Hey Reddit! I’m Rew, and I’m the Director of Product Engineering and Innovation. I lead the passwordless projects at Dashlane, where we help keep all your passwords, payments, and personal info safe, secure, and accessible only to you.

Passkeys are a simpler and more secure way to authenticate online. Leveraging WebAuthn, the same underlying technology behind security keys like YubiKeys, passkeys are set to redefine our digital safety norms. Born from the inventive minds at the FIDO Alliance, and already adopted by Google and PayPal, passkeys are a potential game-changer in cybersecurity, and we at Dashlane are thrilled about this. Envisaged as a future replacement for passwords, passkeys promise a more secure digital world.

Proof Photo: https://i.imgur.com/0JXKo02.jpg

A little about myself, I started my career doing web development in the early 2000s, then eventually, I joined Dashlane in 2011 as their first iOS developer. I grew up in East London, an area called Brick Lane, and now have settled with a partner and two kids just north of Paris, France.

I’m looking forward to answering your questions about passkeys, Dashlane, best practices, or myself. Ask me Anything!

Update:

Helping answer questions is:

Dashlane's Chief Technology Officer - u/fredericrivain

Dashlane's Autofill Product Manager - u/tinautofill

Customer Support Specialist - u/Dashlane-James

That's a wrap!

Thanks to everyone for taking part in this Reddit AMA. It's 7:30pm in France, so I'm going to sign off; I'll check back for new questions later on. We had some great questions!

What is this all about?

I recommend these videos produced by Apple which go over some of the current flaws in authentication technology and how things based on FIDO standards like WebAuthn could be a solution if companies work together to make it happen (spoiler: they did just that!):

Move beyond passwords:

https://developer.apple.com/videos/play/wwdc2021/10106/

Meet passkeys:

https://developer.apple.com/videos/play/wwdc2022/10092/

Comments: 268 • Responses: 69

TheLonelyWoodworker256 karma

After cutting all reasonable support for your Safari users, then finally releasing a replacement after months of a complete lack of functionality, you cut off support for anything but the latest version of macOS. Do you have any plans to bring back support for older (still maintained and updated) versions of the OS to bring service levels back to what your user base signed up for and was promised?

rewislam41 karma

We're in an unfortunate situation with Safari. You can't have a Safari extension unless you ship a native app on macOS. We don't have a native app on macOS, so what we've done is ship our iOS app as a Mac Catalyst app; this means that what you see on macOS is essentially the app for iPad, but running on macOS.

The problem with this is that when we drop support for iOS, which is often possible as many people update their iOS version quite soon after it is available, it also cuts support for macOS, as they are both tied to essentially the same version. We realise it's less likely or possible to update macOS, but this isn't something we can work around easily. The alternative would be to create an entire app just for macOS, but the audience for specifically macOS+Safari is relatively small compared to macOS+Chrome.

Safari used to have standalone extensions circa 2019 I think, but since then it has only been possible to ship a Safari extension if it came with a dedicated native app (or Mac Catalyst app).

TheLonelyWoodworker3 karma

So reading between the lines here: you had a product that worked in Safari and was used by a multitude of Apple users because of your support. However, because the market is smaller and it took more effort than the Android/Windows ones, you decided to deprecate the app and support for it.

Am I basically right in saying then that you have no plans to restore support to its previous level and that going forward, due to your iOS tie-in, it will only ever support the latest version? If so please just say so. If there is going to be no meaningful return to support I will move on to a company that will.

rewislam5 karma

We don't plan to support older versions of macOS.

TheLonelyWoodworker3 karma

So then, just so I'm clear. Currently you support Ventura, as it's the latest version. When Sonoma is released later this year, do you plan on dropping support for Ventura as it's no longer the current version and supporting only Sonoma? Or from this point forward will you support older maintained versions, beginning with Ventura?

rewislam3 karma

We always want to keep up with the latest technologies/OSs (new APIs, updated versions of SwiftUI, security updates etc.). Dropping support for older versions allows us to iterate more easily on the product. Unfortunately software development has got to a stage where this is becoming the norm, and maintaining support for older versions of OSs becomes an ever-increasing burden; while not impossible, it really makes it challenging to develop upon what the vendors consider "legacy" OS versions.

We will not drop support for Ventura/iOS 16 in 2023. However, we don’t guarantee how long we will keep supporting them in the future.

MaievSekashi17 karma

Predictably any question worth answering gets ignored

rewislam-18 karma

I know it's an AMA, but ideally I'm here to answer questions about passkeys. I know it's not super satisfying, sorry about that!

