Hi everyone! I’m Rew Islam, the Director of Product Engineering and Innovation, leading the passwordless projects at Dashlane. I’m looking forward to discussing Passkeys and the future of online authentication. Ask me Anything!

After cutting all reasonable support for your safari users, then finally releasing a replacement after months of a complete lack of functionality, you cut off support for anything but the latest version of MacOS. Do you have any plans to bring back support for older (still maintained and updated) versions of the OS to bring service levels back to what your user base signed up for and was promised?

We're in an unfortunate situation with Safari. You can't have a safari extension unless you ship a native app on macOS. We don't have a native app on macOS, so what we've done is ship our iOS app as a Mac Catalyst app, this means that what you see on macOS is essentially the app for iPad, but running on macOS.

The problem with this is that when we drop support for iOS, which is often possible as many people update their iOS version quite soon after it is available, it also cuts support for macOS, as they are both tied to essentially the same version. We realise it's less likely or possible to update macOS, but this isn't something we can work around easily. The alternative would be to create an entire app, just for macOS, but the audience for specifically macOS+Safari is relatively small compared to macOS+Chrome.

Safari used to have standalone extensions circa 2019 I think, but since then it was only possible to ship a Safari extension, if it came with a dedicated native app (or Mac Catalyst app).

So reading between the lines here. You had a product that worked in safari, and was used by a multitude of Apple users because of your support. However because the market is smaller and it took more effort than the android/windows ones you decided to depreciate the app and support for it.

Am I basically right in saying then that you have no plans to restore support it’s previous level and that going forward, due to your iOS tie in, it will only ever support the latest version? If so please just say so. If there is going to be no meaningful return to support I will move on to a company that will.

We don't plan to support older versions of macOS.

So then, just so I’m clear. Currently you support Ventura, as it’s the latest version. When Sonoma is released later this year you plan on dropping support for Ventura as it’s no longer the current version and supporting only Sonoma? Or from this point forword will you support older maintained versions beginning with Ventura?

We always want to keep up with latest technologies/OSs (new APIs, updated version of SwiftUI, security updates etc..). Dropping support for older versions allows to iterate more easily on the product. Unfortunately software development has got to a stage where this is becoming the norm and maintaining support for older versions of OSs becomes an ever increasing burden, while not impossible, it really makes it challenging to develop upon what the vendors consider "legacy" OS versions.

We will not drop support for Ventura/iOS 16 in 2023. However, we don’t guarantee how long we will keep supporting them in the future.

Predictably any question worth answering gets ignored

I know it's an AMA, but ideally I'm here to answer questions about passkeys. I know it's not super satisfying, sorry about that!

"I'm just here to talk about Rampart."

I'm just here to talk about Rampart

😂

Well, this is it. The AmA that got me to unsubscribe from this subreddit after 10 years. This is literally just an ad, how is this even allowed?

I think the thought is that it's not LastPass, which has taken a lot of heat lately, so not enough people will notice.

The thing is, with Reddit, many of us notice everything.

I'm trying to put myself in your shoes... so we're pretending to do an AMA, but in reality it is an advert. What do you think the return on investment is for this advert? I mean it seems like quite a bad investment if it is an advert, it could have been better spent. Honestly I'm not here to promote Dashlane, and just really interested to see how passkeys get taken up, and there isn't a huge vested interest in seeing passkeys adopted. On the whole, I just think people would be more secure if they used passkeys, whether that is with Dashlane or not.

I actually think there were some pretty good questions in here, and hopefully some people took something away that was useful.

If that's the case you chose the wrong subreddit. This discussion would have made more sense in a technology subreddit of some kind.

The topic of passkeys is well represented within the tech scene, but everyday folks might not be aware of them, so doing this AMA was a good way to understand the gaps in knowledge. There have been good questions in here, and I do think people who have come here to learn more about passkeys have left with more of an insight into the topic.

Sorry to hear that, I'm not used to used to posting on reddit, so perhaps my tone came across too folksy? :)

No, it's not your tone. It's that you refuse to answer any real questions people have. But anyway, can we talk about Rampart now?

I had to look up Rampart... I think I get it... but do you have "real" questions about passkeys? 😁

Why is it that for the past several months, my Safari extension doesn't work the same as it used to? It used to work seamlessly, now it's far less convenient to use. I also notice that I now need to constantly sign in each time I try to use Dashlane to log me into a site. Sometimes I need to retype my Dashlane account password, other times I'm allowed to use touch id on my MacBook Air.

