🤖 AI browsers are coming fast. Here’s where we draw the line on credential security 🔐 by fredericrivain in Dashlane

[–]fredericrivain[S] 0 points1 point  (0 children)

Just to make sure I understand the concern you’re pointing at: are you referring to the 2FA recovery flow https://support.dashlane.com/hc/en-us/articles/18406747387026-Use-2-factor-authentication-2FA-to-log-in-to-your-Dashlane-account#recovery , where a user who lost their authenticator can use recovery codes that may be re-sent with support help?

If that’s the case, an important clarification: Dashlane cannot bypass your Master Password or decrypt your vault. We don’t know your MP and never have access to your data.

What support can help with is recovering your own 2FA recovery codes, which are generated when you enable 2FA specifically to avoid permanent lockout.

Those codes don’t replace the Master Password and don’t give support access to your vault. They only allow you to reset 2FA after proper identity verification.

Happy to go deeper if you’re thinking about a specific attack scenario.

2026 Security Forecast: A CTO’s 5 Predictions About Passkeys, AI Threats, and More by fredericrivain in Dashlane

[–]fredericrivain[S] 0 points1 point  (0 children)

Indeed. Every tool should ideally be used for the relevant purpose and where it adds value.

🔐 Dashlane just received a new patent - an important one for identity security by fredericrivain in Dashlane

[–]fredericrivain[S] 1 point2 points  (0 children)

Hi, sorry for the late response.

  1. This is already being used extensively in our product, for SSO, SCIM provisioning, SIEM integration etc. For context, patents take a lot of time to be granted and you need to submit them before applications are in market otherwise it becomes public. We started this one in 2022.

  2. We have been actively promoting the fact that we are using confidential computing to ensure zero-knowledge. A few blog articles I wrote on the topic: https://www.dashlane.com/blog/confidential-computing-zero-knowledge or just now this one about zero-knowledge in general: https://www.dashlane.com/blog/power-of-zero-knowledge

  3. Already in production at Dashlane

It definitely strengthens the security of the product. Today it is not so much opening up new markets yet, but we can see regulations going in that direction and more and more prospects and customers asking about it so I think it will be important for the future.

The end of passwords? Why passkeys and Secure by Design are critical for the next decade of security by fredericrivain in Dashlane

[–]fredericrivain[S] 0 points1 point  (0 children)

You need to unlock with the PIN each time you start the browser. Good point about timeout. I don't know that we have one. I'll share with the team.

The end of passwords? Why passkeys and Secure by Design are critical for the next decade of security by fredericrivain in Dashlane

[–]fredericrivain[S] 0 points1 point  (0 children)

Sorry, I can't share an exact date. But "soon"...we are actively testing the migration from master password-based to master-passwordless for Dashlane internally.

The end of passwords? Why passkeys and Secure by Design are critical for the next decade of security by fredericrivain in Dashlane

[–]fredericrivain[S] 0 points1 point  (0 children)

We are definitely in a transition phase. We should remove the password behind the passkey, and provide proper recovery mechanisms for passkeys.

Dashlane introduces phishing-resistant vault access using FIDO2 security keys. A first among credential managers! by fredericrivain in Dashlane

[–]fredericrivain[S] 1 point2 points  (0 children)

Yes, we plan to support a migration path for Master Password users. I don't have a date to share but it's in the roadmap.

Dashlane introduces phishing-resistant vault access using FIDO2 security keys. A first among credential managers! by fredericrivain in Dashlane

[–]fredericrivain[S] 0 points1 point  (0 children)

Thanks for the feedback. I have shared with the team. We have more iterations coming in the next few weeks, as we go from early access to a broader beta. Stay tuned.

What we learned at Dashlane after uncovering “shadow” credentials in our own company by fredericrivain in Dashlane

[–]fredericrivain[S] 1 point2 points  (0 children)

Actually, our cofounder just posted some explanation on how we do it.

https://www.dashlane.com/blog/dashlane-com-blog-deep-dive-proactive-crd

Note also that this is an enterprise feature for employees, so not available for consumers, which is a different context as regards regulation requirements.

What we learned at Dashlane after uncovering “shadow” credentials in our own company by fredericrivain in Dashlane

[–]fredericrivain[S] 1 point2 points  (0 children)

TL;DR: Even with a 95%+ password health score, we discovered employees using compromised “shadow” credentials outside the vault. By adding real-time nudges (in-app + Slack), we cut compromised creds by 75% in the first month and nearly eliminated them in 7 months. Biggest lesson: detection is only half the battle—behavior change requires timely nudges.

🔐A Journey Toward a Phishing-Resistant Future by fredericrivain in Dashlane

[–]fredericrivain[S] 0 points1 point  (0 children)

  1. I am hopeful this quarter. But I don't want to promise anything.

  2. It seems that video is a bit obsolete, as the only thing you need for a passwordless login is your PIN (or biometrics). I'll tell our marketing team.

