Building for Security in a Browser Environment
As you may already know, Dashlane is transitioning from desktop apps to a web-first experience, where users can access their accounts through a browser extension. We knew from the very beginning of this process that we had to ensure the new Dashlane experience would meet our strict security standards. In this post, we’re excited to share how we made that happen and debunk a few common misconceptions about browser extension security.
First, some foundational context
Depending on your familiarity with software, you may or may not know the differences between a website, a web app, and a browser extension.
A browser extension is an application you install in your browser of choice, like Chrome, Firefox, or Edge. Browser extensions resemble desktop apps in one important way: both run from files installed on your computer rather than from files a server sends you each time you visit a page. The main difference is that desktop apps are installed on your operating system (Windows or macOS), while extensions are installed and run directly inside your browser. Additionally, extensions are reviewed by the browser vendors' store teams before they are published, which adds a layer of oversight, though store review complements rather than replaces the security work done by the developer.
In the new web-first Dashlane, the extension and web app work hand-in-hand to offer you the richest and most secure experience, including our vastly improved autofill. Plus, you can still enjoy offline access to your Vault, as long as you have previously logged in, authorized the device, and do not have 2FA enabled for each login. Accessing your Vault is simple: In your extension, choose More from the top menu and then click Open the app; or, go to Dashlane.com and click Log in in the upper right-hand corner. If you are on a computer where you don’t have the extension installed, you can go to app.dashlane.com to log in.
New platform, same architecture
While this new platform may look and feel different, the underlying architecture at the foundation of Dashlane isn’t changing. More specifically, our commitment to zero-knowledge remains unwavering. Zero-knowledge means that only you can access your data: the key that decrypts your Vault is derived from your Master Password on your own device, so neither Dashlane nor an attacker who breaks into Dashlane’s servers can read the contents of your account. To achieve this, Dashlane encrypts data locally on your device rather than on a remote server, and the web-first experience follows the same process.
Because all data is encrypted locally, in the unlikely event that an attacker were to successfully hack our AWS servers, they would get millions of encrypted Vaults and none of the keys needed to decrypt them, since those keys exist only on users’ devices. Trying to brute-force a Vault by guessing its Master Password is possible in principle, but our implementation of AES-256 encryption and Argon2 key derivation makes every guess deliberately slow and memory-hungry, so for a strong Master Password even the most sophisticated computer would need thousands of years. The weaker the Master Password, the fewer guesses an attacker needs, which is why choosing a long, unique one matters.
And remember: If you use locally encrypted services or products, such as Dashlane or the popular messaging app Signal, you should always lock your device with a password, PIN, or biometrics. Local encryption protects data at rest, but an unlocked device could give a hacker or thief access to sensitive data while it is decrypted in use.
Our continued investment in security
Security is at the core of our product, brand, and company culture. In addition to the work that goes into new feature releases, some areas we continually invest in include:
- Honoring our internal threat model
- An ongoing bug bounty program with HackerOne
- Engaging third parties for security audits
- Adhering to industry best practices, such as SOC 2
- Being a member of industry communities, such as the FIDO Alliance, and implementing new security-minded protocols such as WebAuthn
No security system is infallible, so the way we keep our customers’ data safest is by acknowledging all the potential risks, staying proactive, and building plans to ensure any security incident has minimal impact. We have never had a security incident, but that doesn’t mean we can take a lax approach.
Want to take an even deeper dive into our security? Read our white paper.