DweadPiwateWoberts11 karma

"I'm just here to talk about Rampart."

rewislam-11 karma

I'm just here to talk about Rampart

😂

Dissk107 karma

Well, this is it. The AmA that got me to unsubscribe from this subreddit after 10 years. This is literally just an ad, how is this even allowed?

therankin15 karma

I think the thought is that it's not LastPass, which has taken a lot of heat lately, so not enough people will notice.

The thing is, with Reddit, many of us notice everything.

rewislam14 karma

I'm trying to put myself in your shoes... so we're pretending to do an AMA, but in reality it is an advert. What do you think the return on investment is for this advert? I mean, it seems like quite a bad investment if it is an advert; it could have been better spent. Honestly I'm not here to promote Dashlane, I'm just really interested to see how passkeys get taken up, and there isn't a huge vested interest in seeing passkeys adopted. On the whole, I just think people would be more secure if they used passkeys, whether that is with Dashlane or not.

I actually think there were some pretty good questions in here, and hopefully some people took something away that was useful.

ABC123itsEASY3 karma

If that's the case you chose the wrong subreddit. This discussion would have made more sense in a technology subreddit of some kind.

rewislam5 karma

The topic of passkeys is well represented within the tech scene, but everyday folks might not be aware of them, so doing this AMA was a good way to understand the gaps in knowledge. There have been good questions in here, and I do think people who have come here to learn more about passkeys have left with more of an insight into the topic.

rewislam-8 karma

Sorry to hear that, I'm not used to posting on reddit, so perhaps my tone came across too folksy? :)

soupiejr9 karma

No, it's not your tone. It's that you refuse to answer any real questions people have. But anyway, can we talk about Rampart now?

rewislam-12 karma

I had to look up Rampart... I think I get it... but do you have "real" questions about passkeys? 😁

mhuntoon83 karma

Why is it that for the past several months, my Safari extension doesn't work the same as it used to? It used to work seamlessly; now it's far less convenient to use. I also notice that I now need to constantly sign in each time I try to use Dashlane to log me into a site. Sometimes I need to retype my Dashlane account password, other times I'm allowed to use Touch ID on my MacBook Air.

I used to LOVE having and using Dashlane. The customer experience, in my humble opinion, has diminished significantly and I'm wondering if I should just switch over to the Apple passkeys instead and save my yearly fee. I think the only thing I'd be missing out on would be the VPN, but I'm honestly not even sure how good that is.

rewislam2 karma

Recently the team shipped what is known as a Safari Web Extension; by default the extension was based on a Safari App Extension. If you go into Safari settings and look at the extensions pane you should see two options for Dashlane. Here is a post that goes into more detail about it:

https://www.reddit.com/r/Dashlane/comments/13d1jnp/early_access_the_new_version_of_dashlane_for/

RockBrackenshield27 karma

With passkeys, my general understanding is that they're generally baked into a device, most commonly this is looking like it will be our phones.

Should a phone be stolen with all our passkeys on it, what's to prevent them from being misused? With the push for convenience, I worry that if a phone is stolen, passkeys are on it, an attacker just has to visit the page and they can then simply use the passkey and authenticate as me. What protections surround passkeys or prevent misuse should the device they're bound to be stolen? Or is it largely dependent upon whatever service is used to store the passkeys (iCloud, Android, password manager a la Bitwarden or Dashlane)?

rewislam14 karma

Passkeys will typically require a biometric check for use. This should prevent even unlocked devices being abused for their passkeys.

But with anything on phones, it's really important to set up a strong device passcode and also set up biometry; the screen lock is the best answer to getting your device stolen.

VAGINA_BLOODFART27 karma

So the way to rid users of pesky strong passwords where one stolen password means only one compromised system is to replace all of them with a single much more easily broken 4 digit pin, pattern unlock that can be figured out by just kinda looking at the smudges on a users screen, or easily faked biometrics, which if broken will give the bad actor access to all of your accounts and leave you completely locked out on account of your phone having been stolen and not being able to use a password as a backup?

Count me in

rewislam2 karma

I think if most people were using strong and unique passwords, it wouldn't be as much of an issue. The problem is that the majority of people do use very weak, guessable passwords, and passkeys dramatically improve the security situation for these folks.

At least in the next years, most websites will still allow you to use a password if you wish, and if that password is strong and unique, then that's a good situation to be in.

GreenImagination904221 karma

Do you plan on answering questions, or is this just a sales pitch/opportunity for you?

rewislam-6 karma

Do you have a question about passkeys? :) I'm here to answer questions, nothing to sell!