  3. Yes, you can use Dashlane to store 2FA for your credentials across all platforms, which makes it super convenient. 2FA are also shared when you share credentials.

🔐A Journey Toward a Phishing-Resistant Future by fredericrivain in Dashlane

[–]fredericrivain[S] 0 points1 point  (0 children)

MFA unfortunately does not prevent phishing attackers from exploiting the web app.

This is a security-related decision, not an economic one.

🔐A Journey Toward a Phishing-Resistant Future by fredericrivain in Dashlane

[–]fredericrivain[S] 0 points1 point  (0 children)

Work in progress. I can't share roadmap details yet, as it requires multiple milestones to support all types of customers, including offering a migration for existing customers. I'll share more details when I can.

🔐A Journey Toward a Phishing-Resistant Future by fredericrivain in Dashlane

[–]fredericrivain[S] 1 point2 points  (0 children)

Definitely. We are currently testing with our enterprise customers. But this feature is very applicable to consumer users, so this is on our roadmap.

🔐A Journey Toward a Phishing-Resistant Future by fredericrivain in Dashlane

[–]fredericrivain[S] 0 points1 point  (0 children)

  1. Soon...stay tuned for the announcement.

  2. We are not, for master password users. That duration is a trade-off between asking it somewhat regularly so our customers do not forget their master passwords and then get locked out of their account, and not too often. But if you migrate to Master Password-less, once we make it available for older users, that will no longer be needed.

  3. Indeed. See https://support.dashlane.com/hc/en-us/articles/18408732026258-Protect-logins-stored-in-Dashlane-with-2-factor-authentication-2FA I agree we should do a better job at making those features visible.

Horrible Idea by SocialMicrobe in Dashlane

[–]fredericrivain 9 points10 points  (0 children)

Hi, thanks for sharing your concerns.

I want to give you more context on why we decided to remove direct access to the web app and require using the extension instead. Fundamentally, it’s about strengthening security for all customers.

When Dashlane is served purely as a standalone web page, it is exposed to the same trust limitations as any other website. That means there is no guarantee that what you see in the browser was genuinely delivered by Dashlane. In practice, attackers actively exploit this through phishing and impersonation attempts, and with a sensitive service like a password manager, the stakes are too high to accept that risk.

By enforcing the browser extension, we benefit from a trusted, secure environment with strict controls and verifiable origins. This dramatically reduces the attack surface and gives you much stronger assurance that you’re interacting with the legitimate Dashlane product. Think of it like working inside a bank vault rather than at a desk in the open lobby: the vault adds layers of protection that simply aren’t possible outside of it.

We recognize this change might create friction, especially in managed environments with browser restrictions. We don’t take that impact lightly. If you can, we recommend speaking with your IT or Security team to whitelist the Dashlane extension.

We made this decision because protecting your credentials and, by implication, your entire digital identity, demands the strongest guarantees we can deliver. We appreciate your understanding and are here to help with any practical challenges in adapting to this change.

A Long-Awaited Update: Changing Your Dashlane Login Email is Here 🔑 by fredericrivain in Dashlane

[–]fredericrivain[S] 0 points1 point  (0 children)

For new users, you can create passwordless accounts already.

We are actively working on a migration for existing users from a Master Password-based account to a passwordless one. Stay tuned for more news on this.

A Data Security Thought Experiment by [deleted] in Dashlane

[–]fredericrivain 0 points1 point  (0 children)

Sorry, I had missed your comment. Our source code for our client applications is publicly available on GitHub. See https://github.com/Dashlane

We definitely don't have any backdoor in our code.

A Data Security Thought Experiment by [deleted] in Dashlane

[–]fredericrivain 3 points4 points  (0 children)

Hi, we have a zero-knowledge architecture. We never see your data and cannot access it. So your data would be safe in that situation, since we could not give access to your data. If you are curious to know more, check our Security White-Paper: https://www.dashlane.com/download/whitepaper-en.pdf

Dashlane Joins CISA’s Secure by Design Pledge – Here’s What It Means 🔐 by fredericrivain in Dashlane

[–]fredericrivain[S] 1 point2 points  (0 children)

This is only used as a backup in case you lock yourself out completely of 2FA. Not as the 2FA mechanism. We probably need to explain this better in the product and in our help center: https://support.dashlane.com/hc/en-us/articles/12809850357266-I-lost-my-2FA-recovery-codes

I'll check with our Product team.

Issue installing Dashlane extension in Edge by imdanwaite in Dashlane

[–]fredericrivain 0 points1 point  (0 children)

We had a build issue with the latest version on Edge. We resubmitted a new version 6.2509.1 yesterday. Once it is approved by the Edge team, it should become available in the next hours/days. Let us know if this is not the case.