What You Should Know about Dashlane’s Patented Security Architecture
Originally published June 16, 2016. Last updated May 12, 2023.
Security at Dashlane has always been a very strong focus for our Engineering team. As a leading password manager, Dashlane is responsible for the safety of the data of millions of users. In order to protect our users’ data, we take security into account at every stage of our software development, including the design of our architecture, coding and code reviews, tests, and security audits. Security is also a major factor in our product specification, design, communication, and documentation.
How we designed our security architecture
When we started developing the Dashlane Password Manager, we had to design how our users’ data would be protected. We began by listing all the criteria a good security model should have. Here are the three most important criteria we came up with:
- Simple: An essential aspect of any security architecture is its simplicity. A simple security architecture is easier to review, both for developers and for security researchers. It is also easier to understand globally and allows developers to modify it without having blind spots.
- Do not trust anything or anyone: We believe that good security architecture should never trust any server, code, or user it interacts with, including Dashlane’s servers. Even if we do everything we can to ensure our servers’ safety, we always work with the assumption that our servers could become the next target of a cybercriminal at any time. Our architectural choices must ensure that such an event, however unlikely it may be, does not break our security model.
- Resilient against common and known attacks: Security breaches happen every day. A good security model is naturally resistant to common attacks and breaches, such as theft and leaking of usernames and password hashes. In addition, the simplicity of the security model makes it easy for the world-class security team at Dashlane to continually monitor for recent attacks and vulnerabilities and ensure that Dashlane’s architecture is protected from any new exploits.
From Day 1, we designed our security model to meet or surpass all of those criteria. In March 2012, we submitted a security patent to the U.S. Patent and Trademark Office (USPTO) under the title “Cloud-based data backup and sync with local storage and access keys.” During this time, we had some back and forth with USPTO about amending our initial claims and description to ensure they captured the latest state-of-the-art and non-replicable technology. This culminated in the awarding of a patent in February 2016.
Here’s a quick rundown of our patented technology, which works by separating a user’s authentication process from their data ciphering process.
User data ciphering process
The algorithm used to cipher a user’s data is very simple and uses well-known standard practices. From a user’s Master Password, we derive a ciphering key using Argon2d (Argon2 is a state-of-the-art key derivation function). Then, we use AES-256 to cipher a user’s passwords, payment information, and personal information that is stored within Dashlane. Any stored data is always encrypted into an indecipherable string of random letters, numbers, and symbols, which is stored locally and on Dashlane servers for synchronization purposes. However, for your protection and our own, we never store your Master Password or any of its derivatives on our servers at any time.
User authentication process
User authentication is required in addition to ciphering a user’s data. For example, if I log into Dashlane for the first time on a new computer, I need to have a way to prove to Dashlane’s servers that I am Guillaume Maron, so Dashlane’s servers can provide me with my ciphered data.
Considering that a lot of cyberattacks target users’ password hashes, we didn’t want to rely on users’ Master Password hashes to authenticate. Instead, when a user logs into Dashlane for the first time on a new device, they are always prompted to enter a One Time Password (OTP) sent by email. During this first connection, a User Device Key is generated and sent to Dashlane’s servers to establish a trusted authentication link. As a result, in order to access a user’s data, an attacker would need to possess the user’s Master Password and also have access to one of their devices or access to their email. Dashlane also supports 2-factor authentication instead of using the OTP by email.
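The separation described in the two sections above (ciphering keyed by the Master Password, authentication keyed by the User Device Key) can be sketched as follows. This is an added example, not Dashlane's code: `SyncServer`, `encryptVault`, `decryptVault` and the `otpVerified` flag are hypothetical names, scrypt stands in for Argon2d because Node's built-in crypto module has no Argon2, and GCM is an assumed AES mode.

```javascript
// Added illustration, not Dashlane code. scrypt stands in for Argon2d (no Argon2
// in Node's built-in crypto); AES-256-GCM is an assumed mode (page says "AES-256").
const crypto = require('node:crypto');

// Client side: ciphering depends only on the Master Password.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32, { N: 1 << 14, r: 8, p: 1 });
}

function encryptVault(masterPassword, plaintext) {
  const salt = crypto.randomBytes(16), iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { salt, iv, ct, tag: c.getAuthTag() };
}

function decryptVault(masterPassword, blob) {
  const key = deriveKey(masterPassword, blob.salt);
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.iv);
  d.setAuthTag(blob.tag);
  try {
    return Buffer.concat([d.update(blob.ct), d.final()]).toString('utf8');
  } catch {
    return null; // wrong Master Password or tampered blob: tag check fails
  }
}

// Server side: authentication depends only on the User Device Key.
class SyncServer {
  constructor() { this.accounts = new Map(); }
  // otpVerified models a successful e-mail OTP check (delivery not shown).
  registerDevice(login, deviceKey, otpVerified) {
    if (!otpVerified) return false;
    if (!this.accounts.has(login)) this.accounts.set(login, { deviceKeys: new Set(), blob: null });
    this.accounts.get(login).deviceKeys.add(deviceKey);
    return true;
  }
  upload(login, deviceKey, blob) {
    const acct = this.accounts.get(login);
    if (!acct?.deviceKeys.has(deviceKey)) return false;
    acct.blob = blob;
    return true;
  }
  download(login, deviceKey) {
    const acct = this.accounts.get(login);
    return acct?.deviceKeys.has(deviceKey) ? acct.blob : null;
  }
}
```

The server object never receives the Master Password or the derived key, so a copy of its state yields only device keys and ciphertext.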
Since that first patent, we have continuously innovated and invested in improving the security of Dashlane while maintaining our fundamental security principles.
If you want to know more, don’t hesitate to check out our Security White Paper or contact us at security@dashlane.com.