This week I received an odd email. It was a message from Dashlane, welcoming me to their password manager service. This was odd, only because I did not open an account with Dashlane.
I contacted them through their support email explaining the situation. I requested that the account be suspended and that they contact me to discuss the implications of this. Christine from Dashlane responded quite promptly, and explained that I could delete “my” account, but she cautioned me that I would not be able to use “my” Dashlane account if I deleted it, and that I would lose all of my data. It was pretty clear that this was a canned response, or else she didn’t read very clearly.
I wrote back explaining yet again that I did not open the account and that I was concerned about how someone could create an account connected to my email address who was not me. I suggested she escalate this to someone who could understand what I was trying to explain to her.
In parallel, I tweeted @DashlaneSupport (and followed them so that they could Direct Message me). That’s when Simon stepped in. I have to say that Simon has been great. He understood my concerns, he addressed them, and he was polite and professional.
We went back and forth quite a bit over a few days and I determined that they have made a design decision with which I don’t really agree. When you create a Dashlane account, you give them your email address, and you create a master password. Once you’ve created this login, you can begin creating passwords and storing them with the Dashlane service.
You’ll notice that there’s a rather important (at least in my opinion) step missing here. Dashlane does not ask for confirmation of your email address during creation of your account. Because this step is missing from their process, someone was able to create an account using my email address.
Let me quote Simon directly:
When creating a Dashlane account, you are asked to choose your email address and a Master Password. When provided, your account is created right away – we only prompt users to enter a “security code” when signing-in to their Dashlane account from a new device in order to verify their identity – unless Two-Factor Authentication was enabled for this particular Dashlane account. You are right in saying that email addresses are not verified upon account creation – but as owner of this email address, you own the Dashlane account as well. You can delete it and re-create it, therefore our users’ security is guaranteed there.
As a company with a patented security architecture, we work hand in hand with our head of security to ensure that our users are protected at all times. I understand your concern however, and the fact that you would feel more comfortable having an email address verification process. This is not on our road-map right now, but it certainly does not mean we will not implement this process one day.
At first I was upset and concerned and after thinking it through (and making sure I wasn’t missing something by talking to Bart), I realized that this doesn’t actually cause me any harm at all. It’s not like they can use these password they create with my email address, or somehow log into any of my accounts. After I calmed a bit, I realized there is someone who could potentially be harmed, and that’s the creator of the account.
Let’s put ourselves in the shoes of the person who created this account connected to my email address. We’ll call him Wilbur. Let’s presume for sake of argument that Wilbur made a simple typo. He meant to put in [email protected]. For a few days now Wilbur has been going through all of his passwords and putting them into Dashlane, blissfully unaware that he has made a typo.
Wilbur doesn’t notice that he never received a “welcome to Dashlane” email.
Now along comes Allison, and upon the advice from Dashlane, she deletes Wilbur’s account. Wilbur will be furious, disappointed, aggravated and concerned. He will write to Dashlane (or possible slam Dashlane on Twitter and other social media platforms), accusing them of losing all of his data.
Dashlane has a free and paid tier. What if he’s a paying customer? He will write to Dashlane, but they won’t know who he is, because he doesn’t have an account with them.
Like I said, this situation creates no real threat to me personally, other than having to go delete this account. But it creates a huge problem for our little friend Wilbur and potentially will create a huge problem for Dashlane as a result.
I want to reiterate that Simon was really great, very responsive, got to the precise parts of what bothered me, and gave me the truth. I’m not sure I agree that email verification should be on a back burner, but I appreciate so much that he stuck with me till I understood exactly what was going on here. I started with huge concerns about Dashlane and ended believing that they have a really responsive support team. And remember, I was not a paying or free customer.
There’s a couple of lessons to take away from this:
- Be very careful when you enter your login information on Dashlane to make sure your email address is typed correctly. Maybe log in from another browser first thing so you get the security code sent to you. The security code thing does work – I verified when I deleted my account.
- Don’t fly off the handle right away (like I normally do), give a company a chance to explain and show whether they’re responsible and responsive (or not)
- I think that an email verification process is a pretty darn important step in a service like this.
- If it weren’t for that, I might give Dashlane a chance, based entirely off of the responsiveness of Simon