Forgot Your Password? Introducing Zero-Knowledge Account Recovery for Dashlane Business
With Dashlane Business, users only need to remember one password, their Master Password. For security, it should be strong and unique. We don’t have access to it or their data. Ever. So, what happens if users forget their password?
Today, we’re introducing Account Recovery: a patent-pending solution for Dashlane Business users to reset their Master Passwords based on a zero-knowledge architecture, without losing any of their data. With Account Recovery, an optional setting in the Admin Console, admins can provide employees a simple and secure way to regain access to Dashlane in the case of a forgotten Master Password, without sharing any personal data.
Traditional Password Resets
Most digital services store information on their servers to provide value to their users. For example, a note-taking app will generally store users’ notes on its servers to sync them across devices. In general, an authentication system, such as a login and password, is used to grant users access to their information. In these cases, the role of the password is to ensure that the person accessing the data is authorized to do so. If a user forgets the password used for authentication, the service can help them create a new password after verifying they are indeed the owner of the account. Such verification can be done by following a link in an email and answering a secret question. This system implies that the service can always access users’ data on its servers.
Why Dashlane is Different
For services that handle very sensitive data, such as password managers or other security tools, authentication needs to be different. At Dashlane, we built our company around one core principle: a zero-knowledge architecture. We don’t have access to any user data on our servers, and a user’s Master Password is used not only to grant access, but to encrypt the data locally on the user’s device. No Master Password is ever sent to our servers or stored anywhere by Dashlane.
This type of zero-knowledge architecture ensures we absolutely cannot access users’ data, thus ensuring security and privacy. One key issue with this architecture is that resetting the Master Password in the event a user has forgotten it implies losing all the user’s previously stored data. We do not have any way to decrypt it without the Master Password, nor any way to trigger a traditional password reset. However, we’ve been working on a patent-pending solution for Dashlane Business that maintains security and zero-knowledge.
How We Offer Zero-Knowledge Account Recovery
Account Recovery is an opt-in feature for both admins and their employees. Admins can enable Account Recovery in the Admin Console, and employees can opt in to it at their next login to Dashlane.
With Account Recovery enabled, users can initiate the recovery process by clicking “Forgot my password?” from the app login screen. Users verify their email address using a security token sent by email, mobile authenticator, or by using a security key. From there, they create a new Master Password, which sends an Account Recovery request to the admin(s) on a Dashlane Business account.
An important step of the recovery process is the verification of the requester’s identity. It is up to the admin, acting as a trusted third party, to ensure the user requesting recovery is indeed the owner of the account. If the admin approves the request, the requester can then use their new Master Password to regain access to Dashlane.
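The two ideas above, the zero-knowledge trade-off (a key derived from the Master Password encrypts the vault on the device, so a forgotten password means a vault nobody can decrypt) and the opt-in, admin-approved recovery flow, can be modelled in a few dozen lines. The following is an added example written for this page; it is not Dashlane’s code and does not describe the patent-pending protocol the post refers to, which the page leaves to the Security Whitepaper. It assumes a generic design in which a random vault key is wrapped under the password-derived key, and, when the user opts in, a second copy of the vault key is wrapped under a recovery key that only the admin can use. The cipher is a stand-in AEAD built from HMAC-SHA256 so the example runs on the Python standard library alone; the PBKDF2 cost, salt sizes and record layout are illustrative assumptions.

```python
"""Illustrative zero-knowledge vault with an opt-in, admin-approved recovery path.
Added example: not Dashlane's code and not the protocol the post refers to.
A stand-in AEAD built from HMAC-SHA256 replaces a real cipher such as AES-GCM."""
import hashlib
import hmac
import os
from typing import Optional

KDF_ITERATIONS = 100_000  # assumption: illustrative PBKDF2 cost, not Dashlane's


def derive_key(password: str, salt: bytes) -> bytes:
    """Turn a Master Password into a 32-byte key. Runs only on the user's device."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def _subkey(key: bytes, purpose: bytes) -> bytes:
    """Domain-separate one key into an encryption key and a MAC key."""
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a 32-byte key; output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError when the key is wrong or data was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or corrupted data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def enroll(password: str, vault: bytes, admin_recovery_key: Optional[bytes] = None) -> dict:
    """Build the record the service stores: a salt and ciphertext only. Neither the
    Master Password nor any key ever leaves the device in the clear."""
    vault_key = os.urandom(32)          # random data key, wrapped rather than derived
    salt = os.urandom(16)
    record = {
        "salt": salt,
        "wrapped_vault_key": seal(derive_key(password, salt), vault_key),
        "encrypted_vault": seal(vault_key, vault),
    }
    if admin_recovery_key is not None:  # the user's opt-in: escrow a second wrap
        record["escrowed_vault_key"] = seal(admin_recovery_key, vault_key)
    return record


def unlock(record: dict, password: str) -> bytes:
    """Decrypt the vault on the device. Fails closed on a wrong Master Password."""
    vault_key = open_sealed(derive_key(password, record["salt"]), record["wrapped_vault_key"])
    return open_sealed(vault_key, record["encrypted_vault"])


def can_unlock(record: dict, password: str) -> bool:
    try:
        unlock(record, password)
        return True
    except ValueError:
        return False


def change_password(record: dict, old_password: str, new_password: str) -> dict:
    """Ordinary change: the old password unwraps the vault key and the new one
    re-wraps it. The encrypted vault itself is untouched."""
    vault_key = open_sealed(derive_key(old_password, record["salt"]), record["wrapped_vault_key"])
    new_salt = os.urandom(16)
    return {**record, "salt": new_salt,
            "wrapped_vault_key": seal(derive_key(new_password, new_salt), vault_key)}


def admin_recover(record: dict, admin_recovery_key: bytes, new_password: str) -> dict:
    """Approved recovery without the old password: the escrowed copy of the vault key
    is re-wrapped under the key derived from the user's new Master Password. Without
    an escrowed copy (no opt-in) there is nothing to recover and the data is lost."""
    if "escrowed_vault_key" not in record:
        raise LookupError("account recovery was not enabled for this user")
    vault_key = open_sealed(admin_recovery_key, record["escrowed_vault_key"])
    new_salt = os.urandom(16)
    return {**record, "salt": new_salt,
            "wrapped_vault_key": seal(derive_key(new_password, new_salt), vault_key)}
```

Two properties are worth checking against this model. First, the service’s record contains no password and no usable key, so a wrong Master Password fails the MAC check rather than yielding garbage, and a reset without the old password is impossible unless the user opted in beforehand. Second, whoever holds `admin_recovery_key` can reach the vault key, which is exactly why the post makes the admin a trusted third party whose identity verification of the requester is the critical step; how Dashlane keeps that recovery material away from its own servers is not described on this page.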
Account Recovery is now available to all Dashlane Business accounts on Windows, Mac and iOS. Android will be made available in 2018. For more information, visit our Help Center. Or, for a technical briefing, grab a coffee and read our Security Whitepaper.