GreenImagination90427 karma

I had a question around how you're able to prevent AITM type of attacks. I hear more and more that these are able to get around solutions like you have.

rewislam4 karma

Passkeys cannot be attacked using this form of attack, as the exchange over the network is of no value to the attacker. With a password, you're potentially sending the password, a secret, over the network; with passkeys you're not sending anything sensitive over the network.

The private key that is stored locally must be protected, but it never needs to leave the local device.

GreenImagination90422 karma

Thank you. How is the private key anchored? I'm assuming it's not a hardware key?

rewislam2 karma

Hi u/GreenImagination9042 - it's stored in Dashlane along with other user information, and encrypted just as other user data is in Dashlane.

Theoreocow2 karma

Are these passkeys also going to be stored on Dashlane servers with the zero-knowledge strategy? Where Dashlane doesn't store the actual info but just the hashes?

rewislam2 karma

All user data is locally encrypted; currently this is based on a knowledge factor, the master password. But we're looking to replace the master password with passwordless authentication, something possession-based such as your device, with local biometry or PIN to access. In all cases, the data on the server is encrypted, and the encryption takes place on the local device before it is sent to the server.

Theoreocow2 karma

Can Dashlane be accessed by malicious actors using session token stealing, where when you're logged into Dashlane, they manage to steal the session cookie/token?

rewislam2 karma

There are no session tokens with Dashlane. If you don't have the key that decrypts the user vault, then you have no access. Currently this is a knowledge factor, the master password. But we're looking to replace it with a possession factor plus something you are or something you know, so local device biometry or PIN. Ultimately the final key that actually encrypts your vault will only be accessible to you, and that key would be entirely unique and random.

mpogopogo14 karma

I teach computer science and I’ve had several students ask about passkeys now that they’ve started appearing. Some students have tried to learn themselves, but they run into a wall of impenetrable text at the FIDO Alliance. Is there a plan to educate the public about passkeys (beyond Reddit)? If the plan is to replace passwords for the general public, there’s a long way to go.

dorkus9 karma

Check out https://passkeys.io and https://webauthn.io. Both are useful resources.

The webauthn site is very useful for software developers as it provides links to libraries you may use to implement the protocol.

I used those to implement it in the product I'm responsible for and through that learned a lot about how it works.

mpogopogo8 karma

Thank you. Those are good resources to share.

I have no problem explaining it to my students, but if the success of passkeys relies on me explaining it everyone, that's going to be a problem. I don't have that kind of time! Seriously, I just see this change coming and if somewhat tech-literate teenagers are having trouble understanding it, what chance is there for their parents or (even worse) tech-challenged grandparents? Passwords need to die, but without a concerted effort to educate and guide people, passkeys are doomed to fail. We rely on all sorts of terrible technologies (e.g., email, SMS, IPv4) that stay around because of inertia. If no one understands passkeys, they won't get used just because some engineers have decided they're better. I hope someone gets that message.

rewislam-3 karma

This is a very valid point. But I do wonder if anyone really needs to understand them. Let's say they are so much easier to use than passwords, and ultimately people are just interested in getting into their accounts and being able to get on with their day. Do they really need to understand the technology? There is no "how to use passkeys" guide required; it will in most cases literally be like unlocking your phone using biometrics.

Shameful admission: I only figured out how https worked in the last 12 months 🫢 - but it never stopped me using the internet. I think it's a stretch to take that idea to passkeys, but not too much either. In the end users will be registering for websites, and signing in to websites with much better security and simpler user experience - a rare combination, and if they don't understand the underlying technology, I think they'll be fine. The basic concepts of WebAuthn/passkeys are not too difficult to grasp, but it does require a little insight into things like public key cryptography which might go over the heads of many non-tech folks.

Stormkiko9 karma

I don't think it's as important to explain to everyone in the general public how it works, but it's important that it's easy for people to understand why it works, and why it's different.

Even if you're tech illiterate, it's easy to understand the concept of a password because it's the same concept as a house key. You have an item that opens something else that is locked. You know if you give that item to someone else, they will be able to open your stuff. You also know that if you have multiple things you need locked, multiple keys are safer so that if you lose one, someone can't open everything. That concept directly relates to passwords visually.

I foresee the struggle with getting the public to change being them understanding why they should switch. If all of a sudden someone just sees that now everything is seemingly just unlocked for them and they have no understanding of why, then it very easily comes across as being extremely insecure.