I used to LOVE having and using Dashlane. The customer experience, in my humble opinion, has diminished significantly and I'm wondering if I should just switch over to the Apple passkeys instead and save my yearly fee. I think they only thing I'd be missing out on would be the VPN, but I'm honestly not even sure how good that is.

Recently the team shipped what is known as a Safari Web Extension, by default the extension was based on a Safari App Extension. If you go into Safari settings and look at the extensions pane you should see two options for Dashlane. Here is a post that goes into more detail about it:

https://www.reddit.com/r/Dashlane/comments/13d1jnp/early_access_the_new_version_of_dashlane_for/

With passkeys, my general understanding is that they're generally baked into a device, most commonly this is looking like it will be our phones.

Should a phone be stolen with all our passkeys on it, what's to prevent them from being misused? With the push for convenience, I worry that if a phone is stolen, passkeys are on it, an attacker just has to visit the page and they can then simply use the passkey and authenticate as me. What protections surround passkeys or prevent misuse should the device they're bound to be stolen? Or is it largely dependent upon whatever service is used to store the passkeys (iCloud, Android, password manager a la Bitwarden or Dasblane)?

Passkeys will typically require a biometric check for use. This should prevent even unlocked devices being abused for their passkeys.

But with anything on phones, it's really important to setup a strong device passcode and also setup biometry, the screen lock is the best answer to getting your device stolen.

So the way to rid users of pesky strong passwords where one stolen password means only one compromised system is to replace all of them with a single much more easily broken 4 digit pin, pattern unlock that can be figured out by just kinda looking at the smudges on a users screen, or easily faked biometrics, which if broken will give the bad actor access to all of your accounts and leave you completely locked out on account of your phone having been stolen and not being able to use a password as a backup?

Count me in

I think if most people are using strong and unique passwords, it wouldn't be as strong of an issue. The problem is that the majority of people do use very weak, guessable passwords, and passkeys dramatically improves the security situation for these folks.

At least in the next years, most websites will still allow you to use a password if you wish, and if that password is strong and unique, then that's a good situation to be in.

Do you plan on answering questions, or is this just a sale pitch/opportunity for you?

Do you have a question about passkeys? :) I'm here to answer question, nothing to sell!

I had a question around how you're able to prevent AITM type of attacks. I hear more and more that these are able to get around solutions like you have.

Passkeys cannot be attacked using this form of attack as the exchange over the network is of no value to the attacker. With a password, you're potentially sending the password, a secret over the network, with passkeys you're not sending anything sensitive over the network.

The private key that is stored locally must be protected, but it never needs to leave the local device.

Thank you. How is the private key anchored? I'm assuming it's not a hardware key?

Hi u/GreenImagination9042 - it's stored in Dashlane along with other user information, and encrypted just as other user data is in Dashlane.

Are these passkeys also going to be stored in Dashlane servers with the zero knowledge strategy? Where dashlane doesnt store the actual info but just the hashes?

All user data is locally encrypted, currently this is based on a knowledge factor, the master password. But we're looking to replace the master password with passwordless authentication, something possession based such as your device, with local biometry or PIN to access. In all cases, the data on the server is encrypted, and the encryption takes place on the local device before it is sent to the server.

Can dashlane be accessed by malicious actors using session token stealing, where when youre logged into dashlane, and they manage to steal the session cookie/token?

There is no session tokens with Dashlane. If you don't have the key that decrypts the user vault, then you have no access. Currently this is a knowledge factor, the master password. But we're looking to replace it with a possession factor plus something you are or something you know, so local device biometry or PIN. Ultimately the final key that actually encrypts your vault will only be accessible to you, and that key would be entirely unique and random.

I teach computer science and I’ve had several students ask about passkeys now that they’ve started appearing. Some students have tried to learn themselves, but they run into a wall of impenetrable text at the FIDO Alliance. Is there a plan to educate the public about passkeys (beyond Reddit)? If the plan is to replace passwords for the general public, there’s a long way to go.

Check out https://passkeys.io and https://webauthn.io. Both are useful resources.

The webauthn site is very useful for software developers as it provides links to libraries you may use to implement the protocol.

I used those to implement it in the product I’m responsible for and through that learn a lot about how it works.

Thank you. Those are good resources to share.

