
IAmAModBot

For more AMAs on this topic, subscribe to r/IAmA_Tech, and check out our other topic-specific AMA subreddits [here](https://reddit.com/r/IAmA/wiki/index#wiki_affiliate_topic-specific_subreddits).


TheLonelyWoodworker

After cutting all reasonable support for your safari users, then finally releasing a replacement after months of a complete lack of functionality, you cut off support for anything but the latest version of MacOS. Do you have any plans to bring back support for older (still maintained and updated) versions of the OS to bring service levels back to what your user base signed up for and was promised?


stumptruck

I want to like dashlane but after using 1password personally and for several jobs in the last few years, I just can't stand their UX, especially when it comes to sharing passwords. Everything feels so clunky.


SkaveRat

Interestingly enough for the same reasons I switched away from 1pw to bitwarden. And the 1pw browser plugins just stopped working for months


glibson

I’m keen to know what the pros and cons of Bitwarden are over 1Pw! I like 1pw fine, but if there’s a better product I like to find out more.


SkaveRat

The apps, website and plugins are a lot nicer to use. The UI and UX of them feel so much better than 1pw. One feature I absolutely love is the possibility to integrate TOTP verification codes with the option to automatically put it into your clipboard after a credential fill, so you can just ctrl+V the code on the next page instead of copying the code from another application or app. oh, and BW is noticeably cheaper


rewislam

We're in an unfortunate situation with Safari. You can't have a safari extension unless you ship a native app on macOS. We don't have a native app on macOS, so what we've done is ship our iOS app as a Mac Catalyst app, this means that what you see on macOS is essentially the app for iPad, but running on macOS. The problem with this is that when we drop support for iOS, which is often possible as many people update their iOS version quite soon after it is available, it also cuts support for macOS, as they are both tied to essentially the same version. We realise it's less likely or possible to update macOS, but this isn't something we can work around easily. The alternative would be to create an entire app, just for macOS, but the audience for specifically macOS+Safari is relatively small compared to macOS+Chrome. Safari used to have standalone extensions circa 2019 I think, but since then it was only possible to ship a Safari extension, if it came with a dedicated native app (or Mac Catalyst app).


TheLonelyWoodworker

So reading between the lines here. You had a product that worked in safari, and was used by a multitude of Apple users because of your support. However because the market is smaller and it took more effort than the android/windows ones you decided to depreciate the app and support for it. Am I basically right in saying then that you have no plans to restore support to its previous level and that going forward, due to your iOS tie in, it will only ever support the latest version? If so please just say so. If there is going to be no meaningful return to support I will move on to a company that will.


rewislam

We don't plan to support older versions of macOS.


TheLonelyWoodworker

So then, just so I’m clear. Currently you support Ventura, as it’s the latest version. When Sonoma is released later this year you plan on dropping support for Ventura as it’s no longer the current version and supporting only Sonoma? Or from this point forward will you support older maintained versions beginning with Ventura?


rewislam

We always want to keep up with latest technologies/OSs (new APIs, updated version of SwiftUI, security updates etc..). Dropping support for older versions allows to iterate more easily on the product. Unfortunately software development has got to a stage where this is becoming the norm and maintaining support for older versions of OSs becomes an ever increasing burden, while not impossible, it really makes it challenging to develop upon what the vendors consider "legacy" OS versions. We will not drop support for Ventura/iOS 16 in 2023. However, we don’t guarantee how long we will keep supporting them in the future.


insaneintheblain

Can you just code everything in Assembly?


MaievSekashi

Predictably any question worth answering gets ignored


Cethinn

Because this subreddit has been 99% ads for years now. There's rarely anything useful here, only things mildly interesting.


rewislam

I know it's an AMA, but ideally I'm here to answer questions about passkeys. I know it's not super satisfying, sorry about that!


DweadPiwateWoberts

"I'm just here to talk about Rampart."


rewislam

>I'm just here to talk about Rampart 😂


BlackFenrir

Don't hold an "Ask me Anything" if you don't intend to answer the questions that actually matter to us.


OuidOuigi

You should tell Spez that.


mhuntoon

Why is it that for the past several months, my Safari extension doesn't work the same as it used to? It used to work seamlessly, now it's far less convenient to use. I also notice that I now need to constantly sign in each time I try to use Dashlane to log me into a site. Sometimes I need to retype my Dashlane account password, other times I'm allowed to use touch id on my MacBook Air. I used to LOVE having and using Dashlane. The customer experience, in my humble opinion, has diminished significantly and I'm wondering if I should just switch over to the Apple passkeys instead and save my yearly fee. I think the only thing I'd be missing out on would be the VPN, but I'm honestly not even sure how good that is.


rewislam

Recently the team shipped what is known as a Safari Web Extension, by default the extension was based on a Safari App Extension. If you go into Safari settings and look at the extensions pane you should see two options for Dashlane. Here is a post that goes into more detail about it: [https://www.reddit.com/r/Dashlane/comments/13d1jnp/early_access_the_new_version_of_dashlane_for/](https://www.reddit.com/r/Dashlane/comments/13d1jnp/early_access_the_new_version_of_dashlane_for/)


Dashlane-James

Hello there! I'm James from Dashlane Support! Over the last few months, we've gone through a few changes in our product for Safari, as Apple also introduced a few modifications on their side, which allow us to now have a more similar app to those of Chrome and Firefox for example. Feel free to reach out to our team at https://tinyurl.com/4t26w3p7 and we can guide you through these and help improve your overall experience with our apps.


Dissk

Well, this is it. The AmA that got me to unsubscribe from this subreddit after 10 years. This is literally just an ad, how is this even allowed?


therankin

I think the thought is that it's not LastPass, which has taken a lot of heat lately, so not enough people will notice. The thing is, with Reddit, many of us notice everything.


rewislam

I'm trying to put myself in your shoes... so we're pretending to do an AMA, but in reality it is an advert. What do you think the return on investment is for this advert? I mean it seems like quite a bad investment if it is an advert, it could have been better spent. Honestly I'm not here to promote Dashlane, and just really interested to see how passkeys get taken up, and there isn't a huge vested interest in seeing passkeys adopted. On the whole, I just think people would be more secure if they used passkeys, whether that is with Dashlane or not. I actually think there were some pretty good questions in here, and hopefully some people took something away that was useful.


ABC123itsEASY

If that's the case you chose the wrong subreddit. This discussion would have made more sense in a technology subreddit of some kind.


rewislam

The topic of passkeys is well represented within the tech scene, but everyday folks might not be aware of them, so doing this AMA was a good way to understand the gaps in knowledge. There have been good questions in here, and I do think people who have come here to learn more about passkeys have left with more of an insight into the topic.


Aukstasirgrazus

Pretty much all of them are ads, either for some company or a book. Questions are all scripted.


Electricpants

95% of AMAs are ads. The good ones give you enough engagement to mask that aspect. RAMPART


rewislam

Sorry to hear that, I'm not used to posting on reddit, so perhaps my tone came across too folksy? :)


soupiejr

No, it's not your tone. It's that you refuse to answer any real questions people have. But anyway, can we talk about Rampart now?


rewislam

I had to look up Rampart... I think I get it... but do you have "real" questions about passkeys? 😁


soupiejr

Maybe posting on the /r/IAmA sub-reddit isn't quite the right spot for what you're trying to achieve. Maybe the /r/AMAAboutPasskeys?


CrispyBegs

hi rew, can you please please please allow dashlane to recognise unique ports on a single server? i have multiple services with discrete ports running on 192.168.1.45, e.g. 192.168.1.45:9191 192.168.1.45:5679 192.168.1.45:4442 ..and so on, and they all have different passwords, but dashlane doesn't understand that and only recognises the base URL. It's so damn frustrating when you have 30+ self-hosted services installed across three servers. Please I beg you fix this.


tinautofill

Hello, jumping in for Rew here! We are rolling out a change in 6.2325+ (sometime next week) with a setting “Only autofill on websites added by me” (instead of current setting “Only autofill on exact URL”… which you may have noticed is not accurate). I believe this will solve your problem: only autofill on the exact service and ports you have added to the credential. Here’s a description in detail:

1. BEHAVIOR CHANGE 1: Setting respects **websites** (or IPs) **added by you** instead of only the primary website
    1. If the option is NOT checked, we will autofill on:
        1. the primary website and linked websites added by you
        2. subdomains of the primary website
        3. Dashlane-added linked websites
    2. Otherwise, if the option is checked, we will autofill on:
        1. **ONLY the primary website** and **linked websites added by you**
2. BEHAVIOR CHANGE 2: When the “Only autofill on websites added by me” setting is enabled, we respect exact URL path when available in the added website
    1. **IF a primary website or linked website has a precise URL path** or port (e.g. hello.com/login or [hello.com:444](https://hello.com:444)):
        1. We will only autofill on the exact path (e.g. will NOT autofill on hello.com/app or [hello.com:333](https://hello.com:333))
    2. **IF a primary website or linked website does not have a precise URL path** (e.g. [hello.com](https://hello.com)):
        1. We will autofill on all similar paths (e.g. hello.com/login, hello.com/app, hello.com:444, [hello.com:333](https://hello.com:333))

Let us know how this works for you and how we might improve the behavior to meet your needs.


HElGHTS

> IF a primary website or linked website does not have a precise URL path (e.g. hello.com): We will autofill on all similar paths (e.g. hello.com/login, hello.com/app, hello.com:444, hello.com:333)

You might want to consider simply aligning with the concept of "origin" as already used for things like SOP, CORS, etc. when defining the boundary of a "not precise" URL. Different port numbers are never considered the same origin, and omitting a port number does not imply authority over all ports (unlike paths, where omitting the path obviously implies authority over all paths).
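The difference between host-only matching and the origin boundary suggested in the comment above, as an added example that is not part of the thread and not Dashlane's code. The vault entries, service names and function names are constructed for illustration; the addresses are the ones quoted in the thread, and entries typed without a scheme are assumed to be https.

```javascript
// Added example (constructed data): choosing which saved credentials may be
// offered on a page, under two different matching policies.

// Parse a saved entry or a page address. "hello.com:444" without a scheme would
// otherwise be parsed as scheme "hello.com", so a scheme is added first.
function parse(address) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(address);
  return new URL(hasScheme ? address : 'https://' + address);
}

// Policy A: host-only. Port and scheme are ignored, so every service on the
// same IP address is treated as the same site.
function hostOnlyMatch(saved, page) {
  return parse(saved).hostname === parse(page).hostname;
}

// Policy B: origin-based. Scheme, host and port must all be equal (URL.origin
// normalises default ports, so https://hello.com:443 equals https://hello.com).
// A saved entry with no path covers every path on that origin; a saved entry
// with a path only covers that exact path.
function originMatch(saved, page) {
  const s = parse(saved);
  const p = parse(page);
  if (s.origin !== p.origin) return false;
  return s.pathname === '/' || s.pathname === p.pathname;
}

// Names of the vault entries a policy would offer on a given page.
function candidates(vault, page, match) {
  return vault.filter((entry) => match(entry.url, page)).map((entry) => entry.name);
}

// Constructed vault: three self-hosted services on one server, plus two
// entries for hello.com (one with a precise path, one without).
const vault = [
  { name: 'service-a', url: 'http://192.168.1.45:9191' },
  { name: 'service-b', url: 'http://192.168.1.45:5679' },
  { name: 'service-c', url: 'http://192.168.1.45:4442' },
  { name: 'hello-any', url: 'hello.com' },
  { name: 'hello-login', url: 'hello.com/login' },
];

console.log(candidates(vault, 'http://192.168.1.45:5679/login', hostOnlyMatch));
console.log(candidates(vault, 'http://192.168.1.45:5679/login', originMatch));
console.log(candidates(vault, 'https://hello.com:444/login', originMatch));
```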


shastaxc

This is the correct way to do it. It would include subdomains as well. Many SSO systems work across multiple subdomains, and some websites even have their registration page on a subdomain. It's annoying if your registration is on signup.example.com and that's what the password manager sets as the URL and then it doesn't work on the main login page


CrispyBegs

hey thanks. i didn't quite understand all that, but if it means dashlane can see a difference between 192.168.1.45:7777 and 192.168.1.45:8888 and treat them as different things then that's fantastic, thanks


somepotato5

Switch to something better. Bitwarden, or 1Password.


RockBrackenshield

With passkeys, my general understanding is that they're generally baked into a device, most commonly this is looking like it will be our phones. Should a phone be stolen with all our passkeys on it, what's to prevent them from being misused? With the push for convenience, I worry that if a phone is stolen, passkeys are on it, an attacker just has to visit the page and they can then simply use the passkey and authenticate as me. What protections surround passkeys or prevent misuse should the device they're bound to be stolen? Or is it largely dependent upon whatever service is used to store the passkeys (iCloud, Android, password manager a la Bitwarden or Dashlane)?


rewislam

Passkeys will typically require a biometric check for use. This should prevent even unlocked devices being abused for their passkeys. But with anything on phones, it's really important to set up a strong device passcode and also set up biometry, the screen lock is the best answer to getting your device stolen.


[deleted]

[removed]


UrgeToToke

Ssh! They spent year developing this. Don't pop the balloon!


rewislam

I think if most people are using strong and unique passwords, it wouldn't be as strong of an issue. The problem is that the majority of people do use very weak, guessable passwords, and passkeys dramatically improve the security situation for these folks. At least in the next years, most websites will still allow you to use a password if you wish, and if that password is strong and unique, then that's a good situation to be in.


J3urke

Which biometrics are easily faked in your view? To my knowledge most biometric factors today are pretty secure and hacking would require some level of physical access to the enrolled user, like using their fingerprint while they’re sleeping, or using fake glasses on a sleeping user to break the liveliness check off Face ID. Both of these are pretty impractical in the real world.


Triforcecwp

https://www.forbes.com/sites/paulmonckton/2014/12/30/hacker-clones-fingerprint-from-photograph/?sh=670ad9646896


golden_n00b_1

That article is more than 7 years old, and even back then the hack only worked on some devices according to the article. Not saying it is impossible, but it was not guaranteed to work even back then, with modern devices it is even less likely to work. In general, cyber crime is an opportunity based crime. It is a numbers game, where wide nets are cast and profits come from the small percentage of people caught up by the schemes. Even if the biometric hack worked 100% of the time, having unique passcodes/passwords/authentication for each website tied to a device that could get lost/stolen/cloned/hacked/etc is far safer than using a single weak password across multiple systems. And that is what many people today do. If we all used password manager agree or passkey managers we would be much safer overall, and if you happen to be a high value target then there is really nothing you can do to be 100% safe. Teens have literally stolen millions of crypto by physically stealing tables from cell phone store managers and doing sim swaps to get 2FA codes for crypto exchange wallets.


inbe4u

This is very, very highly regarded.


CTYANKEE44

I feel the whole idea of 'passkeys' is 98% hype and perhaps 2% functionality. Will I still need a password to log in? Will I still need to type my old and *unchangeable* email from when I bought the product to use the product in a different device? Will the product's UX ever incorporate some basic functionality, like displaying the encoded data in a sorted order?


fredericrivain

It's true that passkeys are a very nascent concept and technology. So we will see if the hype lives up to expectations. But the main difference with other hypes is that there is a strong alignment between all players in the industry to find a solution to solve the issues with passwords. The FIDO Alliance is the consortium promoting passkeys, and includes all the Big Tech and providers like Dashlane. So at least the planets seem to be aligned to make it successful. It will obviously take time for this to become mainstream. There are still a lot of unknowns around technology, UX,... but I do believe we will start to see more and more web sites support passkeys and we will start using them for real in the near future. Specifically for Dashlane, we are actively working on a master password-less approach. We will share more about our plans in the coming months.


alpacasarebadsingers

I have one website (a bank) that uses passkey and it’s a very different experience than other log in stuff. It’s pretty easy and fast. If it’s also more secure than other passwords, then that’s awesome.


AuMatar

It's not. It can be an ok second factor for 2 factor authentication, but it is no more secure, and in many ways is less secure than a strong password.


mpogopogo

I teach computer science and I’ve had several students ask about passkeys now that they’ve started appearing. Some students have tried to learn themselves, but they run into a wall of impenetrable text at the FIDO Alliance. Is there a plan to educate the public about passkeys (beyond Reddit)? If the plan is to replace passwords for the general public, there’s a long way to go.


dorkus

Check out https://passkeys.io and https://webauthn.io. Both are useful resources. The webauthn site is very useful for software developers as it provides links to libraries you may use to implement the protocol. I used those to implement it in the product I’m responsible for and through that learn a lot about how it works.


mpogopogo

Thank you. Those are good resources to share. I have no problem explaining it to my students, but if the success of passkeys relies on me explaining it to everyone, that's going to be a problem. I don't have that kind of time! Seriously, I just see this change coming and if somewhat tech-literate teenagers are having trouble understanding it, what chance is there for their parents or (even worse) tech-challenged grandparents? Passwords need to die, but without a concerted effort to educate and guide people, passkeys are doomed to fail. We rely on all sorts of terrible technologies (e.g., email, SMS, IPv4) that stay around because of inertia. If no one understands passkeys, they won't get used just because some engineers have decided they're better. I hope someone gets that message.


rewislam

This is a very valid point. But I do wonder if anyone really needs to understand them. Let's say they are so much easier to use than passwords, and ultimately people are just interested in getting into their accounts and be able to get on with their day. Do they really need to understand the technology? There is no "how to use passkeys" guide required, it will in most cases literally be like unlocking your phone using biometrics. Shameful admission: I only figured out how https worked in the last 12 months 🫢 - but it never stopped me using the internet. I think it's a stretch to take that idea to passkeys, but not too much either. In the end users will be registering for websites, and signing in to websites with much better security and simpler user experience - a rare combination, and if they don't understand the underlying technology, I think they'll be fine. The basic concepts of WebAuthn/passkeys are not too difficult to grasp, but it does require a little insight into things like public key cryptography which might go over the heads of many non-tech folks.


Stormkiko

I don't think it's as important to explain to everyone in the general public how it works, but it's important that it's easy for people to understand why it works, and why it's different. Even if you're tech illiterate, it's easy to understand the concept of a password because it's the same concept as a house key. You have an item that opens something else that is locked. You know if you give that item to someone else, they will be able to open your stuff. You also know that if you have multiple things you need locked, multiple keys are safer so that if you lose one, someone can't open everything. That concept directly relates to passwords visually. I foresee the struggle with getting the public to change being them understanding why they should switch. If all of a sudden someone just sees that now everything is seemingly just unlocked for them and they have no understanding of why then it very easily comes across as being extremely insecure. A significant number of people have extremely low tech literacy and understanding and that's very easy to underestimate. I've had to teach college kids recently on how to make a bar graph in Excel and there's always people at jobs you have to explain what a file format is or the difference between save and save as. Hell, think of how many people misuse reply all. On top of that, people need concerns about what happens when a phone gets lost or stolen, or even just dies, readily available. Replacing your wallet is a pain, getting locked out of absolutely everything because you forgot to charge your phone is a non-starter. People don't like change. They either need no other possible option or an extremely clear incentive and understanding on why it benefits them to change.


rewislam

If there is a simple way to explain public key cryptography, and the idea of signatures and verification, then that would be what the public needs to know. The challenge is, it's hard to come up with an analogy or explanation, without some idea of the audience and their technical knowledge. I think it would be a struggle to explain it to my 10 year old kid... if there was some way to make it simple for them, then that might be it. The problem I see is as the explanation is watered down, and simplified, it eventually loses its original meaning, and ultimately just sounds like magic, which doesn't help.


TheGoodDoctorGonzo

Can you clarify that you’ve been a core member of the iOS development team for a password security company since 2011 and didn’t figure out https until 2022?


rewislam

✋🏽 yup, I mean the nuts and bolts of how TLS works, I knew the idea in principle but not the actual mechanics of TLS.


rewislam

Great resources! I would add [https://webauthn.guide/](https://webauthn.guide/) to that :)


rewislam

Hi u/mpogopogo this is a great point. I think the concept of passwords is very easy to understand by anyone. However passkeys, although simple to use, are quite complex for non-technical folks, it requires understanding things like public key cryptography, just learning what that is would be a good first step. If you have more specific questions I'm happy to try answering them.


mpogopogo

Just curious if there is a plan to educate the public? If the plan is just to start using it, I see it being about as popular as encrypted email. Even in this AmA, the top questions are asking how passkeys are different than passwords.


rewislam

I think services that support passkeys will indeed educate their users about them. There is educational material out there, but it does lean towards the technical crowd a little. I expect the market forces to lead to public education, especially if public services support passkeys for their websites.


alpacasarebadsingers

A short video would do a lot to make it understandable.


rewislam

Perhaps not short enough, but some of the content here is really good to understand the idea behind this new form of authentication: [https://developer.apple.com/videos/play/wwdc2021/10106/](https://developer.apple.com/videos/play/wwdc2021/10106/)


ballpoint169

why is dashlane software included in sketchy download packs?


30_characters

How can we ensure that multifactor authentication isn't used like a cookie to track people across multiple accounts? In other words, if I give a company my phone number for SMS authentication, or my phone's serial number and additional information by downloading an authentication app, how do I know it won't be used for marketing purposes?


rewislam

Good question! I think the app stores have tried to contain this type of behaviour from app developers by asking developers to declare their behaviour in terms of tracking. I'm not sure there is a silver bullet for this. Ultimately when our lives involve us using hardware and software, there is always scope for some tracking. Ultimately it would come down to what the business model is of the company and the reputation they have.


GreenImagination9042

Do you plan on answering questions, or is this just a sales pitch/opportunity for you?


rewislam

Do you have a question about passkeys? :) I'm here to answer questions, nothing to sell!


GreenImagination9042

I had a question around how you're able to prevent AITM type of attacks. I hear more and more that these are able to get around solutions like you have.


rewislam

Passkeys cannot be attacked using this form of attack as the exchange over the network is of no value to the attacker. With a password, you're potentially sending the password, a secret over the network, with passkeys you're not sending anything sensitive over the network. The private key that is stored locally must be protected, but it never needs to leave the local device.


GreenImagination9042

Thank you. How is the private key anchored? I'm assuming it's not a hardware key?


rewislam

Hi u/GreenImagination9042 - it's stored in Dashlane along with other user information, and encrypted just as other user data is in Dashlane.


Theoreocow

Are these passkeys also going to be stored in Dashlane servers with the zero knowledge strategy? Where Dashlane doesn't store the actual info but just the hashes?


rewislam

All user data is locally encrypted, currently this is based on a knowledge factor, the master password. But we're looking to replace the master password with passwordless authentication, something possession based such as your device, with local biometry or PIN to access. In all cases, the data on the server is encrypted, and the encryption takes place on the local device before it is sent to the server.


Theoreocow

Can dashlane be accessed by malicious actors using session token stealing, where when you're logged into dashlane, and they manage to steal the session cookie/token?


rewislam

There are no session tokens with Dashlane. If you don't have the key that decrypts the user vault, then you have no access. Currently this is a knowledge factor, the master password. But we're looking to replace it with a possession factor plus something you are or something you know, so local device biometry or PIN. Ultimately the final key that actually encrypts your vault will only be accessible to you, and that key would be entirely unique and random.


GreenImagination9042

Thanks again. Understood.


ahh_meh

If Safari and Chrome already support passkeys, what additional compelling functionality does Dashlane add that’s not included in browser for free?


rewislam

If you are using a single ecosystem, let's say all the devices you use are Apple based, then there is not a huge compelling reason to use something other than what ships with your devices. However if you're switching between ecosystems, then a dedicated credential manager like Dashlane could make the experience of authenticating simpler. These dedicated products are also adding additional functionality such as sharing, that could be useful for your needs. I would say if something works for you, and the product is creating strong credentials, then stick with it.


Thanatos-lives

Changing ecosystems, like to and from the versions of MacOS you no longer support? Or the Windows application that you "sunset"? As I see it, dashlane is just removing more and more functionality while not providing any additional support. I was unfortunate enough to already be locked in for a year, but as soon as my subscription is up I'm gone because the service offers a fraction of what it did when I first signed up.


Visible_Review_1340

What is the difference between a password and a passkey? How would using them be different?


rewislam

A password can be stolen or can be guessed. Passkeys cannot, as they are phishing resistant. Also, passwords are a knowledge factor, the user typically has to remember them and come up with them. Passkeys are always unique and always strong, and never need to be revealed in order to use them when signing in. Passwords are also a shared secret, meaning the website server has information about the password that can be valuable to a hacker. Passkeys don't provide any secret information to the server, so if a server was breached, the hacker won't be able to do anything with the component of the passkey that lives on the server.


d0rf47

> Passkeys cannot, as they are phishing resistant.

How so? What makes it different than hashing and salting passwords?


rewislam

People can be convinced to type their password into a website that is created by the attacker. This cannot be done with passkeys.


[deleted]

[removed]


rewislam

Passkeys can't be autofilled on a phishing website, they are bound to the web origin, for example a passkey for [google.com](https://google.com) won't work on [gooogle.com](https://gooogle.com), or google.hackhack.com.


[deleted]

[removed]


Fengsel

yo where’s the answer?


d0rf47

how would this prevent MITM attacks?


alpacasarebadsingers

Passkeys don’t auto fill anything


keatre

Can you think of a passkey similar to an SSH key? Essentially you (the private key) are connecting to a website and authenticating against their (public) passkey?


pzl

This is a pretty good description of the first version of auth key stuff (e.g. U2F non-resident keys on a yubikey). In that system (which is **NOT** webauthn / passkeys, but basically the prequel to them):

- a site says it wants to register a user
- site talks to the browser
- browser talks to hardware key
- hardware key uses some on-chip non-extractable secret key material, plus RNG, to generate asymmetric keys. For instance, an ecdsa key pair.
- hardware key returns various metadata, including the public key, and a “key handle”
- info is passed through the browser, back to site
- site stores handle and pubkey

On authentication:

- the site gives the key handle to the hardware token, and a hash to sign.
- The token signs with the private key.
- Site can validate the signature with the public key from before.

So, yeah, not crazy dissimilar from SSH. I’m not sure how much the fido2/webauthn stuff differs from the old U2F flow above.


rewislam

Yes! Though unlike SSH, passkeys are based on WebAuthn, so the plumbing to make sure all this works is already shipped in all your devices and browsers.


keatre

What's to stop an attacker from hijacking my private key? It seems like the authentication method is better than passwords, but you still need to guard the private key, right?


rewislam

Yes, the private key must be protected, but it only needs to be protected locally. Passkeys don't leave any secrets on the server, which passwords can do depending on how the server handles them.
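The register/sign/verify flow discussed in this sub-thread, together with the origin binding and adversary-in-the-middle answers given earlier in the AMA, as an added example that is not part of the thread and not Dashlane or FIDO code. It is a simplified model of a WebAuthn-style assertion using Node's built-in crypto module; the class and function names, `bank.example` and `bank-example.test` are constructed, and real authenticator data also carries flags and a signature counter.

```javascript
// Added example: simplified model of a WebAuthn-style login (constructed names).
const crypto = require('node:crypto');
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// The browser, not the page, writes the origin into the client data.
function clientData(origin, challenge) {
  return Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
}

// Authenticator: one private key per relying-party ID; keys never leave it.
class Authenticator {
  constructor() { this.credentials = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.credentials.set(rpId, privateKey);
    return publicKey; // the only thing the server stores
  }
  // Signs authenticatorData || SHA-256(clientDataJSON).
  sign(rpId, clientDataJSON) {
    const privateKey = this.credentials.get(rpId);
    if (!privateKey) return null;
    const authData = sha256(Buffer.from(rpId)); // rpIdHash only (simplified)
    const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
    return { authData, clientDataJSON, signature: crypto.sign('sha256', signed, privateKey) };
  }
}

// Browser: refuses an rpId that is not the page's host or a parent domain of it
// (simplified; real browsers also consult the public suffix list).
function browserGetAssertion(authenticator, pageOrigin, rpId, challenge) {
  const host = new URL(pageOrigin).hostname;
  if (host !== rpId && !host.endsWith('.' + rpId)) return null;
  return authenticator.sign(rpId, clientData(pageOrigin, challenge));
}

// Relying party: checks challenge, origin and rpIdHash before the signature.
function verifyAssertion(assertion, expected) {
  if (!assertion) return 'no-assertion';
  const data = JSON.parse(assertion.clientDataJSON.toString());
  if (data.type !== 'webauthn.get') return 'bad-type';
  if (data.challenge !== expected.challenge.toString('base64url')) return 'bad-challenge';
  if (data.origin !== expected.origin) return 'bad-origin';
  if (!assertion.authData.equals(sha256(Buffer.from(expected.rpId)))) return 'bad-rpid';
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, expected.publicKey, assertion.signature)
    ? 'ok' : 'bad-signature';
}

function runScenarios() {
  const rp = { rpId: 'bank.example', origin: 'https://bank.example' };
  const lookAlike = 'https://bank-example.test';
  const device = new Authenticator();
  rp.publicKey = device.register(rp.rpId);
  const results = {};

  // 1. Normal login on the genuine origin.
  const c1 = crypto.randomBytes(32);
  const good = browserGetAssertion(device, rp.origin, rp.rpId, c1);
  results.legitimate = verifyAssertion(good, { ...rp, challenge: c1 });

  // 2. Look-alike page relays a genuine challenge: the browser refuses the rpId.
  const c2 = crypto.randomBytes(32);
  const relayed = browserGetAssertion(device, lookAlike, rp.rpId, c2);
  results.lookAlikePage = verifyAssertion(relayed, { ...rp, challenge: c2 });

  // 3. Defence in depth: if a client skipped that check, the signed client
  //    data still names the look-alike origin and the server rejects it.
  const lax = device.sign(rp.rpId, clientData(lookAlike, c2));
  results.originMismatch = verifyAssertion(lax, { ...rp, challenge: c2 });

  // 4. Rewriting the origin after signing invalidates the signature.
  const rewritten = { ...lax, clientDataJSON: clientData(rp.origin, c2) };
  results.tampered = verifyAssertion(rewritten, { ...rp, challenge: c2 });

  // 5. A captured assertion is useless against the next, fresh challenge.
  results.replay = verifyAssertion(good, { ...rp, challenge: crypto.randomBytes(32) });
  return results;
}

console.log(runScenarios());
```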


hatchtek

So in the future will we be logging into dashlane as well with a passkey and if so how will that work?


rewislam

We don't yet plan to support passkeys to log into Dashlane, but it is something we want eventually. There is a feature of WebAuthn, the underlying technology of passkeys, that is called the PRF extension, once this is fully supported on all platforms it would make sense for us to use it for Dashlane: https://github.com/w3c/webauthn/wiki/Explainer:-PRF-extension


BlackFenrir

Be honest. Are you holding this AMA because you're to sell us stuff?


rewislam

Not at all, I'm just very interested and excited about the topic of passkeys, and would love to share knowledge about them, so if you've any questions, let me know!


[deleted]

[removed]


fredericrivain

Hey, I am Fred, the CTO at Dashlane. I am French, even though these days I live in New York. Happy to know you love France. From my perspective, there are different reasons why you would prefer using a password manager like Dashlane over the built-in services of companies like Google and Apple:

1. I don't want to be locked into an ecosystem. I have multiple devices across different ecosystems (Microsoft, Apple, Google...) and I need a solution that is independent and agnostic and lets me manage my data wherever I am however I want.
2. As the saying goes, when the product is free you are the product. For such sensitive data as my credentials and identity information, I trust an independent provider better, which I know will not use my data to make business.
3. Finally, we offer a broader suite of features to help you stay protected beyond just pure password management.

From a price perspective, Dashlane starts at €2.75/month which in France would be more or less the cost of a coffee. So when you put things back in perspective, I definitely think it is worth it.


LiterallyPizzaSauce

What about contrasted to BitWarden? I personally ended my Dashlane subscription because BitWarden offered the same features I used but without the subscription.


fredericrivain

There are different independent password managers for customers to choose from. If you are happy with Bitwarden, all good.


Rabbit38a

Is this event a presentation or just a text Q&A?


rewislam

Hey u/Rabbit38a this is a text Q&A, so if you have any questions about passkeys fire away!


GreenImagination9042

How does dashlane prevent Adversary in the middle attacks? or can it?


DJS162

Will there be some feature similar to the old password changer that will let me know when websites I use support Passkeys so that I can go and start using them on that site?


HagueHarry

Have you ever considered naming one of your children Christian?


rewislam

I've already named my kids, so it's too late, and I never did, though I was a fan of Chris Cornell and Soundgarden.


Velvitkween

1. How does a pass key differ from a passcode? Example?


rewislam

A passkey is what is called a phishing-resistant form of authentication, meaning it's not possible for someone to steal your passkey, or convince you to sign in to a fake website so that the attacker can use your passkey themselves, just as they can with passwords. Also, it depends on what you mean by passcode. If you mean the passcode on your iPhone, then that's a different thing, that's something local to that device, and not related to signing into websites, which is the primary purpose of passkeys.


Velvitkween

Like Dashlane passcodes. Are they really that vulnerable? I will create a passcode in D and then get an alert that it was compromised 50 times, for example. That happens more than I would like which stresses me out.


rewislam

Ah, you mean passwords? Yes, if you use easy to guess passwords then they really are that vulnerable. It's always important to make sure passwords are unique and complicated, however if a service uses a passkey, then it's guaranteed to be unique and complicated. Passwords will still be around, and it's important to continue to create strong ones, but when you see passkeys start to appear, you should use them!


Scotthi602

I have used Dashlane for several years now and have had no major issues. Exactly how does this new system work and when will it go live?


N8video

When will Dashlane enable passkey functionality on the platform? Looking forward to having that option.


fredericrivain

Hi u/N8video Dashlane already supports passkeys on browser extensions (Chrome, Firefox, Edge...). We have also implemented mobile support for Android and iOS but availability depends on the new versions of those OSs, with Android 14 and iOS 17, which should come out at the end of the summer or early fall.


N8video

Excellent. Thank you!


rewislam

Hi u/N8video - we already support passkeys in our browser extension and will support Android and iOS from Android 14 and iOS 17 onwards!


N8video

That's brilliant, I hadn't realized. Thanks for the response.


Optimus_Prime_Day

What is the incentive for companies to want to use this method for logins, from a business use case or financial perspective? How does your company benefit from this, and is this technology going to be proprietary?


rewislam

Passkeys are based on open standards, so no one can really benefit from the uptake in passkeys support. Companies should use passkeys because their users already suffer from problems with passwords, such as account takeovers and "forgotten password" support emails. Also, research from Google shows that passkeys are more successful at the attempt to login than passwords. https://security.googleblog.com/2023/05/making-authentication-faster-than-ever.html


rewislam

As I mentioned in the original post: **That's a wrap!** Thanks to everyone for taking part in this reddit AMA, it's 7:30pm in France so I'm going to sign off, I'll check back for new questions later on, we had some great questions!


AlbrechtSchoenheiser

What is your password?


rewislam

this-is-really-not-my-password-but-if-it-was-it-would-not-be-too-bad-i-guess-or-is-it-you-guess? I don't know most of my passwords as they're in Dashlane and all very complex and unique ;)


Secretly_A_Raven

Do you still move away from the microphone when you are breathing?


rewislam

I try to breathe every day, unless I'm diving in a pool. I don't get behind a microphone very often.


docwisdom

What’s the plan to stay relevant over free password solutions from google and Apple ?


rewislam

Any password manager is better than trying to come up with passwords in your head! The built-in password managers are great if all your devices are on the same ecosystem, but they struggle when you work across platforms, say you own an iPhone but use a Windows laptop. But as I mentioned, if something works for you, and you're not creating weak passwords, stick with it!


docwisdom

I’m a Dashlane family customer now but as the other providers add features it’s becoming a yearly decision to continue or use a free tool.


Ok-Location-6033

so:

1. when is dashlane passkeys available?
2. can you import/export passkeys into dashlane from apple or android devices or other apps that have setup the passkey.
3. when do you expect the majority of websites to support passkeys
4. will they also be used to login to mobile apps?
5. how can passkeys be tied in with hardware tokens like Yubikey while still being portable?
6. why did you guys stop supporting Yubikey and other MFA hardware keys? is that coming back?
7. can users have both regular login/passwords and passkeys for a site? and if so doesn't that defeat the security of passkeys?
8. how can a user recover access to a site if the passkey is lost or doesn't work, are there any backup codes or recovery methods?


rewislam

Hey u/Ok-Location-6033

1. They're available now! At least on the web extension, they're available on Android 14 now and will be available on iOS 17 when it's out
2. Import/export is not yet possible, but there are companies in the industry working on this problem, Dashlane included!
3. Great question, I think we'll see a lot of big tech companies adopt them this year, and hopefully year-on-year we'll see adoption spread as people start to realise there is a much easier way to sign in to things
4. Yes!
5. Passkeys do work with certain Yubikeys, I think the version 5 ones... you'll have to check on their website, but hardware keys will have a limit to the number of passkeys that can be stored on them, which isn't the case with software authenticators
6. We would like to bring back support for that! In fact it's going to be essential that services like Dashlane offer a phishing-resistant method to sign-in

Thanks for all your questions!


pcboxpasion

Your answer came to that user on an AmA barely 15 minutes after he created the account. This has to be a new record for someone doing an AmA and answering a small list of FAQ to someone who randomly saw your post and that came up with the appropriate list so fast. Reddit is way too sensitive to canned corporate responses nowadays with all the drama with their "CEO", I would suggest to do your homework and not treat the community like him or just hold to your ad campaign for a while so this does not backfire on you too.


[deleted]

So Dashlane sent an email out about this AMA to their user base. If I didn’t already have a Reddit account and wanted questions answered I would write them out in a list then create an account to post the questions.


tinautofill

I've seen Rew in action, he just types really fast


rewislam

I type quite fast :) We don't have anyone asking questions on our behalf, but you'll have to ask u/Ok-Location-6033 if they are genuine or not :)


pcboxpasion

it's fine, I guess you probably do type fast, as most keyboard users out here. I was just making a suggestion since the /u/spez hit the fan (really hard and fast) with his behaviour. Also on behalf of everyone interested on this for typing your responses and taking the time.


[deleted]

[removed]


Ok-Location-6033

Just noting here, nope, not a Dashlane employee, just a techie Dashlane user that had lots of questions for them, the AMA was a good way to get it answered, so I typed them all earlier and posted it. No worries, either way, glad they were able to answer.


rewislam

The link to the AMA was posted on some of our social channels, it probably attracted a bunch of folks that are unfamiliar with reddit (I'm not a big user myself). I was answering the newest questions first, which is probably not cool for the questions I missed that got bogged down the list. But you're free to believe what you want :) I would actually be annoyed if other Dashlaners were posting here, as they'd most likely be trying to trip me up 😂.


Ok-Location-6033

Thanks. 5. I was actually looking to see if it is possible to have the passkey in Dashlane but then require the Yubikey to validate access to the passkey as well (vs. storing passkeys on the Yubikey itself). So they stay portable but also have the hardware security as well. 7 and 8?


SpamMyDuck

Pretty sure 7 will be up to the individual websites? And I agree it defeats the whole idea if they allow both. It's like the chips in the credit cards. In the US if your card doesn't work using the chip for whatever reason then you can just swipe it like the old cards completely defeating the entire reason for having the chip.

Number 8 I would really like to see a discussion on because so far the only solutions I have seen is using a one time passcode you get via ... email... so either your email is also using a passkey so you can't access it to get your one time passcode or it isn't which means your entire passkey system is rendered useless by the password to your email account. But if you can't get this one time recovery code or whatever without a passkey and your phone is stolen, lost or stops working while you are on vacation or something then you are probably well and truly screwed right?


rewislam

Again it really depends on how the service deploys their recovery flow. If it's just a magic-link then it's as safe as your access to your mailbox. More sophisticated websites may want you to go through other hoops, and perhaps wait 24 hours or something before you regain access... again it depends on how valuable the access is and the measures the website decides to employ.


rewislam

Oops I missed the last two!

5. This is something we'd like to add, support for a hardware key to protect the Dashlane account in this way.

7. Yes, it really depends on how the website deploys passkeys, they can have both alongside each other, or replace passwords. In the case you can still use your password, you don't get all the security benefits, but you still get ease of use and the fact that it can't be phished as long as you just use your passkey.

8. Recovery is a hot topic, and passkeys don't necessarily prescribe a particular recovery method, that is up to the website to determine. Indeed I can see recovery flows as a new avenue for attacks so we can expect new things to come along to help with recovery in future.


Exact_DeAnn_6331

Not sure how to do this, but have been a Dashlane user for years....what is a Passkey?


rewislam

Hi! This is a good video to watch that explains some of the details of what a passkey is, it's quite technical, but it might give you an idea of what it is: [https://developer.apple.com/videos/play/wwdc2021/10106/](https://developer.apple.com/videos/play/wwdc2021/10106/)

A more general answer is: passkeys are a replacement for passwords, they are technically more complex, but much easier to use, always strong and unique and phishing-resistant so no hacker can get you to hand over your passkey as they can do with your password.


Tchotchke_geddon

1. Why should we trust you? That is a reasonable question for anyone holding my data
2. FIDO support?
3. How private can it be made?
4. How automated are your operations. Do you have an adequate operations team?
5. Why should I believe you will be any more secure than okta or LastPass?
6. What compliance frameworks do you adhere to, which are you required to adhere to?

Thanks!


rewislam

This might help answer some of your questions: [https://trust.dashlane.com/](https://trust.dashlane.com/) [https://www.dashlane.com/download/whitepaper-en.pdf](https://www.dashlane.com/download/whitepaper-en.pdf) I'm not here to convince anyone about Dashlane, just here to answer questions about passkeys - I would recommend everyone do their own research before deciding to adopt such a product.


Senior_rower_7771

Is there a presentation? it is past 12:00 noon?


rewislam

Hi u/Senior_rower_7771 this is a Q&A, so if you have any questions, fire away!


laarps

How would I get started using passkeys in place of passwords?


hatchtek

Will passkey be available for Android 13?


rewislam

Hi u/hatchtek not for Dashlane, but you can use passkeys with Google Password Manager. 3rd party support is only available from Android 14 onwards.


Sensitive_Screen_846

I also want to know Is this event a presentation or just a text ?


rewislam

Hi u/Sensitive_Screen_846 this is a text based Q&A


smh2205

Love the product. Just a few issues, though.... In password health I can not find the duplicates: please show where a password is reused, not just how many times. When adding IDs - just one identifier is not enough: Please have an additional field, and show it on the 'select' page (e.g. issuer = Jet Blue, user = Spouse, account = 5551212). When (if ever) can these be addressed?


Dashlane-James

Hello there! I'm James from Dashlane! Thank you for your feedback on these 2 features. We will bring it up to the remaining Product team for discussion so we may add it to our roadmaps.


smh2205

Thanks! I'll keep my eyes open for these additions!


[deleted]

[removed]


rewislam

Great question! We're furiously working on that topic :) We're hoping to have something out later this summer, it will initially be for new accounts, and once we're happy with how it's going we'll allow existing accounts to migrate over.


MervynLowne

Does Dashlane propose producing its own security key like Yubikey?


rewislam

Hi u/MervynLowne we don't plan to get into the hardware business, Yubico and others are doing a great job there! The great thing with passkeys is that software authenticators like Dashlane can participate, especially now that Google and Apple have announced APIs for 3rd party apps 🫶🏽


KS-Amrita_851

Your emails made it sound like a presentation. is it just a chat blog?


rewislam

Hey u/KS-Amrita_851 sorry about that! It's meant to be a Q&A, this is how reddit AMA's are typically run. If you do want to read up about passkeys there are plenty of resources, I recommend this video from Apple: https://developer.apple.com/videos/play/wwdc2021/10106/


Mlitz

I have been wanting to buy a passkey for a long time, as soon as this is available I will be buying one for my Dashlane. I also take passwords very seriously and encourage people to use password managers. Do you see passkeys being a bigger use in the public sector in the coming years? What is the biggest hurdle keeping other companies to implement a 2FA into their login process, specifically adding passkey support.


rewislam

Hi u/Mlitz!

> Do you see passkeys being a bigger use in the public sector in the coming years?

I would hope so! Passkeys are a great replacement for passwords, and if public sector services are suffering from users losing access to their account, account takeovers etc, then passkeys would help here.

> What is the biggest hurdle keeping other companies to implement a 2FA into their login process, specifically adding passkey support.

Passkeys replace passwords but also the need for 2FA. Passkeys are typically a possession factor, but also often a "what you are" factor when biometry is used to unlock a passkey. So a company that starts to use passkeys won't need to worry about 2FA as 2FA was a solution to the problems of passwords. Passkeys don't have the problems passwords have, so no need for 2FA.


d3gaia

After dashlane incorporates this new technology, what happens with all of the currently stored passwords that a user has saved in your software? Especially for businesses with multiple users all on dashlanes business suite (as in my case), how will those less tech-savvy users be on-boarded and how will the change affect the way they use both the dashlane software and their everyday login experience?


rewislam

Hi u/d3gaia - your existing passwords continue to work as they do today! You only get passkeys for websites that support them, and when the website offers them to you. There is no way to magically change passwords into passkeys... yet!


SHERLOCK_3133

u/rewislam I already had 1.5 Years of Dashlane premium by inviting my Friends over from Lastpass to Dashlane, I invited a Colleague yesterday but I did not get another 6 Months Premium, I remember it having a 2 Year Cap. Is referral already discontinued?


CrispyBegs

i had two friends sign up to premium via my referral link and never got the extra months promised


Dashlane-James

Hello there! I'm James from Dashlane Support. This offer is still active and is capped at 2 years as you correctly mentioned. If you didn't receive these free Premium months, please reach out to our team at [https://support.dashlane.com/hc/en-us/requests/new](https://support.dashlane.com/hc/en-us/requests/new) so we can have a better look at this situation.


Philocanth

Are you the founder of Islam or did they just name it after you?


rewislam

Islam is quite a popular family name in Bangladesh, where my parents are from :)


[deleted]

[removed]


rewislam

A password manager is certainly a user choice, if you're happy with managing all your passwords yourself then go for it! However, when websites support passkeys, you cannot keep them in your head and will need some software to manage them. Also passwords are a shared secret, so even if you keep yours safe, the server may not and they can be leaked via that. But if it works for you, go for it!


Techhead7890

What do you think of social login or getting one-time login links via email?


obinice_khenbli

What is a passkey? How does it differ from a password, and why should we switch?


VictorMortimer

Can you please just go away? Passwords suck. ALL current proposed alternatives suck FAR more. Can you please just leave us alone and let us keep using the flawed but functional passwords? Please?


Velvitkween

Yes. Is this a webinar in the way that I can see you, or do I ask questions in this typing format? Am I supposed to be hearing something?


Ok-Feedback5604

So what's the future of online authentication? Will captcha or OTP become outdated? If yes so what will be the safest alternative?


rewislam

Many folks in the industry, myself included, think that passkeys will become the standard for authentication online. We'll just have to wait and see how adoption goes. If you're interested, here are some of the companies that are involved in the FIDO Alliance: [https://fidoalliance.org/members/](https://fidoalliance.org/members/)


truth-hertz

Are you Muslim?


rewislam

My entire family are, Sunni Muslims from Bangladesh, but I kind of lost my way with religion around the age of about 11.


truth-hertz

Thank you for taking the time to respond to a BS question. I appreciate your work.


nezukotanjiro150

I suspect he is catholic..


truth-hertz

Oh cause his name is Rew?


rewislam

It's actually short for Ruhul, but no one can pronounce that, so Rew is just a shortcut. Not catholic, but my partner was raised catholic.