A significant number of people have extremely low tech literacy and understanding and that's very easy to underestimate. I've had to teach college kids recently on how to make a bar graph in Excel and there's always people at jobs you have to explain what a file format is or the difference between save and save as. Hell, think of how many people misuse reply all.

On top of that, people need concerns about what happens when a phone gets lost or stolen, or even just dies, readily available. Replacing your wallet is a pain, getting locked out of absolutely everything because you forgot to charge your phone is a non-starter.

People don't like change. They either need no other possible option or an extremely clear incentive and understanding on why it benefits them to change.

rewislam1 karma

If there is a simple way to explain public key cryptography, and the idea of signatures and verification, then that would be what the public needs to know.

The challenge is, it's hard to come up with an analogy or explanation, without some idea of the audience and their technical knowledge.

I think it would be a struggle to explain it to my 10 year old kid... if there was some way to make it simple for them, then that might be it.

The problem I see is that as the explanation is watered down and simplified, it eventually loses its original meaning, and ultimately just sounds like magic, which doesn't help.

TheGoodDoctorGonzo2 karma

Can you clarify that you’ve been a core member of the iOS development team for a password security company since 2011 and didn’t figure out https until 2022?

rewislam1 karma

✋🏽 yup, I mean the nuts and bolts of how TLS works; I knew the idea in principle but not the actual mechanics of TLS.

rewislam1 karma

Great resources! I would add https://webauthn.guide/ to that :)

rewislam2 karma

Hi u/mpogopogo this is a great point. I think the concept of passwords is very easy for anyone to understand. However passkeys, although simple to use, are quite complex for non-technical folks; it requires understanding things like public key cryptography, and just learning what that is would be a good first step.

If you have more specific questions I'm happy to try answering them.

mpogopogo5 karma

Just curious if there is a plan to educate the public? If the plan is just to start using it, I see it being about as popular as encrypted email. Even in this AmA, the top questions are asking how passkeys are different than passwords.

rewislam5 karma

I think services that support passkeys will indeed educate their users about them.

There is educational material out there, but it does lean towards the technical crowd a little.

I expect the market forces to lead to public education, especially if public services support passkeys for their websites.

alpacasarebadsingers2 karma

A short video would do a lot to make it understandable.

rewislam2 karma

Perhaps not short enough, but some of the content here is really good to understand the idea behind this new form of authentication:

https://developer.apple.com/videos/play/wwdc2021/10106/

Visible_Review_134011 karma

What is the difference between a password and a passkey? How would using them be different?

rewislam10 karma

A password can be stolen or can be guessed. Passkeys cannot, as they are phishing resistant.

Also, passwords are a knowledge factor, the user typically has to remember them and come up with them. Passkeys are always unique and always strong, and never need to be revealed in order to use them when signing in.

Passwords are also a shared secret, meaning the website server has information about the password that can be valuable to a hacker. Passkeys don't provide any secret information to the server, so if a server was breached, the hacker won't be able to do anything with the component of the passkey that lives on the server.

d0rf4715 karma

Passkeys cannot, as they are phishing resistant.

How so? What makes it different than hashing and salting passwords?

rewislam2 karma

People can be convinced to type their password into a website that is created by the attacker. This cannot be done with passkeys.

Puzzleheaded_Egg63623 karma

Passkeys wouldn't be a help either if you're a victim of the recent 'Microsoft Azure hosted subdomain hijacking'. Let's say you've enabled autofill; before you know it, you'll be authenticated as soon as you visit the phishing site with the similar top-level domain, whether it's a password or even passkeys. It all comes down to what 2FA you are using.

rewislam3 karma

Passkeys can't be autofilled on a phishing website, they are bound to the web origin, for example a passkey for google.com won't work on gooogle.com, or google.hackhack.com.

keatre2 karma

Can you think of a passkey similar to an SSH key? Essentially you (the private key) are connecting to a website and authenticating against their (public) passkey?

rewislam3 karma

Yes! Though unlike SSH, passkeys are based on WebAuthn, so the plumbing to make sure all this works is already shipped in all your devices and browsers.

keatre4 karma

What's to stop an attacker from hijacking my private key? It seems like the authentication method is better than passwords, but you still need to guard the private key, right?

rewislam8 karma

Yes, the private key must be protected, but it only needs to be protected locally. Passkeys don't leave any secrets on the server, which passwords can do depending on how the server handles them.

hatchtek8 karma

So in the future will we be logging into Dashlane as well with a passkey, and if so how will that work?

rewislam3 karma

We don't yet plan to support passkeys to log into Dashlane, but it is something we want eventually.