​

I have no problem explaining it to my students, but if the success of passkeys relies on me explaining it everyone, that's going to be a problem. I don't have that kind of time! Seriously, I just see this change coming and if somewhat tech-literate teenagers are having trouble understanding it, what chance is there for their parents or (even worse) tech-challenged grandparents? Passwords need to die, but without a concerted effort to educate and guide people, passkeys are doomed to fail. We rely on all sorts of terrible technologies (e.g., email, SMS, IPv4) that stay around because of inertia. If no one understands passkeys, they won't get used just because some engineers have decided they're better. I hope someone gets that message.

This is a very valid point. But I do wonder if anyone really needs to understand them. Let's say they are so much easier to use than passwords, and ultimately people are just interested in getting into their accounts and be able to get on with their day. Do they really need to understand the technology? There is no "how to use passkeys" guide required, it will in most cases literally be like unlocking your phone using biometrics.

Shameful admission: I only figured out how https worked in the last 12 months 🫢 - but it never stopped me using the internet. I think it's a stretch to take that idea to passkeys, but not too much either. In the end users will be registering for websites, and signing in to websites with much better security and simpler user experience - a rare combination, and if they don't understand the underlying technology, I think they'll be fine. The basic concepts of WebAuthn/passkeys are not too difficult to grasp, but it does require a little insight into things like public key cryptography which might go over the heads of many non-tech folks.

I don't think it's as important to explain to everyone in the general public how it works, but it's important that it's easy for people to understand why it works, and why it's different.

Even if you're tech illiterate, it's easy to understand the concept of a password because it's the same concept as a house key. You have an item that opens something else that is locked. You know if you give that item to someone else, they will be able to open your stuff. You also know that if you have multiple things you need locked, multiple keys are safer so that if you lose one, someone can't open everything. That concept directly relates to passwords visually.

I foresee the struggle with getting the public to change being them understanding why they should switched. If all of a sudden someone just sees that now everything is seemingly just unlocked for them and they have no understanding of why then it very easily comes across as being extremely insecure.

A significant number of people have extremely low tech literacy and understanding and that's very easy to underestimate. I've had to teach college kids recently on how to make a bar graph in Excel and there's always people at jobs you have to explain what a file format is or the difference between save and save as. Hell, think of how many people misuse reply all.

On top of that, people need concerns about what happens when a phone gets lost or stolen, or even just dies, readily available. Replacing your wallet is a pain, getting locked out of absolutely everything because you forgot to charge your phone is a non-starter.

People don't like change. They either need no other possible option or an extremely clear incentive and understanding on why it benefits them to change.

If there is a simple way to explain public key cryptography, and the idea of signatures and verification, then that would be what the public needs to know.

The challenge is, it's hard to come up with an analogy or explanation, without some idea of the audience and their technical knowledge.

I think it would be a struggle to explain it to my 10 year old kid... if there was some way to make it simple for them, then that might be it.

The problem I see is as the explanation is watered down, and simplified, it eventually loses it's original meaning, and ultimately just sounds like magic, which doesn't help.

Can you clarify that you’ve been a core member of the iOS development team for a password security company since 2011 and didn’t figure out https until 2022?

✋🏽 yup, I mean the nuts and bolts of how TLS works, I knew the idea in principle but not the actual mechanics of TLS.

Great resources! I would add https://webauthn.guide/ to that :)

Hi u/mpogopogo this is a great point. I think the concept of passwords is very easy to understand by anyone. However passkeys, although simple to use, are quite complex for non-technical folks, it requires understanding things like public key cryptography, just learning what that is would be a good first step.

If you have more specific questions I'm happy to try answering them.

Just curious if there is a plan to educate the public? If the plan is just to start using it, I see it being about as popular as encrypted email. Even in this AmA, the top questions are asking how passkeys are different than passwords.

I think services that support passkeys will indeed educate their users about them.

There is educational material out there, but it does lean towards the technical crowd a little.

I expect the market forces to lead to public education, especially if public services support passkeys for their websites.

A short video would do a lot to make it understandable.

Perhaps not short enough, but some of the content here is really good to understand the idea behind this new form of authentication:

https://developer.apple.com/videos/play/wwdc2021/10106/

What is the difference between a password and a passkey? How would using them be different?

A password can be stolen or can be guessed. Passkeys cannot, as they are phishing resistant.

