The entire incident illustrates how easy it is for any security company to stumble in the current rush to get rid of passwords. Overall, my Dashlane experience has been positive. It was extremely easy to set up a new account on a mobile device, import my existing data from 1Password, and set up the software on new devices using the Dashlane app and browser extension. Everything worked perfectly, until the Friday before I was set to head out on a two-week trip and began setting up the laptop I planned to bring with me. Dashlane’s security challenge worked exactly as expected, and I received email confirmation that my new device was successfully added to my account, but clicking the Access Vault button did nothing.
Maybe it’s a browser issue, I thought, so I tried installing a different browser. That one failed in identical fashion. Finally, I contacted Dashlane support via email. It took a bit of back-and-forth to get a bug report filed, and then I waited two full days for this response: “The issue has been identified by our engineering teams and we’ll be releasing a fix ASAP. In the meantime, we recommend continuing to access your account through your previously authenticated devices. We appreciate your patience and understanding.” The next day, Dashlane support alerted me that a new version of the browser extension was available. Installing that upgrade returned everything to normal. As support incidents go, this one was inconvenient, but not dangerous.
My stored data was never at risk of being accessed by any outsider, and I had multiple backups, as well as an account recovery key that would have allowed me to restore my data if I had been unable to regain access to the account. Dashlane’s Senior Product Manager, Jordan Aron, explained that this problem occurred because of technical upgrades the company’s engineers made to code in its browser extensions that had an inadvertent effect on passwordless users. The fix was relatively simple, but it required review and approval by the browser extension stores before it could reach affected customers. Aron estimates that approximately 5% of customers using the new passwordless option were affected. He also stated, “To more rapidly mitigate any potential future issues, we’ve expanded the scope of our detective monitoring and visibility to not only include successful passwordless device setups, but the final step of successful vault access as well. In terms of prevention, we’re also implementing additional review for updates to our codebase and evaluating improvements in more proactive, preventative detection with focus on our passwordless login feature.” The moral of the story? It’s good to know that security companies are working hard on passwordless options. Someday, when they’ve ironed out all the kinks, those solutions will make the world a better place. But until that day arrives, maybe it’s a good idea to hang on to your master password.