There is a feature of WebAuthn, the underlying technology of passkeys, called the PRF extension; once this is fully supported on all platforms it would make sense for us to use it for Dashlane:

https://github.com/w3c/webauthn/wiki/Explainer:-PRF-extension

BlackFenrir8 karma

Be honest. Are you holding this AMA because you're to sell us stuff?

rewislam3 karma

Not at all, I'm just very interested and excited about the topic of passkeys, and would love to share knowledge about them, so if you've any questions, let me know!

30_characters6 karma

How can we ensure that multifactor authentication isn't used like a cookie to track people across multiple accounts? In other words, if I give a company my phone number for SMS authentication, or my phone's serial number and additional information by downloading an authentication app, how do I know it won't be used for marketing purposes?

rewislam0 karma

Good question! I think the app stores have tried to contain this type of behaviour from app developers by asking developers to declare their behaviour in terms of tracking.

I'm not sure there is a silver bullet for this. Ultimately when our lives involve us using hardware and software, there is always scope for some tracking. Ultimately it would come down to what the business model is of the company and the reputation they have.

Velvitkween6 karma

  1. How does a passkey differ from a passcode? Example?

rewislam3 karma

A passkey is what is called a phishing-resistant form of authentication, meaning it's not possible for someone to steal your passkey, or convince you to sign in to a fake website so that the attacker can use your passkey themselves, just as they can with passwords.

Also, it depends on what you mean by passcode. If you mean the passcode on your iPhone, then that's a different thing, that's something local to that device, and not related to signing into websites, which is the primary purpose of passkeys.

Velvitkween2 karma

Like Dashlane passcodes. Are they really that vulnerable? I will create a passcode in D and then get an alert that it was compromised 50 times, for example. That happens more than I would like, which stresses me out.

rewislam3 karma

Ah, you mean passwords? Yes, if you use easy-to-guess passwords then they really are that vulnerable. It's always important to make sure passwords are unique and complicated; however, if a service uses a passkey, then it's guaranteed to be unique and complicated.

Passwords will still be around, and it's important to continue to create strong ones, but when you see passkeys start to appear, you should use them!

Rabbit38a5 karma

Is this event a presentation or just a text Q&A?

rewislam1 karma

Hey u/Rabbit38a this is a text Q&A, so if you have any questions about passkeys fire away!

ahh_meh5 karma

If Safari and Chrome already support passkeys, what additional compelling functionality does Dashlane add that’s not included in browser for free?

rewislam2 karma

If you are using a single ecosystem, let's say all the devices you use are Apple based, then there is not a huge compelling reason to use something other than what ships with your devices.

However if you're switching between ecosystems, then a dedicated credential manager like Dashlane could make the experience of authenticating simpler.

These dedicated products are also adding additional functionality such as sharing, that could be useful for your needs. I would say if something works for you, and the product is creating strong credentials, then stick with it.

N8video4 karma

When will Dashlane enable passkey functionality on the platform? Looking forward to having that option.

rewislam3 karma

Hi u/N8video - we already support passkeys in our browser extension and will support Android and iOS from Android 14 and iOS 17 onwards!

Optimus_Prime_Day3 karma

What is the incentive for companies to want to use this method for logins, from a business use case or financial perspective?

How does your company benefit from this, and is this technology going to be proprietary?

rewislam9 karma

Passkeys are based on open standards, so no one can really benefit from the uptake in passkeys support.

Companies should use passkeys because their users already suffer from problems with passwords, such as account takeovers and "forgotten password" support emails.

Also, research from Google shows that passkeys are more successful at the attempt to login than passwords.

https://security.googleblog.com/2023/05/making-authentication-faster-than-ever.html

HagueHarry2 karma

Have you ever considered naming one of your children Christian?

rewislam2 karma

I've already named my kids, so it's too late, and I never did, though I was a fan of Chris Cornell and Soundgarden.