Also, passwords are a knowledge factor, the user typically has to remember them and come up with them. Passkeys are always unique and always strong, and never need to be revealed in order to use them when signing in.

Passwords are also a shared secret, meaning the website server has information about the password that can be valuable to an hacker. Passkeys don't provide any secret information to the server, so if a server was breached, the hacker won't be able to do anything with the component of the passkey that lives on the server.

Passkeys cannot, as they are phishing resistant.

How so? What makes it different than hashing and salting passwords?

People can be convinced to type their password into a website that is created by the attacker. This cannot be done with passkeys.

Passkeys wouldn't be a help either, if you're a victim of recent 'Microsoft Azure hosted subdomain hijacking'. Lets say you've enabled autofill before you know it.. you'll be authenticated as soon as you visit the Phishing site with the similar top level domain whether its password or even passkeys. It all comes down to what 2fa are you using.

Passkeys can't be autofilled on a phishing website, they are bound to the web origin, for example a passkey for google.com won't work on gooogle.com, or google.hackhack.com.

Can you think of a passkey similar to an SSH key? Essentially you (the private key) are connecting to a website and authenticating against their (public) passkey?

Yes! Though unlike SSH, passkeys are based on WebAuthn, so the plumbing to make sure all this works is already shipped in all your devices and browsers.

What's to stop an attacker from hijacking my private key? It seems like the authentication method is better than passwords, but you still need to guard the private key, right?

Yes, the private key must be protected, but it only needs to be protected locally. Passkeys don't leave any secrets on the server, which passwords can do depending on how the server handles them.

So in the future will we be logging into dashlane as well with a passkey and if so how will that work?

We don't yet plan to support passkeys to log into Dashlane, but it is something we want eventually.

There is a feature of WebAuthn, the underlying technology of passkeys, that is called the PRF extension, once this is fully supported on all platforms it would make sense for us to use it for Dashlane:

https://github.com/w3c/webauthn/wiki/Explainer:-PRF-extension

Be honest. Are you holding this AMA because you're to sell us stuff?

Not at all, I'm just very interesting and excited about the topic of passkeys, and would love to share knowledge about them, so if you've any questions, let me know!

1. How does a pass key differ from a passcode? Example?

A passkey is what is called a phishing-resistant form of authentication, meaning it's not possible for someone to steal your passkey, or convince you to sign in to a fake website so that the attacker can use your passkey themselves, just as they can with passwords.

Also, it depends on what you mean by passcode. If you mean the passcode on your iPhone, then that's a different thing, that's something local to that device, and not related to signing into websites, which is the primary purpose of passkeys.

Like dashland passcodes. Are they really that vulnerable? I will create a passcode in D and then get an alert that it was compromised 50 times, for example. That happens more thN I would like which stresses me out.

Ah, you mean passwords? Yes, if you use easy to guess passwords then they really are that vulnerable. It's always important to make sure passwords are unique and complicated, however if a service uses a passkey, then it's guaranteed to be unique and complicated.

Passwords will still be around, and it's important to continue to create strong ones, but when you see passkeys start to appear, you should use them!

How can we ensure that multifactor authentication isn't used like a cookie to track people across multiple accounts? In other words, if I give a company my phone number for SMS authentication, or my phone's serial number and additional information by downloading an authentication app, how do I know it won't be used for marketing purposes?

Good question! I think the app stores have tried to contain this type of behaviour from app developers by asking developers to declare their behaviour in terms of tracking.

I'm not sure there is a silver bullet for this. Ultimately when our lives involve us using hardware and software, there is always scope for some tracking. Ultimately it would come down to what the business model is of the company and the reputation they have.

Is this event a presentation or just a text Q&A?

Hey u/Rabbit38a this is a text Q&A, so if you have any questions about passkeys fire away!

If Safari and Chrome already support passkeys, what additional compelling functionality does Dashlane add that’s not included in browser for free?

If you are using a single ecosystem, let's say all the devices you use are Apple based, then there is not a huge compelling reason to use something other than what ships with your devices.

However if you're switching between ecosystems, then a dedicated credential manager like Dashlane could make the experience of authenticating simpler.

These dedicated products are also adding additional functionality such as sharing, that could be useful for your needs. I would say if something works for you, and the product is creating strong credentials, then stick with it.

When will Dashlane enable passkey functionality on the platform? Looking forward to having that option.

Hi u/N8video - we already support passkeys in our browser extension and will support Android and iOS from Android 14 and iOS 17 onwards!

