Dapple Overview

Dapple Authenticator is a passkey manager and authenticator designed for mobile and Windows devices. Dapple uses a patented method to derive passkeys from biometrics, ensuring that you can never lose your passkeys. It stores passkeys locally on devices and uses the Dapple cloud to synchronize metadata and enable recovery across devices. However, your biometric is never stored and your passkeys never leave your device.

Supported platforms

  • Mobile: Android 14+ and iOS 18+
  • Windows: Windows 11 22H2 with Windows Hello and TPM

Why Dapple

  • Implements phishing-proof passwordless login based on widely adopted standards
  • Biometric recovery means that passkeys can be easily recovered in the case of lost devices
  • Passkeys can be synchronized across devices without being stored in the cloud

Key features

  • Local storage of passkeys with cloud-backed metadata sync.
  • Biometric-based passkey regeneration and device transfer.
  • Support for mobile-to-Windows enrollment via Bluetooth and QR codes.

How Dapple enables passwordless login

The Dapple Authenticator uses existing industry standards to ensure that it is compatible across a wide variety of devices and services.

Passkey

  • You can think of a passkey as a digital key that lives on your device (phone or computer).
  • When a website or app asks you to sign in, it checks that you have the key on your device and that you unlock it (with your fingerprint, face, or device PIN).
  • You never type a password, and the website never sees your biometric data or the secret key itself.

FIDO2

  • FIDO2 is a set of standards that organizations follow so passkeys behave the same way everywhere.
  • These rules ensure passkeys are secure and protect you from common online scams like phishing.
  • Because it's a standard, different apps and websites can accept the same passkey technologies.

WebAuthn

  • WebAuthn is the technology websites use to ask your device for a passkey.
  • When a site supports WebAuthn it can offer passwordless sign-in. Your device does the heavy lifting — the website just gets a confirmation you passed the check.

Dapple stores passkeys safely on your device and helps you use them across devices. You unlock keys with biometrics or a PIN. If you lose a device, a combination of your recovery key and biometric lets you recover your profile.

Technical details

This section provides concise, practical details if you're familiar with web or authentication concepts.

  • Cryptography model: passkeys are asymmetric key pairs. The device stores the private key; the website stores the public key.
  • Registration: the browser or authenticator calls WebAuthn (navigator.credentials.create) to generate a key pair and send the public key to the site (relying party).
  • Authentication: the site challenges the device (navigator.credentials.get); the authenticator signs the challenge with the private key and returns the signature for verification.
  • FIDO2 = WebAuthn (browser API) + CTAP (client-to-authenticator protocol used by external/roaming authenticators).
  • Attestation and metadata: relying parties may request attestation to learn about authenticator provenance; Dapple focuses on user convenience and recoverability while respecting privacy.

Dapple is a FIDO2-capable authenticator and passkey manager. It acts as a credential provider on platforms that support it and implements the necessary client-side flows to integrate with WebAuthn-compatible websites and apps. Dapple keeps private keys on-device and syncs non-sensitive metadata via the Dapple cloud to support discovery and recovery.

Compatibility and support

  • Modern browsers (Chrome, Edge, Safari, Firefox) support WebAuthn. Platform behavior differs slightly; Dapple integrates with platform credential providers where possible.
  • Mobile: Android 14+ and iOS 18+ are supported for the beta release.
  • Windows: Windows 11 22H2 or later is supported (requires Windows Hello and a TPM).

Security and privacy notes

  • Biometric data is only used during enrollment and recovery and is never stored on your device.
  • The private key never leaves the device. Metadata is synced to enable discovery and recovery, but does not include private key material.
  • Passkeys are phishing-resistant: each signature is bound to the website origin, so a site can only verify signatures that were produced for the correct origin.
  • Recovery requires both the recovery key and a biometric check.

Passkeys vs. common MFA solutions

Passkeys address many of the security and usability issues with existing MFA solutions, providing both better security and a smoother user experience.

  • SMS (one-time codes): Codes are delivered by text message, so they're familiar and convenient for many users. Technically this relies on the phone network and a shared secret; it is vulnerable to interception and SIM swap attacks and is not phishing-resistant, so it's considered weak for high-risk accounts.

  • TOTP authenticator apps (e.g., Google Authenticator): These apps generate short-lived codes you type in. They are more secure than SMS because they don't depend on the phone network, but they still rely on a shared secret and can be phished or stolen if the device is compromised.

  • Hardware security keys (FIDO2 security keys): Physical USB/NFC keys are highly secure and phishing-resistant because private keys never leave the device. They offer strong technical assurance but require the user to carry and manage a physical token.

  • Push notifications / app-based approvals (e.g. Microsoft Authenticator): A prompt appears on your phone asking you to approve a sign-in. This is convenient and easy for users, but can be vulnerable to social engineering if users approve unexpected prompts; technically it relies on a trusted channel and user vigilance.

  • Passkeys (platform or managed via Dapple): Passkeys replace passwords with asymmetric key pairs and are used via familiar unlock methods (fingerprint, face, PIN). They combine strong phishing resistance with a fast, user-friendly experience. Technically, they bind cryptographic signatures to the website origin (WebAuthn/FIDO2) and keep private keys on-device; Dapple adds biometric-derived recovery and cross-device discovery without storing private keys in the cloud.

Key takeaways

  • Security: Passkeys and hardware FIDO2 tokens provide the strongest protection against phishing.
  • Usability: Passkeys give strong security with the simplest experience for most users.
  • Recovery & portability: Hardware tokens require physical backup; Dapple provides recovery options (recovery key + biometric) and cross-device sync while keeping private keys off the cloud.