
Dashlane displays passkeys for broader RP IDs instead of matching the exact requested RP ID (WebAuthn compliance issue) #3

@Romain7495

Description

🐛 Bug Report

Dashlane displays passkeys from broader RP IDs when a stricter RP ID is requested (WebAuthn RP ID filtering issue)


Summary

When a website requests authentication with a specific Relying Party ID (RP ID) (e.g., auth.smood.ch), Dashlane displays passkeys registered for both auth.smood.ch and smood.ch, even though only the former should be valid according to the WebAuthn specification.

Other passkey providers (iCloud Keychain, Chrome Password Manager, 1Password, Bitwarden) correctly filter credentials to only those matching the requested rpId.


How to reproduce

  1. Create two WebAuthn credentials (passkeys):
    • Credential A → rpId = smood.ch
    • Credential B → rpId = auth.smood.ch
  2. Visit the login page at https://auth.smood.ch that calls:
    navigator.credentials.get({
      publicKey: { rpId: "auth.smood.ch", ... }
    });
  3. Observe that Dashlane offers both passkeys:
    • One for smood.ch
    • One for auth.smood.ch

Expected behavior

Only the passkey whose rpId exactly matches the requested one (auth.smood.ch) should be displayed or selectable.

A credential created for a broader domain (smood.ch) should not be presented, since its rpIdHash does not match the expected RP ID for this ceremony.


Actual behavior

Dashlane displays all passkeys sharing the same base domain (smood.ch), even when a stricter rpId is requested by the website.

This makes credentials appear as valid candidates when they technically should not be.


Why this is a spec compliance issue

According to the W3C WebAuthn Level 3 specification (§ 7.2 – Verifying an Authentication Assertion):

“Verify that the rpIdHash in authData is the SHA-256 hash of the RP ID expected by the Relying Party.”

This implies that only credentials whose stored rpId exactly matches the requested RP ID may be used.


Environment

  • Dashlane version: 6.2540.0
  • Browser: Chrome 141.0.7390.65 (Official Build) (arm64)
  • OS: macOS 26.0.1 (25A362)
  • Tested domains:
    • https://smood.ch
    • https://auth.smood.ch
  • Tested with: Keycloak 26.4 (WebAuthn passwordless)

Additional context

This behavior only occurs in Dashlane — other password managers filter correctly based on the requested rpId.