What is the incentive for companies to want to use this method for logins, from a business use case or financial perspective?

How does your company benefit from this, and is this technilogy going to be proprietary?

Passkeys are based on open standards, so no one can really benefit from the uptake in passkeys support.

Companies should use passkeys because their users already suffer from problems with passwords, such as account takeovers and "forgotten password" support emails.

Also, research from Google shows that passkeys are more successful at the attempt to login than passwords.

https://security.googleblog.com/2023/05/making-authentication-faster-than-ever.html

Have you ever considered naming one of your children Christian?

I've already named my kids, so it's too late, and I never did, though I was a fan of Chris Cornell and Soundgarden.

so:

1. when is dashlane passkeys available?
2. can you import/export passkeys into dashlane from apple or android devices or other apps that have setup the passkey.
3. when do you expect the majority of websites to support passkeys
4. will they also be used to login to mobile apps?
5. how can passkeys be tied in with hardware tokens like ubikey while still being portable?
6. why did you guys stop supporting ubikey and other MFA hardware keys? is that coming back?
7. can users have both regular login/passwords and passkeys for a site? and if so doesn't that defeat the security of passkeys?
8. how can a user recover access to a site if the passkey is lost or doesn't work, are there any backup codes or recovery methods?

Hey u/Ok-Location-6033

1. They're available now! At least on the web extension, they're available on Android 14 now and will be available on iOS 17 when it's out
2. Import/export is not yet possible, but there are companies in the industry working on this problem, Dashlane included!
3. Great question, I think we'll see a lot of big tech companies adopt them this year, and hopefully year-on-year we'll see adoption spread as people start to realise there is a much easier way to sign in to things
4. Yes!
5. Passkeys do work with certain Yubikeys, I think the version 5 ones... you'll have to check on their website, but hardware keys will have a limit to the number of passkeys that can be stored on them, which isn't the case with software authenticators
6. We would like to bring back support for that! In fact it's going to be essential that services like Dashlane offer a phishing-resistant method to sign-in

Thanks for all your questions!

Your answer came to that user on an AmA barely 15 minutes after he created the account.

This has to be a new record for someone doing and AmA and answering a small list of FAQ to someone who randomly saw your post and that came up with the appropiate list so fast.

Reddit is way too sensitive to canned corporate responses nowadays with all the drama with their "CEO", I would suggest to do your homework and not treat the community like him or just hold to your ad campaign for a while so this does not backfire on you too.

I type quite fast :) We don't have anyone asking questions on our behalf, but you'll have to ask u/Ok-Location-6033 if they are genuine or not :)

You should buy your employee lunch for posting the questions you were dying to answer .

1. User created specifically to ask question.

2. Question gets answered within 5 minutes.

3. Other questions from around same time not answered...

The link to the AMA was posted on some of our social channels, it probably attracted a bunch of folks that are unfamiliar with reddit (I'm not a big user myself).

I was answering the newest questions first, which is probably not cool for the questions I missed that got bogged down the list.

But you're free to believe what you want :) I would actually be annoyed if other Dashlaner's were posting here, as they'd most likely be trying to trip me up 😂.

Thanks.

1. I was actually looking to see if it is possible to have the passkey in dashlane but then require the ubikey to validate access to the passkey as well (vs. storing passkeys on the ubikey itself). so they stay portable but also have the hardware security as well.

7 and 8 ?

Oops I missed the last two!

1. This is something we'd like to add, support for a hardware key to protect the Dashlane account in this way.

2. Yes, it really depends on how the website deploys passkeys, they can have both alongside each other, or replace passwords. In the case you can still use your password, you don't get all the security benefits, but you still get ease of use and the fact that it can't be phished as long as you just use your passkey.

3. Recovery is a hot topic, and passkeys don't necessarily prescribe a particular recovery method, that is up to the website to determine. Indeed I can see recovery flows as a new avenue for attacks so we can expect new things to come along to help with recovery in future.

Pretty sure 7 will be up the individual websites ? And I agree it defeats the whole idea if they allow both. It's like the chips in the credit cards. In the US if your card doesn't work using the chip for whatever reason then you can just swipe it like the old cards completely defeating the entire reason for having the chip.

Number 8 I would really like to see a discussion on because so far the only solutions I have seen is using a one time passcode you get via ... email... so either your email is also using a passkey so you can't access it to get your one time passcode or it isn't which means your entire passkey system is rendered useless by a the password to your email account.

