Dashlane and Yubico have announced a joint initiative to introduce passwordless, phishing-resistant login to Dashlane's credential vaults through FIDO2-based YubiKeys.
The new system, available initially to new personal users via Dashlane's browser extension, replaces traditional passwords with hardware-backed secrets, strengthening protection against account takeover threats.
The integration builds on the WebAuthn PRF (Pseudo-Random Function) extension, enabling YubiKeys to generate hardware-bound secrets used for encrypting and decrypting Dashlane vaults. This contrasts with earlier implementations where hardware tokens served as a second factor, rather than the primary authentication method. By relying solely on a registered YubiKey, users can access their accounts without entering a master password, marking a significant shift in credential manager security models.
The initiative was led by Dashlane, a credential security company headquartered in New York, and Yubico, a Stockholm and Santa Clara-based firm known for its hardware-based authentication tools and contributions to the FIDO2 and WebAuthn standards. The partnership is a response to the growing threat posed by AI-driven phishing attacks, which increasingly target users' login credentials across services.
Yubico is a long-time proponent of passwordless authentication and the original creator of the YubiKey. Its devices support multiple standards, including FIDO2/WebAuthn, U2F, and Smart Card (PIV), and are widely used in enterprise environments for secure identity verification.
Dashlane, which serves over 25,000 businesses and millions of individual users, was the first password manager to implement passkey support across all major platforms and to incorporate confidential computing for passkey storage. This latest development introduces a FIDO2-based security key as the primary authentication method, completely eliminating reliance on passwords. According to the company, users can also register multiple YubiKeys to prevent account lockout in case of device loss or damage.
Currently, the passwordless YubiKey login is limited to the desktop browser extension due to incomplete support for WebAuthn PRF across mobile platforms and non-Chromium browsers. However, a Yubico software development kit (SDK) is in the works to enable broader mobile compatibility, potentially extending this approach across all user devices in the future.
While this feature is currently in beta and only available to new personal Dashlane users, the company has confirmed plans to extend support to existing users and business customers. This move positions Dashlane as the first major credential manager to offer vault access using a hardware-backed, passwordless login as the default method, rather than as an optional security enhancement.
Leave a Reply