Rethinking Authentication Risk: Lessons for Today’s Security Leaders

A couple weeks ago, I had the honor of speaking at the ISACA 2025 North America Conference in Orlando.

Representing Dashlane in front of more than 200 IT and security professionals, I shared insights on the evolving threat landscape for authentication—and how we, as an industry, must respond.

At Dashlane, we believe deeply in the power of learning from peers. Industry events like ISACA aren’t just about showcasing tools or policies. They’re about exchanging real-world lessons, successes, and mistakes that help us all get better at what we do.

The pace of change in cybersecurity is relentless, and staying ahead means constantly learning from each other’s best practices.

Let me walk you through what I shared during the session, beginning with a story that vividly illustrates what can go wrong when credential security breaks down.

Do you recognize the name Matthew Van Andel? He’s a former Disney employee who became the unwilling entry point for a major breach of Disney’s corporate systems in 2024, particularly their Slack environment.

Here’s what happened:

Van Andel downloaded a seemingly innocuous AI tool from GitHub on his personal computer. That package was malicious and included a keylogger.

The keylogger malware quietly monitored his activity, eventually exfiltrating the contents of his credential vault. Because Van Andel also had access to Disney’s Slack from that personal computer, the attacker used his credentials to move laterally into Disney’s internal systems.

It’s a textbook example of how personal device access, poor isolation, and a lack of endpoint controls can combine to create significant risk.

What should have been done differently? There’s no easy fix, but a few fundamentals stand out:

At the end of the day, security is about reducing risk and minimizing blast radius. That’s our job as IT and security professionals.

No discussion of modern security risks is complete without mentioning AI.

AI has supercharged phishing. Today, attackers can craft highly convincing, personalized phishing emails at scale. According to our 2025 Dashlane State of Credential Security Report:

The latest Verizon Data Breach Investigation Report shows a similar trend. AI is reshaping the attacker toolkit—and fast.

The percentage of AI-assisted malicious emails over time, as shown in the 2025 Verizon Data Breach Investigation Report

But that’s not the only AI risk. Shadow AI—the unsanctioned use of AI tools in the workplace—is another growing threat. A 2024 Cyberhaven report found that the significant majority of enterprise AI usage was happening through personal accounts. That means potentially sensitive queries, data, and credentials are being sent to consumer-grade AI models without any organizational oversight.

In Dashlane’s own aggregated data, DeepSeek—an AI tool with some concerning licensing and security implications—has become the second most-used GenAI app among our customers. The speed of adoption is outpacing policy, and that’s dangerous.

Post-pandemic hybrid work environments further complicate credential security. Employees now routinely blend personal and professional lives across devices and locations. Shadow IT is rampant. Device management is inconsistent. Access controls often lag behind reality.

This creates visibility gaps that make it nearly impossible for IT and security teams to spot risky behaviors—until it's too late.

Monitoring authentication patterns, especially on non-SSO services, is essential. Proactive systems that surface unusual credential usage can help you catch threats before they become breaches.

While MFA and SSO are valuable, they’re not comprehensive. Our research shows that 37% of corporate apps still aren’t protected by SSO. That doesn’t include shadow IT or consumer services employees use for work.

Even password managers—though essential—can’t solve the problem alone.

Credential security is still at the heart of most breaches. And the situation isn’t improving, with AI, remote work, and employee fatigue compounding the problem.

The average cost of a breach and breach volume have both trended upward since 2015, according to data from IBM and Verizon.

The first step toward solving this problem is gaining visibility. You can’t fix what you can’t see. Shadow IT, shadow AI, and unmanaged credential behaviors must be brought to light, not just for remediation, but to build the case for resources and investment.

One of our customers recently discovered—via Credential Risk Detection from Dashlane—that their own CEO was using compromised credentials on personal websites. That was the moment leadership truly engaged. Real data drives action.

Credential Risk Detection from Dashlane gives organizations real-time visibility into weak and compromised passwords across all employees, even if they aren’t using Dashlane, as well as actionable insights.

Additionally, employees need to be prompted with automated alerts in their day-to-day workflow that inform them about their compromised, weak, and reused passwords and how to take action. This is made possible with Dashlane’s Nudges feature.

Nudges have shown real impact: 75% of companies using them have seen improved password hygiene and reduced credential risk.

Internally, we’ve seen the same. Dashlane employees, despite working for a security company, had some weak or reused credentials too. Over the past year, we’ve actively used our own Nudges, as well as Credential Risk Detection, to dramatically improve internal hygiene—and we continue to track progress.

I’m not convinced AI will be the silver bullet for authentication challenges. If anything, emerging agentic AI systems may further expand the attack surface.

The real fix? Eliminate the weakest link: Passwords.

Going passwordless with phishing-resistant solutions is the only viable path forward. We were thrilled to see Microsoft announce new accounts will be passwordless by default.

As a board member of the FIDO Alliance, Dashlane strongly supports the adoption of passkeys—secure, passwordless credentials resistant to phishing and credential stuffing. And we’re not alone: 76% of IT leaders say their C-Suite is actively pushing for passkey adoption.

 If you haven’t started rolling out passkeys, now’s the time. You can even join us in signing the FIDO Passkey Pledge.

Strong identity solutions aren’t enough. We need systems that are private and secure by default.

That means encrypting sensitive data not only at rest and in transit, but also in use. At Dashlane, we use confidential computing and secure cloud enclaves to ensure we never have access to customer data, even while processing it.

This isn’t just a good practice—it’s a competitive advantage. Privacy by design reduces liability and helps meet compliance and regulatory expectations.

Security, meanwhile, means building guardrails that prevent mistakes before they happen with tactics like:

In other words: Don’t rely on employees following all security best practices on their own, plus the occasional security training. Bake security into your systems.

Security isn’t just a technology problem, it’s a cultural one. You can’t patch your way out of user apathy or accidental negligence.

Education still matters, but so does storytelling. At Dashlane, we openly discussed the Disney hack to show employees what’s at stake. The lesson: Good intentions don’t protect you from consequences.

The most effective organizations build cultures where security is everyone’s job. Where phishing attempts are flagged early. Where the finance team doesn’t fall for CEO scams. Where leaders lead by example.

To wrap up, here are the key actions I encouraged the ISACA audience to take—and I encourage you to do the same:

There’s no silver bullet—but there are proven practices. Let’s keep learning from each other, raising the bar, and building systems designed to be secure by default.