But if you can't get this one time recovery code or whatever without a passkey and your phone is stolen, lost or stops working while you are on vacation or something then you are probably well and truly screwed right ?

Again it really depends on how the service deploys their recovery flow. If it's just a magic-link then it's as safe as your access to your mailbox.

More sophisticated websites may want you to go through other hoops, and perhaps wait 24 hours or something before you regain access... again it depends on how valuable the access is and the measures the website decides to employ.

What is your password?

this-is-really-not-my-password-but-if-it-was-it-would-not-be-too-bad-i-guess-or-is-it-you-guess?

I don't know most of my passwords as they're in Dashlane and all very complex and unique ;)

Do you still move away from the microphone when you are breathing?

I try to breath every day, unless I'm diving in a pool. I don't get behind a microphone very often.

As I mentioned in the original post:

That's a wrap!
Thanks for everyone for taking part in this reddit AMA, it's 7:30pm in France so I'm going to sign off, I'll check back for new questions later on, we had some great questions!

What’s the plan to stay relevant over free password solutions from google and Apple ?

Any password manager is better than trying to come up with passwords in your head!

The built-in password managers are great if all your devices are on the same ecosystem, but they struggle when you work across platforms, say you own an iPhone but use a Windows laptop.

But as I mentioned, if something works for you, and you're not creating weak passwords, stick with it!

Have you ever heard of Steve Gibson's SQRL as an alternative to Passkeys, and if you have what is your opinion?

The underlying technology for passkeys isn't that new or groundbreaking. There are a couple of things that make passkeys different to other similar ideas:

1. The WebAuthn standards, which is the technology that passkeys works under, lives under the W3C, which ensures browser developers can incorporate it as an industry recommendation, it's not controlled by a particular company, and anyone who is willing can participate in the evolution of it
2. For better or for worse, there are just a handful of platform vendors that provide the majority of the hardware and software that we all use. If these companies agree among themselves to put their weight behind a particular technology, it has a vastly bigger chance of taking off and getting adopted.

The challenge isn't coming up with the technology, the challenge is adoption.

1. Why should we trust you?

That is a reasonable question for anyone holding my data

1. FIDO support?

2. How private can it be made?

3. How automated are your operations. Do you have an adequate operations team?

4. Why should I believe you will be any more secure than okta or LastPass?

5. What compliance frameworks do you adhere to, which are you required to adhere to?

Thanks!

This might help answer some of your questions:

https://trust.dashlane.com/

https://www.dashlane.com/download/whitepaper-en.pdf

I'm not here to convince anyone about Dashlane, just here to answer questions about passkeys - I would recommend everyone do their own research before deciding to adopt such a product.

Not sure how to do this, but have been a Dashlane user for years....what is a Passkey?

Hi! This is a good video to watch that explains some of the details of what a passkey is, it's quite technical, but it might give you an idea of what it is:

https://developer.apple.com/videos/play/wwdc2021/10106/

A more general answer is: passkeys are a replacement for passwords, they are technically more complex, but much easier to use, always strong and unique and phishing-resistant so no hacker can get you to handover your passkey as they can do with your password.

As a developer, how will I be able to allow my clients to utilize passkeys via their DashLane accounts, in the apps I wrote for them?

Hi u/scilicoder could you explain more about clients? Are these customers or software clients?

Hey Rew some questions for you,

How would logins work on the chrome extension if one migrates away from the Master Password to "passwordless"? From my understanding the iOS version would use a pin or faceid and only one of those is available on a computer.

And an extra big picture question:

What is your expected timeline within the next decade for most apps to implement "passwordless" logins as an option?

Hi u/Cbas_619,

Great question, we're building specific functionality on Chrome so users can either use WebAuthn or PIN to unlock Dashlane. I can't go into too many implementation details as this is work in progress, but I'm looking forward to this being shipped!

I expect passwordless to be a widely adopted within the next 5-year timeframe, or less! Businesses lose a lot of money with weak authentication methods like knowledge factors, such as passwords, so it makes business sense to improve authentication security.

Hi Rew, I admittedly need to learn more about passkeys. As a product manager, I've been hearing a lot of news about AI and it's double exponential growth each day, and passwords are becoming more of a vulnerability than ever. Are passkeys future-proofing for the problems brought on by the exponential growth of AI, or do you all see it as a fix only the current set of problems from 30+ years of using passwords?