Ok-Location-60332 karma

so:

  1. when are Dashlane passkeys available?
  2. can you import/export passkeys into Dashlane from Apple or Android devices or other apps that have set up the passkey?
  3. when do you expect the majority of websites to support passkeys?
  4. will they also be used to log in to mobile apps?
  5. how can passkeys be tied in with hardware tokens like YubiKey while still being portable?
  6. why did you guys stop supporting YubiKey and other MFA hardware keys? is that coming back?
  7. can users have both regular login/passwords and passkeys for a site? and if so doesn't that defeat the security of passkeys?
  8. how can a user recover access to a site if the passkey is lost or doesn't work? are there any backup codes or recovery methods?

rewislam-4 karma

Hey u/Ok-Location-6033

  1. They're available now! At least on the web extension, they're available on Android 14 now and will be available on iOS 17 when it's out
  2. Import/export is not yet possible, but there are companies in the industry working on this problem, Dashlane included!
  3. Great question, I think we'll see a lot of big tech companies adopt them this year, and hopefully year-on-year we'll see adoption spread as people start to realise there is a much easier way to sign in to things
  4. Yes!
  5. Passkeys do work with certain Yubikeys, I think the version 5 ones... you'll have to check on their website, but hardware keys will have a limit to the number of passkeys that can be stored on them, which isn't the case with software authenticators
  6. We would like to bring back support for that! In fact it's going to be essential that services like Dashlane offer a phishing-resistant method to sign-in

Thanks for all your questions!

pcboxpasion15 karma

Your answer came to that user on an AmA barely 15 minutes after he created the account.

This has to be a new record for someone doing an AmA and answering a small list of FAQ to someone who randomly saw your post and came up with the appropriate list so fast.

Reddit is way too sensitive to canned corporate responses nowadays, with all the drama with their "CEO". I would suggest doing your homework and not treating the community like him, or just holding your ad campaign for a while so this does not backfire on you too.

rewislam1 karma

I type quite fast :) We don't have anyone asking questions on our behalf, but you'll have to ask u/Ok-Location-6033 if they are genuine or not :)

3legged8 karma

You should buy your employee lunch for posting the questions you were dying to answer.

  1. User created specifically to ask question.

  2. Question gets answered within 5 minutes.

  3. Other questions from around same time not answered...

rewislam1 karma

The link to the AMA was posted on some of our social channels, it probably attracted a bunch of folks that are unfamiliar with reddit (I'm not a big user myself).

I was answering the newest questions first, which is probably not cool for the questions I missed that got bogged down the list.

But you're free to believe what you want :) I would actually be annoyed if other Dashlaners were posting here, as they'd most likely be trying to trip me up 😂.

Ok-Location-6033-3 karma

Thanks.

  1. I was actually looking to see if it is possible to have the passkey in Dashlane but then require the YubiKey to validate access to the passkey as well (vs. storing passkeys on the YubiKey itself), so they stay portable but also have the hardware security as well.

7 and 8 ?

rewislam4 karma

Oops I missed the last two!

  1. This is something we'd like to add, support for a hardware key to protect the Dashlane account in this way.

  7. Yes, it really depends on how the website deploys passkeys; they can have both alongside each other, or replace passwords. In the case where you can still use your password, you don't get all the security benefits, but you still get ease of use and the fact that it can't be phished as long as you just use your passkey.

  8. Recovery is a hot topic, and passkeys don't necessarily prescribe a particular recovery method; that is up to the website to determine. Indeed I can see recovery flows as a new avenue for attacks, so we can expect new things to come along to help with recovery in future.

SpamMyDuck2 karma

Pretty sure 7 will be up the individual websites ? And I agree it defeats the whole idea if they allow both. It's like the chips in the credit cards. In the US if your card doesn't work using the chip for whatever reason then you can just swipe it like the old cards completely defeating the entire reason for having the chip.

Number 8 I would really like to see a discussion on because so far the only solutions I have seen is using a one time passcode you get via ... email... so either your email is also using a passkey so you can't access it to get your one time passcode or it isn't which means your entire passkey system is rendered useless by a the password to your email account.

But if you can't get this one-time recovery code or whatever without a passkey, and your phone is stolen, lost or stops working while you are on vacation or something, then you are probably well and truly screwed, right?

rewislam3 karma

Again it really depends on how the service deploys their recovery flow. If it's just a magic-link then it's as safe as your access to your mailbox.

More sophisticated websites may want you to go through other hoops, and perhaps wait 24 hours or something before you regain access... again, it depends on how valuable the access is and the measures the website decides to employ.

AlbrechtSchoenheiser2 karma

What is your password?

rewislam2 karma

this-is-really-not-my-password-but-if-it-was-it-would-not-be-too-bad-i-guess-or-is-it-you-guess?

