The future may be passwordless, but it’s not here yet

There’s a reason they call it the bleeding edge, I guess. That’s the lesson I learned after a few weeks of testing Dashlane’s password manager using its just-introduced passwordless option for setting up new accounts.

No, I didn’t literally spill any blood, but I did manage to run headlong into a bug that effectively cut me off from access to my password vault on some devices for several days. To its credit, the company was quick to acknowledge the bug and deliver a fix, but the entire incident illustrates how easy it is for any security company to stumble in the current rush to get rid of passwords.

Also: What are passkeys? Experience the life-changing magic of going passwordless

Let’s start with the good news. Overall, my Dashlane experience has been positive. It was extremely easy to set up a new account on a mobile device, import my existing data from 1Password, and set up the software on new devices using the Dashlane app and browser extension. I also found the process of filling in passwords extremely easy. Bonus: all of my 2FA credentials (time-based, one-time passwords like those used in Google Authenticator and Authy) migrated effortlessly from 1Password.

Everything worked perfectly, until the Friday before I was set to head out on a two-week trip and began setting up the laptop I planned to bring with me. Dashlane’s security challenge worked exactly as expected, and I received email confirmation that my new device was successfully added to my account, but clicking the Access Vault button did nothing.

Also: The best VPN services: Expert tested and reviewed

Maybe it’s a browser issue, I thought, so I tried installing a different browser. That one failed in identical fashion. I was equally unsuccessful on another Windows PC, on a Chromebook, and on a MacBook. Although the device was added to my account, it couldn’t open my password vault.

Finally, I contacted Dashlane support via email. It took a bit of back-and-forth to get a bug report filed, and then I waited two full days for this response:

The issue has been identified by our engineering teams and we’ll be releasing a fix ASAP. In the meantime, we recommend continuing to access your account through your previously authenticated devices.

We appreciate your patience and understanding.

The next day, Dashlane support alerted me that a new version of the browser extension was available. Installing that upgrade returned everything to normal.

Also: Amazon adds passkeys so you can sign in without a pesky password

As support incidents go, this one was inconvenient, but not dangerous. My stored data was never at risk of being accessed by any outsider (the decryption keys were on my device only), and I had multiple backups, as well as an account recovery key that would have allowed me to restore my data if I had been unable to regain access to the account.

I still had access to the password vault on my mobile device, but it would have been extraordinarily frustrating to look up long, randomly generated passwords on my mobile device and then type them manually on my laptop, which is why I temporarily switched back to 1Password while this incident unfolded.

So, what happened? Dashlane’s Senior Product Manager, Jordan Aron, explained that this problem occurred because of technical upgrades the company’s engineers made to code in its browser extensions that had an inadvertent effect on passwordless users. (Dashlane customers using accounts secured by a master password were unaffected.)

Also: Beyond passwords: 4 key security steps you’re probably forgetting

The fix was relatively simple, but it required review and approval by the browser extension stores before it could reach affected customers. Aron estimates that approximately 5% of customers using the new passwordless option were affected.

In an email response, Aron pointed out, “This is a very new solution that we are constantly innovating and improving upon, and this isolated event shouldn’t dissuade users from experiencing the ease-of-use and enhanced security benefits of a Dashlane passwordless account.

“To more rapidly mitigate any potential future issues, we’ve expanded the scope of our detective monitoring and visibility to not only include successful passwordless device setups, but the final step of successful vault access as well. In terms of prevention, we’re also implementing additional review for updates to our codebase and evaluating improvements in more proactive, preventative detection with focus on our passwordless login feature.”

Also: 6 simple cybersecurity rules you can apply now

Ironically, this wasn’t the only issue I had with passwordless security options this week.

Months ago, I made my primary Microsoft account passwordless. To set up a new device, I use the Microsoft Authenticator app or a security key, with no option for SMS authentication. Those options make it really difficult for an attacker to break into my account. Unfortunately, they also make it impossible for me to use Microsoft’s Remote Desktop utility to access a system where I’ve signed in using that account. I’m also unable to connect to a Hyper-V virtual machine using Enhanced mode. Maybe someday Microsoft will expand its passkey support to include Remote Desktop sign-ins, but I’m not holding my breath.

Also: The best security keys to protect yourself and your business

And on the same laptop where I temporarily switched back to 1Password, I discovered that I was still connected to the test account I set up using 1Password’s passwordless option (which is still in a public beta). No problem, I thought, I’ll just use the Manage Accounts feature to remove it. Except that that option wanted me to provide a master password that doesn’t exist. I was finally able to solve the problem by uninstalling and reinstalling the browser extension.

The moral of the story? It’s good to know that security companies are working hard on passwordless options. Someday, when they’ve ironed out all the kinks, those solutions will make the world a better place. But until that day arrives, maybe it’s a good idea to hang on to your master password.