There is no link I can see between AI and passkeys. Also, don't believe the hype, AI seems impressive, but it has its limits and I think we'll start to see those in the years ahead.

However, one area that could be an issue is quantum cryptography, but that would be an issue for a lot of security issues, but people are working on the problem so we'll see how that goes!

Your emails made it sound like a presentation. is it just a chat blog?

Hey u/KS-Amrita_851 sorry about that! It's meant to be a Q&A, this is how reddit AMA's are typically run. If you do want to read up about passkeys there are plenty of resources, I recommend this video from Apple: https://developer.apple.com/videos/play/wwdc2021/10106/

After dashlane incorporates this new technology, what happens with all of the currently stored passwords that a user has saved in your software?

Especially for businesses with multiple users all on dashlanes business suite (as in my case), how will those less tech-savvy users be on-boarded and how will the change affect the way they use both the dashlane software and their everyday login experience?

Hi u/d3gaia - your existing passwords continue to work as they do today!

You only get passkeys for websites that support them, and when the website offers them to you. There is no way to magically change passwords into passkeys... yet!

Are you the founder of Islam or did they just name it after you?

Islam is quite a popular family name in Bangladesh, where my parents are from :)

Why would I need something like that if I remember perfectly all my passwords, and in case I forget one I can quickly restore it?
Why would I want a third company to manage my authentication credential, exposing myself to further risks of unethical use of my data, or theft?

A password manager is certainly a user choice, if you're happy with managing all your passwords yourself then go for it!

However, when websites support passkeys, you cannot keep them in your head and will need some software to manage them.

Also passwords are a shared secret, so even if you keep yours safe, the server may not and they can be leaked via that.

But if it works for you, go for it!

Will passkey be available for Android 13?

Hi u/hatchtek not for Dashlane, but you can use passkeys with Google Password Manager. 3rd party support is only available from Android 14 onwards.

When do we see 'Passwordless login for Dashlane account' rolling out ?

Great question! We're furiously working on that topic :) We're hoping to have something out later this summer, it will initially be for new accounts, and once we're happy with how it's going we'll allow existing accounts to migrate over.

Does Dashlane propose producing its own security key like Yubikey?

Hi u/MervynLowne we don't plan to get into the hardware business, Yubico and others are doing a great job there! The great thing with passkeys is that software authenticators like Dashlane can participate, especially now that Google and Apple have announced APIs for 3rd party apps 🫶🏽

I have been wanting to buy a passkey for a long time, as soon as this is available I will be buying one for my Dashlane. I also take passwords very serious and encourage people to use password managers.

Do you see passkeys being a bigger use in the public sector in the coming years?

What is the biggest hurdle keeping other companys to implement a 2FA into thier login process, specifically adding passkey support.

Hi u/Mlitz!

> Do you see passkeys being a bigger use in the public sector in the coming years?

I would hope so! Passkeys are a great replacement for passwords, and if public sector services are suffering from users losing access to their account, account takeovers etc, then passkeys would help here.

> What is the biggest hurdle keeping other companys to implement a 2FA into thier login process, specifically adding passkey support.

Passkeys replace passwords but also the need for 2FA. Passkeys are typically a possession factor, but also often a "what you are" factor when biometry is used to unlock a passkey. So a company that starts to use passkeys won't need to worry about 2FA as 2FA was a solution to the problems of passwords. Passkeys don't have the problems passwords have, so no need for 2FA.

Is there a presentation? it is past 12:00 noon?

Hi u/Senior_rower_7771 this is a Q&A, so if you have any questions, fire away!

So what's the future of online authentication?will captcha or OTP become outdated?if yes so what will be the safest alternative?

Many folks in the industry, myself included, think that passkeys will become the standard for authentication online. We'll just have to wait and see how adoption goes.

If you're interested, here are some of the companies that are involved in the FIDO Alliance:

https://fidoalliance.org/members/

I also want to know

Is this event a presentation or just a text ?

Hi u/Sensitive_Screen_846 this is a text based Q&A

Are you Muslim?

My entire family are, Sunni Muslims from Bangladesh, but I kind of lost my way with religion around the age of about 11.

I suspect he is catholic..

Oh cause his name is Rew?

It's actually short for Ruhul, but no one can pronounce that, so Rew is just a shortcut. Not catholic, but my partner was raised catholic.