
A New Era of Phishing-Resistant Authentication: Securing Dashlane Access with FIDO2 Security Keys

Dashlane is combining its passwordless login technology with FIDO2 security keys, enabling users to unlock their vaults in a new, secure way.

Dashlane is pioneering a new standard of seamless, phishing-resistant authentication for credential vault access.

We’re proud to share that we've combined our first-to-market passwordless login with FIDO2 security keys, the strongest available protection against phishing attacks. Now, there’s a new way to secure the most sensitive part of your digital life: Your credential vault.

A new era of phishing resistance

Dashlane is the first credential manager to enable FIDO2 security keys as a primary authentication factor for vault access, leveraging the innovation of WebAuthn PRF. A FIDO2 security key is a physical device, such as a USB key, from Yubico, Google Titan, and others. FIDO2 is the same underlying technology used for passkeys, the phishing-resistant credentials gradually replacing passwords.

We’re making accessing your most sensitive information easier and safer. Whether you’re an individual or a business, Dashlane’s advanced, phishing-resistant security keeps your vault items secure.

This means:

  • No passwords to remember or be phished
  • No secrets shared with servers or transmitted over the network
  • No reliance on SMS, email codes, or other types of MFA, which are susceptible to interception or social engineering

"Dashlane’s use of FIDO security keys to provide secure, passwordless access to their vault marks a pivotal step forward in digital security," said Andrew Shikiar, Executive Director and CEO of the FIDO Alliance. "By leveraging FIDO’s powerful open standards for passkey storage in the vault and now to securely access it, Dashlane is showing tremendous commitment to protecting its users’ most sensitive data in a manner that is both convenient and phishing resistant."

Personal plan users can get early access and be among the first to unlock their Dashlane vault using a FIDO2 security key as their primary way to sign in. This innovation will be generally available later this year for both personal and business users.

Why phishing resistance matters more than ever

Despite advancements in authentication, phishing remains alarmingly effective. Traditional MFA solutions, even those using one-time codes or push notifications, are vulnerable to increasingly clever phishing attacks, often generated by AI. Even the best security experts can be fooled, as Troy Hunt recently experienced. The impact can be costly.

Reports of financial penalties caused by phishing incidents increased by 144% and reports of reputational damage increased by 50% in 2023 compared to 2022.

Source: Proofpoint’s 2024 State of the Phish report

We need to go beyond stop-gap measures and adopt a model that eliminates the phishing vector altogether.

Enter the FIDO2 standards, WebAuthn, and CTAP. These standards, developed by the FIDO Alliance (of which we’re a proud Board Member) and W3C WebAuthn Working Group, are designed from the ground up to stop phishing.

They do this by relying on public-key cryptography, eliminating shared secrets, and binding the credential to its origin. Thus, even if a user is tricked into visiting a fake site, their credentials simply can't be used.
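The origin binding described above, shown from the relying party's side as an added example (not Dashlane's code). It runs on Node.js with a simulated authenticator; the domains, key pair and function names are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');
const sha256 = (d) => nodeCrypto.createHash('sha256').update(d).digest();

// Browser + authenticator (simulated): the browser, not the page, records the
// origin and supplies the RP ID, and the key signs over both.
function signAssertion(privateKey, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authenticatorData: SHA-256(rpId) || flags (UP 0x01 | UV 0x04) || signCount
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signature = nodeCrypto.sign('sha256',
    Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authData, signature };
}

// Relying party: returns 'ok' or the name of the first check that failed.
function verifyAssertion(a, expected) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (!a.authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpIdHash mismatch';
  if ((a.authData[32] & 0x05) !== 0x05) return 'user not present or not verified';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, expected.publicKey, a.signature)
    ? 'ok' : 'bad signature';
}

// Constructed scenario with made-up domains: a genuine sign-in, an assertion
// produced on a look-alike origin, and that assertion's signature re-attached
// to data naming the real origin.
function demoOriginBinding() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const challenge = nodeCrypto.randomBytes(32);
  const expected = { rpId: 'vault.example', origin: 'https://vault.example', challenge, publicKey };
  const genuine = signAssertion(privateKey, 'vault.example', 'https://vault.example', challenge);
  const lookalike = signAssertion(privateKey, 'vault-example.test',
    'https://vault-example.test', challenge);
  const edited = { ...lookalike, authData: genuine.authData,
    clientDataJSON: genuine.clientDataJSON };
  return { genuine: verifyAssertion(genuine, expected),
    lookalike: verifyAssertion(lookalike, expected), edited: verifyAssertion(edited, expected) };
}
```

The look-alike case is modelled as a worst case in which the same key signs there; a real authenticator scopes each credential to its RP ID and would not offer it on another site at all.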

Securing the Dashlane vault: A fully phishing-resistant approach

Your Dashlane credential manager vault is a gateway to every other account you own. Securing it is non-negotiable. 

Dashlane has been a leader in advancing the passwordless future and providing complete credential security. We were the first password manager to support passkeys across all platforms, and we keep innovating to maximize passkeys’ security and convenience.

We were also the first to enable seamless, cross-platform passwordless access to the Dashlane vault, which eliminates the use of a master password.

Building on this foundation, Dashlane has created a new model in which access to your vault can be protected by hardware-backed, phishing-resistant authentication using FIDO2 security keys as a primary factor.

Our solution leverages the WebAuthn PRF (pseudo-random function) extension to derive encryption keys locally, tying vault access to possession of the key and completion of user verification.
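A sketch of PRF-based local key derivation, added here as an example and not taken from Dashlane's implementation. It assumes the security key's PRF behaves like CTAP hmac-secret (an HMAC under a per-credential secret, with a separate secret when user verification succeeded); the HKDF label, the AES-256-GCM vault format and all function names are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Model of a security key's PRF: the per-credential secrets never leave the device.
function makeAuthenticator() {
  const credRandom = { uv: nodeCrypto.randomBytes(32), noUv: nodeCrypto.randomBytes(32) };
  return {
    prf(salt, userVerified) {
      // WebAuthn hashes the caller's salt under a fixed context string first.
      const input = nodeCrypto.createHash('sha256')
        .update(Buffer.concat([Buffer.from('WebAuthn PRF'), Buffer.from([0]), salt])).digest();
      return nodeCrypto.createHmac('sha256', userVerified ? credRandom.uv : credRandom.noUv)
        .update(input).digest();
    },
  };
}

// Client side: stretch the PRF output into a 256-bit vault key.
// The HKDF "info" label is a hypothetical value chosen for this example.
function deriveVaultKey(prfOutput) {
  return Buffer.from(
    nodeCrypto.hkdfSync('sha256', prfOutput, Buffer.alloc(0), 'example-vault-key-v1', 32));
}

function sealVault(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, body, tag: cipher.getAuthTag() };
}

function openVault(key, { iv, body, tag }) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
  } catch {
    return null; // wrong key: GCM authentication fails
  }
}

// Constructed run: the server stores only the salt and the ciphertext.
function demoPrfVault() {
  const key = makeAuthenticator();
  const salt = nodeCrypto.randomBytes(32);
  const sealed = sealVault(deriveVaultKey(key.prf(salt, true)), 'constructed vault item');
  return { withUv: openVault(deriveVaultKey(key.prf(salt, true)), sealed),
    withoutUv: openVault(deriveVaultKey(key.prf(salt, false)), sealed) };
}
```

In this model the salt alone is useless without the physical key, and touching the key without completing user verification yields a different PRF output, so the vault stays sealed.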

If PRF isn’t supported by the platform or browser, we fall back to a secure passwordless flow in which a provisioned device securely transfers the encryption key, combined with a classic WebAuthn flow.

Diagram showing how Dashlane and FIDO2 security keys work together to enable secure authentication. The Dashlane server has the public key and PRF salt. The data to sign goes to the Dashlane client, then to the authenticator, where it becomes signed data. Next, the signed data goes back to the Dashlane client, then to the Dashlane server.

Our goal is for everyone to be able to access any online service or product in an easy, secure way without the fear of getting phished. Building a passwordless login for Dashlane was the first milestone on that journey. 

Building for security and usability

Security is only part of the equation—usability is just as critical. Our approach is designed to provide a seamless experience with our upcoming enhancements:

  • Multiple-key support that ensures users aren’t locked out if a key is lost or damaged
  • FIDO MDS lookup to verify the security key is a certified FIDO product that meets the stringent security criteria
  • Passwordless provisioning so users can set up new devices without typing a single credential

For access that’s truly free of friction and phishing risk, look no further.

What this means for the cybersecurity industry

We believe this is the future of authentication, not just for Dashlane, but for the broader security ecosystem. By aligning with open standards like FIDO2, we’re laying the groundwork for credential management that’s phishing resistant by design.

Our vision is simple: Make the strongest authentication the easiest to use.

Learn more about our early access program.
