Rethinking Authentication Risk: Lessons for Today’s Security Leaders

Credential security risks evolve every day. Dashlane CTO Frederic Rivain explains how IT and security leaders can be proactive about authentication.

A couple weeks ago, I had the honor of speaking at the ISACA 2025 North America Conference in Orlando.

Representing Dashlane in front of more than 200 IT and security professionals, I shared insights on the evolving threat landscape for authentication—and how we, as an industry, must respond.

Dashlane CTO Frederic Rivain speaks to a packed room of IT and security professionals at the ISACA 2025 North America Conference in Orlando in May 2025. His talk covered the future of authentication and the evolving threat landscape.

At Dashlane, we believe deeply in the power of learning from peers. Industry events like ISACA aren’t just about showcasing tools or policies. They’re about exchanging real-world lessons, successes, and mistakes that help us all get better at what we do.

The pace of change in cybersecurity is relentless, and staying ahead means constantly learning from each other’s best practices.

Let me walk you through what I shared during the session, beginning with a story that vividly illustrates what can go wrong when credential security breaks down.

The Disney hack: A wake-up call

Do you recognize the name Matthew Van Andel? He’s a former Disney employee who became the unwilling entry point for a major breach of Disney’s corporate systems in 2024, particularly their Slack environment.

Here’s what happened:

A diagram shows the five steps that an attacker took to hack Disney. First, Disney employee Matthew Van Andel downloaded a compromised AI tool on GitHub, then the attacker put a keylogger on his personal computer. Next, the attacker got access to Van Andel’s credential vault, which wasn’t protected by 2FA. After that, the attacker got access to Disney’s Slack on Van Andel’s personal computer and hacked Disney.

Van Andel downloaded a seemingly innocuous AI tool from GitHub on his personal computer. That package was malicious and included a keylogger.

The keylogger malware quietly monitored his activity, eventually exfiltrating the contents of his credential vault. Because Van Andel also had access to Disney’s Slack from that personal computer, the attacker used his credentials to move laterally into Disney’s internal systems.

It’s a textbook example of how personal device access, poor isolation, and a lack of endpoint controls can combine to create significant risk.

What should have been done differently? There’s no easy fix, but a few fundamentals stand out:

  • Monitor and control applications and packages installed on work devices
  • Deploy endpoint protection capable of detecting malware and suspicious behavior
  • Enforce MFA, especially on sensitive tools like credential managers
  • Restrict access to sensitive corporate systems from unmanaged personal devices

At the end of the day, security is about reducing risk and minimizing blast radius. That’s our job as IT and security professionals.

The expanding threat landscape: Authentication in the age of AI

No discussion of modern security risks is complete without mentioning AI.

AI has supercharged phishing. Today, attackers can craft highly convincing, personalized phishing emails at scale. According to our 2025 Dashlane State of Credential Security Report:

  • 74% of IT leaders say AI has increased credential security threats
  • 88% of employees report a rise in phishing attempts
  • 84% of IT leaders cite an increase in phishing volume, sophistication, or both

The latest Verizon Data Breach Investigations Report shows a similar trend. AI is reshaping the attacker toolkit—and fast.

A graph shows that the percentage of AI-assisted malicious emails has risen steadily, going from around 5% in 2022 to around 10% in 2025. This data is according to the 2025 Verizon Data Breach Investigations Report.
The percentage of AI-assisted malicious emails over time, as shown in the 2025 Verizon Data Breach Investigations Report

But that’s not the only AI risk. Shadow AI—the unsanctioned use of AI tools in the workplace—is another growing threat. A 2024 Cyberhaven report found that the significant majority of enterprise AI usage was happening through personal accounts. That means potentially sensitive queries, data, and credentials are being sent to consumer-grade AI models without any organizational oversight.

In Dashlane’s own aggregated data, DeepSeek—an AI tool with some concerning licensing and security implications—has become the second most-used GenAI app among our customers. The speed of adoption is outpacing policy, and that’s dangerous.

The blurred boundaries of hybrid work

Post-pandemic hybrid work environments further complicate credential security. Employees now routinely blend personal and professional lives across devices and locations. Shadow IT is rampant. Device management is inconsistent. Access controls often lag behind reality.

This creates visibility gaps that make it nearly impossible for IT and security teams to spot risky behaviors—until it's too late.

Monitoring authentication patterns, especially on non-SSO services, is essential. Proactive systems that surface unusual credential usage can help you catch threats before they become breaches.
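The kind of proactive monitoring described above, as an added example that is not part of the original post or of any Dashlane product: a small detector that reads login events for non-SSO services and surfaces the patterns a defender would want flagged first. The log format, field names, the list of sensitive services and the thresholds are all assumptions, and the sample log lines are constructed.

```python
"""Flag unusual credential usage in authentication logs for non-SSO services.

Added example (not Dashlane's code). Log format, field names and thresholds are
assumptions; the sample log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one login event per line, space-separated key=value pairs.
# 'managed' records whether the device is enrolled in device management.
SAMPLE_LOG = """\
ts=2025-05-12T08:02:00 user=alice service=hr-portal result=ok device=lap-01 managed=yes country=US
ts=2025-05-12T08:05:00 user=alice service=hr-portal result=ok device=lap-01 managed=yes country=US
ts=2025-05-12T08:40:00 user=alice service=hr-portal result=ok device=phone-77 managed=no country=BR
ts=2025-05-12T09:00:00 user=bob service=crm result=fail device=web-3 managed=yes country=US
ts=2025-05-12T09:00:10 user=bob service=crm result=fail device=web-3 managed=yes country=US
ts=2025-05-12T09:00:20 user=bob service=crm result=fail device=web-3 managed=yes country=US
ts=2025-05-12T09:00:30 user=bob service=crm result=fail device=web-3 managed=yes country=US
ts=2025-05-12T09:00:40 user=bob service=crm result=fail device=web-3 managed=yes country=US
ts=2025-05-12T09:00:50 user=bob service=crm result=ok device=web-3 managed=yes country=US
ts=2025-05-12T10:15:00 user=carol service=chat result=ok device=lap-09 managed=yes country=FR
"""

SENSITIVE_SERVICES = {"hr-portal", "crm"}  # assumption: never reachable from unmanaged devices
TRAVEL_WINDOW = timedelta(hours=2)         # assumption: two countries inside this window is implausible
FAILURE_BURST = 5                          # assumption: this many failures before a success looks like guessing
BURST_WINDOW = timedelta(minutes=5)


def parse_line(line):
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def detect(log_text):
    """Return a list of (rule, user, detail) alerts in the order they are raised."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    seen_devices = defaultdict(set)     # user -> devices seen so far
    last_ok = {}                        # user -> most recent successful event
    recent_failures = defaultdict(list)  # (user, service) -> timestamps of failures

    for e in events:
        key = (e["user"], e["service"])
        if e["result"] == "fail":
            recent_failures[key].append(e["ts"])
            continue

        # Only successful logins reach this point.
        fails = [t for t in recent_failures[key] if e["ts"] - t <= BURST_WINDOW]
        if len(fails) >= FAILURE_BURST:
            alerts.append(("failure-burst-then-success", e["user"], e["service"]))
        recent_failures[key] = []

        if e["managed"] == "no" and e["service"] in SENSITIVE_SERVICES:
            alerts.append(("unmanaged-device", e["user"], e["service"]))

        if seen_devices[e["user"]] and e["device"] not in seen_devices[e["user"]]:
            alerts.append(("new-device", e["user"], e["device"]))
        seen_devices[e["user"]].add(e["device"])

        prev = last_ok.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= TRAVEL_WINDOW:
            alerts.append(("impossible-travel", e["user"], f'{prev["country"]}->{e["country"]}'))
        last_ok[e["user"]] = e
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed log this raises three alerts for alice (an unmanaged device reaching a sensitive service, a device never seen before, and a country change within 35 minutes) and one for bob (five failures followed by a success on the same service), while carol's routine login produces nothing. In practice the device and travel baselines would be persisted across runs rather than rebuilt from a single file.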

Credential security remains the core issue

While MFA and SSO are valuable, they’re not comprehensive. Our research shows that 37% of corporate apps still aren’t protected by SSO. That doesn’t include shadow IT or consumer services employees use for work.

Even password managers—though essential—can’t solve the problem alone.

Credential security is still at the heart of most breaches. And the situation isn’t improving, with AI, remote work, and employee fatigue compounding the problem.

A blue bar graph shows how the average cost of a breach has increased from around 8,750,000 in 2015 to 12,500,000 in 2025, according to data from IBM. Overlaid on the blue bar graph is a red line graph showing that the breach volume has increased from around 3,000,000 in 2015 to around 12,000,000 in 2025, according to data from Verizon.
The average cost of a breach and breach volume have both trended upward since 2015, according to data from IBM and Verizon.

Visibility first, then action

The first step toward solving this problem is gaining visibility. You can’t fix what you can’t see. Shadow IT, shadow AI, and unmanaged credential behaviors must be brought to light, not just for remediation, but to build the case for resources and investment.

One of our customers recently discovered—via Credential Risk Detection from Dashlane—that their own CEO was using compromised credentials on personal websites. That was the moment leadership truly engaged. Real data drives action.

A laptop screen shows Dashlane’s Credential Risk Detection and Insights. There are credential security statistics on the screen, including the amount of at-risk passwords at an organization.
Credential Risk Detection from Dashlane gives organizations real-time visibility into weak and compromised passwords across all employees, even if they aren’t using Dashlane, as well as actionable insights.

Additionally, employees need to be prompted with automated alerts in their day-to-day workflow that inform them about their compromised, weak, and reused passwords and how to take action. This is made possible with Dashlane’s Nudges feature.

Nudges have shown real impact: 75% of companies using them have seen improved password hygiene and reduced credential risk.

Internally, we’ve seen the same. Dashlane employees, despite working for a security company, had some weak or reused credentials too. Over the past year, we’ve actively used our own Nudges, as well as Credential Risk Detection, to dramatically improve internal hygiene—and we continue to track progress.
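To make concrete what "weak, compromised, and reused" detection and a nudge look like in code, here is an added example that is not Dashlane's Credential Risk Detection or Nudges implementation. The vault entries and the breach corpus are constructed; the compromise check mirrors the k-anonymity range query used by Have I Been Pwned's Pwned Passwords service (only the first 5 hex characters of the SHA-1 leave the client), but the range index here is a local dictionary rather than a network call, and the weakness policy is an assumption.

```python
"""Scan employees' stored credentials for weak, reused and breached passwords and
turn the findings into per-employee nudges.

Added example, not Dashlane's code. Vault entries and the breach corpus are
constructed; the compromise check copies the shape of a k-anonymity range query
(5-char SHA-1 prefix out, list of suffixes back) against a local index.
"""
import hashlib
from collections import defaultdict

# Constructed: passwords assumed to appear in public breach dumps.
_BREACHED = {"Summer2024!", "password123", "Welcome1"}


def sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest().upper()


# Constructed stand-in for the range endpoint: 5-char prefix -> [(35-char suffix, count)]
_RANGE_INDEX = defaultdict(list)
for _pw in _BREACHED:
    _h = sha1_hex(_pw)
    _RANGE_INDEX[_h[:5]].append((_h[5:], 1))


def lookup_range(prefix):
    """The 'server' learns only the 5-char prefix and answers with every suffix under it."""
    return list(_RANGE_INDEX.get(prefix.upper(), []))


def is_compromised(password):
    h = sha1_hex(password)
    return any(suffix == h[5:] for suffix, _count in lookup_range(h[:5]))


def is_weak(password, min_len=12):
    """Assumed policy: too short, or built from a single character class."""
    classes = sum(
        1 for test in (str.islower, str.isupper, str.isdigit)
        if any(test(c) for c in password)
    )
    if any(not c.isalnum() for c in password):
        classes += 1
    return len(password) < min_len or classes < 2


# Constructed vault contents: (employee, site, password)
SAMPLE_ENTRIES = [
    ("alice", "mail.example", "Summer2024!"),
    ("alice", "crm.example", "Summer2024!"),
    ("bob", "hr.example", "x9#Ls2!pQm4vTz"),
    ("bob", "chat.example", "Welcome1"),
    ("carol", "wiki.example", "correct horse battery staple"),
]


def assess(entries):
    """Return {employee: [(finding, site), ...]} for every credential needing attention."""
    sites_by_password = defaultdict(set)
    for employee, site, password in entries:
        sites_by_password[(employee, password)].add(site)
    findings = defaultdict(list)
    for employee, site, password in entries:
        if is_compromised(password):
            findings[employee].append(("compromised", site))
        if is_weak(password):
            findings[employee].append(("weak", site))
        if len(sites_by_password[(employee, password)]) > 1:
            findings[employee].append(("reused", site))
    return dict(findings)


def nudges(findings):
    """One message per employee, worst category first; passwords themselves never appear."""
    messages = {}
    for employee, items in findings.items():
        counts = defaultdict(int)
        for kind, _site in items:
            counts[kind] += 1
        parts = [f"{counts[k]} {k}" for k in ("compromised", "reused", "weak") if counts[k]]
        sites = sorted({site for _kind, site in items})
        messages[employee] = (
            f"{employee}: {', '.join(parts)} password(s) on {', '.join(sites)}. "
            "Change compromised ones first, then replace reused and weak ones with unique, generated passwords."
        )
    return messages


if __name__ == "__main__":
    for message in nudges(assess(SAMPLE_ENTRIES)).values():
        print(message)
```

The point of the split between `lookup_range` and `is_compromised` is that a real deployment can swap the local index for the remote range endpoint without ever sending a full hash, and the nudge text carries sites and counts but no secret material, so it is safe to deliver in a chat or email workflow.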

AI won’t solve AI-induced authentication risks

I’m not convinced AI will be the silver bullet for authentication challenges. If anything, emerging agentic AI systems may further expand the attack surface.

The real fix? Eliminate the weakest link: Passwords.

Going passwordless with phishing-resistant solutions is the only viable path forward. We were thrilled to see Microsoft announce new accounts will be passwordless by default.

As a board member of the FIDO Alliance, Dashlane strongly supports the adoption of passkeys—secure, passwordless credentials resistant to phishing and credential stuffing. And we’re not alone: 76% of IT leaders say their C-Suite is actively pushing for passkey adoption.

If you haven’t started rolling out passkeys, now’s the time. You can even join us in signing the FIDO Passkey Pledge.
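Why passkeys resist phishing and credential stuffing comes down to a few relying-party checks, shown here as an added example that is not Dashlane's or the FIDO Alliance's code. The relying-party identifier, the allowed origin, the challenge store and the assertions are constructed; the final WebAuthn step, verifying the signature over authenticatorData || SHA-256(clientDataJSON) with the registered public key, is not shown.

```python
"""Relying-party checks that bind a passkey assertion to the site's origin and to
a single-use challenge: the properties that defeat lookalike sites and replay.

Added example, not Dashlane's or the FIDO Alliance's code. RP_ID, the allowed
origin, the challenge store and the assertions are constructed. Signature
verification (the last WebAuthn step) is omitted.
"""
import base64
import hashlib
import json
import os
import struct

RP_ID = "app.example.com"                      # assumed relying-party identifier
ALLOWED_ORIGINS = {"https://app.example.com"}  # assumed origin(s) allowed to present assertions

UP_FLAG = 0x01  # user-present bit in the authenticatorData flags byte
UV_FLAG = 0x04  # user-verified bit


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class ChallengeStore:
    """Challenges the server issued and has not yet seen back; each is usable once."""

    def __init__(self):
        self._issued = set()

    def issue(self):
        challenge = b64url(os.urandom(32))
        self._issued.add(challenge)
        return challenge

    def consume(self, challenge):
        if challenge in self._issued:
            self._issued.discard(challenge)
            return True
        return False


def make_authenticator_data(rp_id, flags=UP_FLAG | UV_FLAG, sign_count=1):
    """rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def make_assertion(page_origin, challenge, rp_id_used=RP_ID):
    """Constructed stand-in for what the browser and authenticator hand back.
    The browser, not the page, fills in 'origin', so a lookalike site cannot claim
    the real one, and the authenticator hashes the rpId it was actually called with."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin})
    return {"clientDataJSON": client_data.encode(), "authenticatorData": make_authenticator_data(rp_id_used)}


def verify_assertion(assertion, store):
    """Return 'ok' or the name of the first check that fails."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return "bad-type"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return "origin-mismatch"
    if not store.consume(client_data.get("challenge", "")):
        return "unknown-or-replayed-challenge"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpid-mismatch"
    if not auth_data[32] & UP_FLAG:
        return "user-not-present"
    return "ok"


if __name__ == "__main__":
    store = ChallengeStore()
    c = store.issue()
    print("genuine site:", verify_assertion(make_assertion("https://app.example.com", c), store))
    print("replayed:", verify_assertion(make_assertion("https://app.example.com", c), store))
    print("lookalike site:", verify_assertion(make_assertion("https://app-example.com", store.issue()), store))
```

Contrast this with a password: whatever the user types into a lookalike page is equally valid on the real one. Here the origin and rpId are fixed by the browser and authenticator, and a captured assertion is useless because its challenge is consumed on first use. In a real browser the lookalike case never even reaches the server, since navigator.credentials.get() refuses an rpId that is not a registrable suffix of the page's origin; the server-side check is defense in depth.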

Privacy and security by design

Strong identity solutions aren’t enough. We need systems that are private and secure by default.

That means encrypting sensitive data not only at rest and in transit, but also in use. At Dashlane, we use confidential computing and secure cloud enclaves to ensure we never have access to customer data, even while processing it.

This isn’t just a good practice—it’s a competitive advantage. Privacy by design reduces liability and helps meet compliance and regulatory expectations.

Security, meanwhile, means building guardrails that prevent mistakes before they happen with tactics like:

  • Least privilege access
  • Strong authentication (SSO + MFA + password management)
  • Clear onboarding and offboarding workflows
  • Device policies that separate work use from personal use

In other words: Don’t rely on employees following all security best practices on their own, plus the occasional security training. Bake security into your systems.

Culture is the final layer

Security isn’t just a technology problem; it’s a cultural one. You can’t patch your way out of user apathy or accidental negligence.

Education still matters, but so does storytelling. At Dashlane, we openly discussed the Disney hack to show employees what’s at stake. The lesson: Good intentions don’t protect you from consequences.

The most effective organizations build cultures where security is everyone’s job. Where phishing attempts are flagged early. Where the finance team doesn’t fall for CEO scams. Where leaders lead by example.

Final takeaways

To wrap up, here are the key actions I encouraged the ISACA audience to take—and I encourage you to do the same:

  • Treat credential security as a top-tier organizational risk
  • Get full visibility into credential use, beyond SSO
  • Fix root causes rather than settling for reactive patching
  • Move toward phishing-resistant, passwordless authentication
  • Build in privacy and security from the start, not after the fact

There’s no silver bullet—but there are proven practices. Let’s keep learning from each other, raising the bar, and building systems designed to be secure by default.