Interview: Dashlane’s CEO On Driving Passwordless Adoption And Better Security Behaviors

Expert Insights interviews John Bennett, Dashlane’s CEO, live at RSAC 2024.

Dashlane is a password manager used by over 19 million users and 22,000 businesses, in more than 180 countries. The platform is aimed at helping users manage their passwords more securely, which it achieves by providing a secure password vault and highlighting password reuse and compromise. 

But will the future be fully passwordless, and how can the cybersecurity industry make this a reality? In this interview, live from RSAC 2024, John Bennett, CEO at Dashlane, discusses FIDO, the death of the password, the evolution of password-based threats, and what is most exciting him in the cybersecurity space.

The following Q&A has been edited for clarity and length. You can listen to the full interview on the Expert Insights Podcast:

What is the number one issue that you are here at RSAC to talk about?

The number one issue that I’m really focused on is an extension of the work that Dashlane has done with the FIDO Alliance on how we can accelerate passwordless and the adoption of Passkeys, by working with a larger ecosystem and the larger players, whether it’s Google or Microsoft, or others. It’s a continuation of these discussions that we’ve had in FIDO Alliance and bringing them to RSAC.

Why is it so important for organizations to be thinking about and implementing passwordless authentication?

The number one attack vector is still identity compromise, identity theft, and it’s driving 80% of breaches. It’s the fastest growing threat vector that malicious actors leverage in their first point of attack to business. SSO [single sign-on] is the gold standard. But the reality is, there is just such a long tail of applications that are not behind SSO, and that’s where you see these businesses at risk.

You have employees that want to do the right thing – they want to improve their security posture – but we’re human. And in some cases, we’re going to do what is easiest and fastest. We’re going to reuse credentials from our personal lives that may be compromised, to access applications on the business side, where there is proprietary company data or customer data.

Businesses need to worry about that because SSO isn’t enough anymore. CISOs of businesses of all sizes recognize that they’ve got to start looking at and securing the applications that are not behind SSO. That really starts with using a credential manager, in terms of having good behavior. 

The other part is how you eliminate passwords within the organization. SSO is one step of that. The other aspect is moving to Passkeys and passwordless. I think that’s one of the biggest focus areas that companies need to think about: securing that employee behavior outside of the applications behind SSO. 

Can you tell us a little bit about the work that Dashlane has been doing with the FIDO Alliance, Google, and Microsoft on helping to push passwordless? 

Passkeys are such an amazing advancement in cryptography. It’s more secure, it’s phishing resistant, and on top of that, it’s actually a much more efficient and delightful user experience. But there’s a lot to be sorted out still. We’re in the early days, it’s still nascent technology. 

For FIDO, we’re focused on a couple of key areas. One is working with the standards bodies in terms of continuing to build out areas of documentation and agreement on aspects that are going to be important. 

Portability is going to matter in businesses with Passkeys, because there is this aspect of being able to share them with people both inside and outside the organization; universality in terms of being able to work seamlessly across the ecosystem, whether you’re in the Google or Microsoft ecosystem. 

We are continuing to work on not just the user experience aspect and the role that Dashlane plays in that as a credential manager, but the broader ecosystem. How do we all work together to solve some of these problems?

The other aspect that’s going to be important is that businesses are going to want to know if the Passkey being presented is coming from someone they can trust. There’s meaningful work that we’re doing there. 
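As an added illustration of the phishing resistance mentioned above (example code written for this page, not Dashlane’s or the FIDO Alliance’s): the relying-party side of a WebAuthn/Passkey assertion check, run over constructed inputs for a legitimate origin, a look-alike domain, and a replayed challenge. RP_ID, ALLOWED_ORIGINS and the sample blobs are placeholder values.

```python
import base64
import hashlib
import json

# Relying-party (RP) configuration. Constructed placeholder values for this
# example, not Dashlane's or any real site's.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def verify_assertion_context(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> tuple[bool, str]:
    """Checks the part of a WebAuthn assertion that makes Passkeys phishing
    resistant. The browser (not the page) writes 'origin' into clientDataJSON
    and the authenticator hashes the RP ID into authenticatorData, so an
    assertion produced on a look-alike domain fails before any signature check."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed)"
    if data.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: %s" % data.get("origin")
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode("ascii")).digest():
        return False, "rpIdHash does not match our RP ID"
    return True, "ok"

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Builds a clientDataJSON blob the way a browser would (constructed input)."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode("utf-8")

# Constructed sample inputs: a server-issued challenge and authenticatorData whose
# first 32 bytes are SHA-256(RP_ID), followed by flags (UP set) and a zero counter.
CHALLENGE = bytes(range(32))
AUTH_DATA = hashlib.sha256(RP_ID.encode("ascii")).digest() + b"\x01" + b"\x00" * 4
LEGIT = make_client_data("https://login.example.com", CHALLENGE)
LOOKALIKE = make_client_data("https://login-example.com", CHALLENGE)  # phishing domain
REPLAYED = make_client_data("https://login.example.com", bytes(32))    # old challenge

if __name__ == "__main__":
    for name, blob in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("replayed", REPLAYED)):
        print(name, verify_assertion_context(blob, AUTH_DATA, CHALLENGE))
```

The signature over authenticatorData and the clientDataJSON hash is still verified afterwards; these checks are what stop a credential from being useful to a site that merely looks like the real one.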

Do you think that Passkeys are going to be more quickly adopted in the consumer space than in the enterprise space? 

I hope so. I’m optimistic. I wish I could wave a magic wand and say 80% of the sites that I interact with on the consumer side had multi-factor authentication on them. But the reality is the majority of sites I go to, either don’t offer MFA, or I haven’t set it up. Passkeys are a more secure way of securing consumers’ behavior across these sites. We’re seeing acceleration in leading brands putting Passkeys out there. 

For me, the tipping point is going to be where they say, “You can eliminate your password.” And you can now log into Kayak for example, or Google, just using Passkeys. I’m seeing much faster adoption on the consumer side than in business right now. 

Dashlane has rolled out support for passwordless, and this week you have announced some interesting research about how passwordless users tend to be more secure across other areas of security hygiene. Talk us through some of the findings you’ve had.

One of the things that I was really excited about – and that was a driver for me joining Dashlane – was just the pace of innovation within the company; we’ve driven just a ton of innovation.

We launched the elimination of the master password on our consumer product on both Android and iOS, and now we’re releasing it out to the web extension, as well. We’re removing this big piece of friction. We want you to improve your security posture, we want you to put your credentials in a vault, we want you to auto-generate a complex password to protect yourself. But you’ve got to create this complicated long master password, and for a lot of consumers and even business users, that’s a point of friction. 

Since we’ve launched [passwordless], what we’re seeing is 40% higher adoption rate in terms of people putting information in the vault and then sharing those credentials with people within the [Dashlane] ecosystem. We’re seeing 20-25% more active use for consumers. We’re seeing a material shift in terms of engagement and people using all the capabilities within the Dashlane Vault. 

John, for small businesses in the SMB space, do you think moving to passwordless authentication should be a priority that they double down on?

I was at a session yesterday and a CISO from a leading credit card company was talking about how they have 15 milliseconds to establish the identity of the person trying to run the transaction. And if they don’t do that in 15 milliseconds, the transaction is lost. But one of the things they look at in terms of the ecosystem is small businesses.

If we look at how interconnected our global economies are today, so many small and medium businesses are part of a supply chain. And the acceleration of the velocity and pace of attacks is not just focused on enterprise and mid-enterprise, but it’s focused on SMBs, as well. 

If you look at SMBs, a lot of the customers that we work with don’t have SSO deployed. They have this very broad attack surface. And with this acceleration in terms of generative AI making it much easier to do social engineering, there are billions of compromised credentials on the dark web. SMBs now are at more risk than they ever were, because it’s becoming so much easier for malicious actors to go for them, and the ROI is very high for them.

How do you remove the human element from that, if they don’t have to have a password to access the application they’re using? A big start to that is using a credential security vault like Dashlane, so you can then remove that element of risk, and bring that SSO experience to non-SSO applications.

Do you see any more challenges in the SMB space around password hygiene?

On the enterprise side, they have more tools, they can enforce more security policies on the users. They can look at people and their behavior within the organization, and they can adaptively push out security awareness training, or put other hurdles of friction in before they let them access the applications that access the keys to the kingdom. 

On the SMB side, organizations might have only one or two people within their IT organization. They’re having to wear multiple hats, and they have less access to processes and tools. You have employees that are bringing their consumer security posture into the business. If their consumer posture is not strong, they bring that in. They’re reusing credentials and passwords that they’re reusing in their personal life. And a lot of times, those are the ones that have been compromised and are on the dark web. That’s a huge risk factor for SMBs.

You mentioned generative AI. As organizations are starting to roll out single sign-on and passwordless authentication, how are you seeing the threat actors in the identity space start using those new technologies to try and get around those improved security controls? 

It’s a bit of cat and mouse that’s going on. You’re seeing advancements in cybersecurity companies, where they’re putting AI into their products to drive a much higher level of automation, so that the IT and security professionals can focus on the critical aspects of preventing malicious actors going after their organizations.

But on the flip side of that, we’re already seeing out in the wild that malicious actors are getting around the safeguards within these large language models. They’re also creating their own.

On the social engineering aspect, in terms of how they can go in and get a consumer or business user to compromise their credential or access, it’s becoming far more efficient, it’s becoming more scalable. The pace is faster, and way more sophisticated. 

I think that means you have got to start thinking now about how you’re going to put those safeguards in place. Because the velocity is only going up, year after year, in terms of how quickly they can adapt and look for another attack vector that’s going to be successful getting into an organization.

I think it’s called spamming, right, where they just pound you until you compromise your MFA. In terms of email, it’s so well socially engineered, you’re going to end up putting your credentials into a fraudulent site.

And that could be at any aspect of the company that would create financial exposure and risk for the company. Absolutely.

Dashlane is a leader in the password management space. How do you see the Dashlane platform evolving as hopefully we start to move more into passwordless?

One of the areas I’m very excited about is the work that we’re doing in terms of thinking holistically about the challenges. We’re seeing more and more companies come to us and say, “I’m not just going to deploy this password management solution for a department or a set of employees, but I want to think across the organization,” which is great.

But at the end of the day, the employee still has to adopt the use of that password manager. And they’ve got to put credentials in the vault for it to be effective. Where we’re investing now is thinking more of a holistic and human-centric approach. It’s not just good enough for us to have mass deployment and have every employee in the organization have access to this. But how do we change the behavior? How do we improve, you know, their security awareness and behavior. 

There are aspects of the platform we’re investing in, so that on the admin side, they have visibility in terms of which of their employees are most at risk, and other aspects by integrating into solutions that are woven into the fabric. For organizations that use Slack, we can do things like security nudges. We can make sure they’re aware of compromised credentials that [end users are] using, and that they should change that.

The final aspect we think about is delivering value to employees before they’ve put a credential in the vault. We offer a web extension, so if an employee thinks they’re going to DocuSign, but it’s not DocuSign, we have the ability to flag that before they compromise [a credential].

We’re thinking horizontally, versus creating more complexity in the product. We’re continuing to make it simple and accessible for both the IT admin and for the employees.

You’ve spoken about collaboration in the space across vendors, it would be great to hear more about that.

I’m so excited to be back at RSA. The last time I was at RSA was in 2020, right before the world shut down for a number of years. I’m excited to be here and talk to companies about all aspects of the ecosystem, whether that’s on security awareness, endpoint protection, or cloud protection. 

A lot of discussions that I’m having this week are on how we can continue to work together to solve some of these emerging threats holistically. Where do we need to have alignment in terms of emerging standards, or how do we accelerate the pace of passwordless and Passkey adoption within business, not just on the consumer side.

The other aspect is looking at companies where increasingly we see this opportunity of having tighter API integration, which gives SMBs and enterprise customers solutions that are holistically solving their problem. We’re removing complexity, and we’re adding value across other products that they’ve already made an investment in.

What is your advice for the CISOs and security leaders who are attending the conference this week?

One piece of advice is: SSO is not enough. And we still see this behavior where they say: “Well, I’ve got SSO in place, I don’t need a credential manager. Or, I’m just going to give it to departments that have a high use case around sharing.”

Hackers are logging in, they’re not breaking in. They’re logging in through compromised credentials. And where they’re coming in is this long tail of applications that are not behind SSO. That’s my advice. SSO plus an enterprise password manager is dramatically going to improve your security posture.

And finally, what is most exciting you in the cybersecurity space today?

It’s the level of collaboration. The conversations I’m having where I think there’s this high recognition: we understand that the game has changed. 

Just what’s going on globally in the world, with the rise of nation state malicious actors, that is our competition. That is what we’re solving for. And I’m really encouraged when, at scale, very large platform players in this space recognize that we need to work together. I’m very excited for just the awareness that we have a really important role to play in society, and I’m so excited about the openness and the willingness to have meaningful conversations on areas that we need to work together on.

About Expert Insights: 

Expert Insights is a B2B research and review platform for IT solutions and services. We help over one million IT managers, CISOs, small business owners, and other professionals discover the best IT and cybersecurity solutions.