal subscription.
Other password managers are moving in the same direction. Notably, 1Password announced in February 2023 that it would let users set up accounts secured only by passkeys. But more than two years later, that option remains in beta and confined to test accounts. So we won’t be too surprised if Dashlane takes a little longer than advertised to roll out this feature to more customers.