I don't know most of my passwords as they're in Dashlane and all very complex and unique ;)

Secretly_A_Raven2 karma

Do you still move away from the microphone when you are breathing?

rewislam2 karma

I try to breathe every day, unless I'm diving in a pool. I don't get behind a microphone very often.

youwantboomboom1 karma

Hi Rew, I admittedly need to learn more about passkeys. As a product manager, I've been hearing a lot of news about AI and its double exponential growth each day, and passwords are becoming more of a vulnerability than ever. Are passkeys future-proofing for the problems brought on by the exponential growth of AI, or do you all see it as a fix for only the current set of problems from 30+ years of using passwords?

rewislam2 karma

There is no link I can see between AI and passkeys. Also, don't believe the hype, AI seems impressive, but it has its limits and I think we'll start to see those in the years ahead.

However, one area that could be an issue is quantum cryptography, but that would be an issue for a lot of security issues, but people are working on the problem so we'll see how that goes!

PointlessTrivia1 karma

Have you ever heard of Steve Gibson's SQRL as an alternative to Passkeys, and if you have what is your opinion?

rewislam1 karma

The underlying technology for passkeys isn't that new or groundbreaking. There are a couple of things that make passkeys different to other similar ideas:

  1. The WebAuthn standard, which is the technology that passkeys work under, lives under the W3C, which ensures browser developers can incorporate it as an industry recommendation; it's not controlled by a particular company, and anyone who is willing can participate in the evolution of it.
  2. For better or for worse, there are just a handful of platform vendors that provide the majority of the hardware and software that we all use. If these companies agree among themselves to put their weight behind a particular technology, it has a vastly bigger chance of taking off and getting adopted.

The challenge isn't coming up with the technology, the challenge is adoption.

Tchotchke_geddon1 karma

  1. Why should we trust you?

That is a reasonable question for anyone holding my data

  2. FIDO support?

  3. How private can it be made?

  4. How automated are your operations? Do you have an adequate operations team?

  5. Why should I believe you will be any more secure than Okta or LastPass?

  6. What compliance frameworks do you adhere to, and which are you required to adhere to?

Thanks!

rewislam3 karma

This might help answer some of your questions:

https://trust.dashlane.com/

https://www.dashlane.com/download/whitepaper-en.pdf

I'm not here to convince anyone about Dashlane, just here to answer questions about passkeys - I would recommend everyone do their own research before deciding to adopt such a product.

rewislam1 karma

As I mentioned in the original post:

> That's a wrap!
> Thanks for everyone for taking part in this reddit AMA, it's 7:30pm in France so I'm going to sign off, I'll check back for new questions later on, we had some great questions!

docwisdom1 karma

What’s the plan to stay relevant over free password solutions from Google and Apple?

rewislam1 karma

Any password manager is better than trying to come up with passwords in your head!

The built-in password managers are great if all your devices are on the same ecosystem, but they struggle when you work across platforms, say if you own an iPhone but use a Windows laptop.

But as I mentioned, if something works for you, and you're not creating weak passwords, stick with it!

Exact_DeAnn_63311 karma

Not sure how to do this, but I have been a Dashlane user for years... what is a passkey?

rewislam3 karma

Hi! This is a good video to watch that explains some of the details of what a passkey is. It's quite technical, but it might give you an idea of what it is:

https://developer.apple.com/videos/play/wwdc2021/10106/

A more general answer is: passkeys are a replacement for passwords. They are technically more complex, but much easier to use, always strong and unique, and phishing-resistant, so no hacker can get you to hand over your passkey as they can do with your password.

scilicoder1 karma

As a developer, how will I be able to allow my clients to utilize passkeys via their Dashlane accounts, in the apps I wrote for them?

rewislam2 karma

Hi u/scilicoder could you explain more about clients? Are these customers or software clients?

Cbas_6191 karma

Hey Rew some questions for you,

How would logins work on the Chrome extension if one migrates away from the Master Password to "passwordless"? From my understanding, the iOS version would use a PIN or Face ID, and only one of those is available on a computer.

And an extra big picture question:

What is your expected timeline within the next decade for most apps to implement "passwordless" logins as an option?

rewislam2 karma

Hi u/Cbas_619,

Great question! We're building specific functionality on Chrome so users can either use WebAuthn or a PIN to unlock Dashlane. I can't go into too many implementation details as this is work in progress, but I'm looking forward to this being shipped!

I expect passwordless to be widely adopted within the next 5-year timeframe, or less! Businesses lose a lot of money with weak authentication methods like knowledge factors, such as passwords, so it makes business sense to improve authentication security.

MervynLowne0 karma

Does Dashlane propose producing its own security key like Yubikey?

rewislam3 karma

Hi u/MervynLowne, we don't plan to get into the hardware business; Yubico and others are doing a great job there! The great thing with passkeys is that software authenticators like Dashlane can participate, especially now that Google and Apple have announced APIs for 3rd party apps 🫶🏽

Mlitz0 karma

I have been wanting to buy a passkey for a long time; as soon as this is available I will be buying one for my Dashlane. I also take passwords very seriously and encourage people to use password managers.

