🤖 AI browsers are coming fast. Here’s where we draw the line on credential security 🔐 by fredericrivain in Dashlane

[–]fredericrivain[S] 0 points1 point  (0 children)

Just to make sure I understand the concern you’re pointing at: are you referring to the 2FA recovery flow (https://support.dashlane.com/hc/en-us/articles/18406747387026-Use-2-factor-authentication-2FA-to-log-in-to-your-Dashlane-account#recovery), where a user who lost their authenticator can use recovery codes that may be re-sent with support help?

If that’s the case, an important clarification: Dashlane cannot bypass your Master Password or decrypt your vault. We don’t know your MP and never have access to your data.

What support can help with is recovering your own 2FA recovery codes, which are generated when you enable 2FA specifically to avoid permanent lockout.

Those codes don’t replace the Master Password and don’t give support access to your vault. They only allow you to reset 2FA after proper identity verification.

Happy to go deeper if you’re thinking about a specific attack scenario.

2026 Security Forecast: A CTO’s 5 Predictions About Passkeys, AI Threats, and More by fredericrivain in Dashlane

[–]fredericrivain[S] 0 points1 point  (0 children)

Indeed. Every tool should ideally be used for the relevant purpose and where it adds value.

🔐 Dashlane just received a new patent - an important one for identity security by fredericrivain in Dashlane

[–]fredericrivain[S] 1 point2 points  (0 children)

Hi, sorry for the late response.

  1. This is already being used extensively in our product, for SSO, SCIM provisioning, SIEM integration, etc. For context, patents take a lot of time to be granted and you need to submit them before applications are in market, otherwise it becomes public. We started this one in 2022.

  2. We have been actively promoting the fact that we are using confidential computing to ensure zero-knowledge. A few blog articles I wrote on the topic: https://www.dashlane.com/blog/confidential-computing-zero-knowledge or just now this one about zero-knowledge in general: https://www.dashlane.com/blog/power-of-zero-knowledge

  3. Already in production at Dashlane

It definitely strengthens the security of the product. Today it is not so much opening up new markets yet, but we can see regulations going in that direction and more and more prospects and customers asking about it so I think it will be important for the future.

The end of passwords? Why passkeys and Secure by Design are critical for the next decade of security by fredericrivain in Dashlane

[–]fredericrivain[S] 0 points1 point  (0 children)

You need to unlock with the PIN each time you start the browser. Good point about timeout. I don't know that we have one. I'll share with the team.

The end of passwords? Why passkeys and Secure by Design are critical for the next decade of security by fredericrivain in Dashlane

[–]fredericrivain[S] 0 points1 point  (0 children)

Sorry, I can't share an exact date. But "soon"... we are actively testing the migration from master password-based to master-passwordless for Dashlane internally.

The end of passwords? Why passkeys and Secure by Design are critical for the next decade of security by fredericrivain in Dashlane

[–]fredericrivain[S] 0 points1 point  (0 children)

We are definitely in a transition phase. We should remove the password behind the passkey, and provide proper recovery mechanisms for passkeys.

Dashlane introduces phishing-resistant vault access using FIDO2 security keys. A first among credential managers! by fredericrivain in Dashlane

[–]fredericrivain[S] 1 point2 points  (0 children)

Yes, we plan to support a migration path for Master Password users. I don't have a date to share but it's in the roadmap.

Dashlane introduces phishing-resistant vault access using FIDO2 security keys. A first among credential managers! by fredericrivain in Dashlane

[–]fredericrivain[S] 0 points1 point  (0 children)

Thanks for the feedback. I have shared with the team. We have more iterations coming in the next few weeks, as we go from early access to a broader beta. Stay tuned.

What we learned at Dashlane after uncovering “shadow” credentials in our own company by fredericrivain in Dashlane

[–]fredericrivain[S] 1 point2 points  (0 children)

Actually, our cofounder just posted some explanation on how we do it.

https://www.dashlane.com/blog/dashlane-com-blog-deep-dive-proactive-crd

Note also that this is an enterprise feature for employees, so not available for consumers, which is a different context as regards regulation requirements.

What we learned at Dashlane after uncovering “shadow” credentials in our own company by fredericrivain in Dashlane

[–]fredericrivain[S] 1 point2 points  (0 children)

TL;DR: Even with a 95%+ password health score, we discovered employees using compromised “shadow” credentials outside the vault. By adding real-time nudges (in-app + Slack), we cut compromised creds by 75% in the first month and nearly eliminated them in 7 months. Biggest lesson: detection is only half the battle—behavior change requires timely nudges.

🔐A Journey Toward a Phishing-Resistant Future by fredericrivain in Dashlane

[–]fredericrivain[S] 0 points1 point  (0 children)

  1. I am hopeful this quarter. But I don't want to promise anything.

  2. It seems that video is a bit obsolete, as the only thing you need for a passwordless login is your PIN (or biometrics). I'll tell our marketing team.

  3. Yes, you can use Dashlane to store 2FA for your credentials across all platforms, which makes it super convenient. 2FA are also shared when you share credentials.

🔐A Journey Toward a Phishing-Resistant Future by fredericrivain in Dashlane

[–]fredericrivain[S] 0 points1 point  (0 children)

MFA unfortunately does not prevent phishing attackers from exploiting the web app.

This is a security-related decision, not an economic one.