Turning Secure by Design into Reality: Dashlane’s One-Year Progress Report

One year ago, Dashlane signed CISA’s Secure by Design pledge, committing to transparency, measurable progress, and security standards that go beyond the minimum. As Dashlane’s CTO, I want to follow up on our original commitment and offer a transparent look at what Secure by Design means in practice at Dashlane.
Over the past year, the pledge has acted as a compass for our security roadmap. It has pushed us to reduce systemic risk, eliminate entire classes of vulnerabilities, and raise the bar not only for our product, but for the broader ecosystem.
Making phishing resistance the goal
Passwords continue to be the primary failure point in digital security. Secure by Design starts with a simple and uncomfortable reality: Users cannot reliably detect phishing at scale. Systems must, therefore, be designed so phishing attempts fail by construction. As a security product, Dashlane is on a journey to phishing resistance.
Passkey support
With this in mind, we’ve continued to improve our passkey support with a focus on both usability and resilience:
- We increased passkey protection by moving storage into cloud secure enclaves, reducing the risk related to device compromise.
- We contributed to the FIDO Credential Exchange standard, enabling safer passkey portability across platforms. Support is already available on iOS, and Android is coming next.
- We published the 2025 Passkey Power 20 Report, which shows real-world passkey adoption trends based on millions of aggregated and anonymized web and mobile passkey authentications.
Hardware security key support
In parallel, we expanded support for FIDO2 hardware security keys as a primary factor to access a Dashlane vault. This makes the strongest form of phishing-resistant authentication available to personal Dashlane users and introduces it in beta for business users. These mechanisms align directly with CISA guidance: When authentication is resistant by design, entire categories of attacks lose their effectiveness.
Passwordless authentication
Perhaps the most consequential shift has been the ongoing migration from a traditional master password to passwordless authentication. Removing the master password removes a high-value target altogether. Today, a growing proportion of Dashlane customers authenticate without one.
This shift toward master passwordless authentication is accelerating and already represents a meaningful share of our active user base, significantly reducing exposure to phishing, credential stuffing, and password reuse.
AI-powered phishing detection
We also recognize that reaching full phishing resistance is a journey. To protect customers along the way, we introduced our AI-powered phishing detection model designed to identify and block phishing attempts while password-based authentication is still in use.
Secure by Design is ultimately about reducing the attack surface, not asking users to compensate for it.
Secure identity visibility for enterprises
Visibility is critical for enterprises, yet security-sensitive logs often introduce new data exposure risks. We chose not to accept that trade-off.
Over the past year, Dashlane introduced zero-knowledge, end-to-end encrypted audit logs, ensuring administrators gain the insights they need while Dashlane itself can’t access sensitive content. Visibility and privacy are not opposing goals when systems are designed with strong security primitives from the start.
This work builds on the continued evolution of Dashlane Omnix™, our intelligent credential security platform for businesses that provides browser-based defense for every single sign-in through credential risk detection and automated risk response.
Transparency as a first-class security feature
Secure by Design also means being clear, predictable, and accountable when things don’t go as planned.
This year, we rebuilt our vulnerability disclosure process, inspired directly by CISA guidance, to make reporting issues simpler and to set clear expectations for security researchers.
We also began publishing public security advisories, providing structured and timely communication when security findings arise. Clear communication builds trust and helps the ecosystem learn faster.
In parallel, Dashlane marked 10 years of continuous bug bounty operations, reflecting a decade of collaboration with the security research community. External scrutiny remains one of the strongest accelerators for strengthening our product.
Innovation and contribution beyond Dashlane
Secure by Design does not stop at product boundaries.
This year, Dashlane was granted two security-focused patents, protecting innovations that advance how credentials and authentication workflows can be secured in practice.
We also shared our journey and technical learnings with peers by speaking at the CISA Technical Exchange Group, contributing to the community dialogue on how Secure by Design principles can be applied in real-world systems. The pledge is also about learning together and sharing lessons openly.
Secure by Design is never done
One year in, the most important takeaway is that Secure by Design isn’t a milestone. Rather, it’s a continuous and intentional effort.
It means designing for failure rather than perfection. Eliminating root causes instead of layering controls. Treating transparency as a core security property, not an afterthought.
Threats will continue to evolve, and expectations will keep rising. Our commitment is to keep removing risk at the source and to keep sharing what we learn along the way.
That’s what Secure by Design means to us, and it’s the standard we believe the industry must collectively adopt.