Do you see passkeys being a bigger use in the public sector in the coming years?

What is the biggest hurdle keeping other companies from implementing 2FA into their login process, specifically adding passkey support?

rewislam3 karma

Hi u/Mlitz!

> Do you see passkeys being a bigger use in the public sector in the coming years?

I would hope so! Passkeys are a great replacement for passwords, and if public sector services are suffering from users losing access to their account, account takeovers etc, then passkeys would help here.

> What is the biggest hurdle keeping other companies from implementing 2FA into their login process, specifically adding passkey support?

Passkeys replace passwords, but also the need for 2FA. Passkeys are typically a possession factor, but also often a "what you are" factor when biometry is used to unlock a passkey. So a company that starts to use passkeys won't need to worry about 2FA, as 2FA was a solution to the problems of passwords. Passkeys don't have the problems passwords have, so there is no need for 2FA.

d3gaia0 karma

After Dashlane incorporates this new technology, what happens with all of the currently stored passwords that a user has saved in your software?

Especially for businesses with multiple users all on Dashlane's business suite (as in my case), how will those less tech-savvy users be onboarded, and how will the change affect the way they use both the Dashlane software and their everyday login experience?

rewislam3 karma

Hi u/d3gaia - your existing passwords continue to work as they do today!

You only get passkeys for websites that support them, and when the website offers them to you. There is no way to magically change passwords into passkeys... yet!

Philocanth0 karma

Are you the founder of Islam or did they just name it after you?

rewislam1 karma

Islam is quite a popular family name in Bangladesh, where my parents are from :)

DesignHead92060 karma

Why would I need something like that if I remember all my passwords perfectly, and in case I forget one I can quickly restore it?
Why would I want a third company to manage my authentication credentials, exposing myself to further risks of unethical use of my data, or theft?

rewislam4 karma

A password manager is certainly a user choice; if you're happy with managing all your passwords yourself, then go for it!

However, when websites support passkeys, you cannot keep them in your head and will need some software to manage them.

Also, passwords are a shared secret, so even if you keep yours safe, the server may not, and they can be leaked via that.

But if it works for you, go for it!

Senior_rower_77710 karma

Is there a presentation? It is past 12:00 noon.

rewislam3 karma

Hi u/Senior_rower_7771, this is a Q&A, so if you have any questions, fire away!

hatchtek0 karma

Will passkeys be available for Android 13?

rewislam3 karma

Hi u/hatchtek, not for Dashlane, but you can use passkeys with Google Password Manager. 3rd party support is only available from Android 14 onwards.

Puzzleheaded_Egg63620 karma

When do we see 'Passwordless login for Dashlane account' rolling out?

rewislam3 karma

Great question! We're furiously working on that topic :) We're hoping to have something out later this summer. It will initially be for new accounts, and once we're happy with how it's going we'll allow existing accounts to migrate over.

KS-Amrita_8510 karma

Your emails made it sound like a presentation. Is it just a chat blog?

rewislam5 karma

Hey u/KS-Amrita_851, sorry about that! It's meant to be a Q&A; this is how reddit AMAs are typically run. If you do want to read up about passkeys there are plenty of resources; I recommend this video from Apple: https://developer.apple.com/videos/play/wwdc2021/10106/

Ok-Feedback5604-1 karma

So what's the future of online authentication? Will CAPTCHA or OTP become outdated? If yes, what will be the safest alternative?

rewislam2 karma

Many folks in the industry, myself included, think that passkeys will become the standard for authentication online. We'll just have to wait and see how adoption goes.

If you're interested, here are some of the companies that are involved in the FIDO Alliance:

https://fidoalliance.org/members/

Sensitive_Screen_846-1 karma

I also want to know

Is this event a presentation or just text?

rewislam6 karma

Hi u/Sensitive_Screen_846, this is a text-based Q&A.

truth-hertz-7 karma

Are you Muslim?

rewislam2 karma

My entire family are Sunni Muslims from Bangladesh, but I kind of lost my way with religion around the age of about 11.

nezukotanjiro150-1 karma

I suspect he is Catholic...

truth-hertz0 karma

Oh, because his name is Rew?

rewislam1 karma

It's actually short for Ruhul, but no one can pronounce that, so Rew is just a shortcut. Not Catholic, but my partner was raised Catholic.