Unlocking a Seamless Login Experience for SSO Users: Dashlane’s SSO Autologin
Logging in to websites and online services can be a hassle, especially when it happens multiple times a day. That’s what Dashlane is made for: Eliminating the need to remember—and inevitably forget and reset—dozens or hundreds of logins. But what about logging in to Dashlane itself?
Today, we're excited to share a behind-the-scenes look at our journey in making our SSO users' login experience more enjoyable and seamless without compromising security.
The user experience challenge
Single sign-on (SSO) is great. It allows employees to authenticate into all their services through one single portal, with one single account. Some of our users, however, have found logging into Dashlane using SSO to be a source of frustration, pushing us to explore ways to enhance their experience.
Among the pain points identified, the biggest were:
- Being logged out of Dashlane every time the browser gets closed
- Having to click the Dashlane extension logo, then the “Login with SSO” button to re-authenticate
The challenge was clear: How can we leverage your active session on your Identity Provider’s portal (Microsoft Azure, Okta, AWS Cognito, and so on) to reduce the steps needed to log into Dashlane without sacrificing the security that users trust and rely on?
Exploring solutions
With our users’ feedback in mind, we started investigating solutions combining user convenience and security. Through trial and error, we identified three ways to solve this challenge:
Solution 1: Keeping you logged in for an extended period
If accessing Dashlane through SSO each time you close your browser can be frustrating, then why not reduce the frequency at which you’re required to log in to a new browser? Unfortunately, it’s not as simple as that.
The Dashlane web app is a browser extension, which means that it’s at the mercy of your browser’s lifecycle. When your browser closes, all data that hasn’t been stored on the disk is cleared. This includes your session data, since browsers don’t yet offer a safe space to store sensitive data.
While this solution is currently used by some of our competitors, storing private keys and other critical data on disk was out of the question for us, as it wouldn’t meet our security standards and would break our zero-knowledge architecture.
Solution 2: Logging you in from the background
Given that, for security reasons, we must ask SSO users to re-authenticate to Dashlane through their Identity Provider (IdP) every time they open their browser, then why not try to do it on their behalf in the background?
The idea was that if the user’s IdP session was still active, loading the IdP page would automatically redirect to the Dashlane app and authenticate the user. We tried three ways to achieve this:
- Loading the IdP authorization URL into a hidden iframe that our extension controlled. However, we discovered that IdPs block their pages from being loaded in iframes for security reasons.
- Making all the required network requests to the IdP from our extension background (Service Worker). This didn’t solve our challenge either, since it would’ve required us to know our users' SSO credentials and provide them in the network requests.
- Leveraging Chrome’s Offscreen Document API to create an invisible page where we would load users' IdP page. We discovered that this API doesn’t allow us to load external URLs, only local assets bundled in the extension.
Solution 3: Automatically opening users' IdP in an unfocused tab
Because we couldn’t find a satisfactory way to log in users in the background while ensuring the right level of security, we explored an alternative solution that combined security with user-friendliness: Opening your IdP portal automatically for you upon browser startup. Below is an explanation of how it works.
How SSO Autologin works
Now, if you click “Log in with SSO” and go through the process as usual, you’ll notice that the next time you restart your laptop or open your browser, your Identity Provider’s portal opens up in an unfocused tab and logs you into Dashlane automatically. This unfocused tab will also self-close after five seconds of inactivity, for a seamless user experience. You get all the advantages of SSO with Dashlane, just with fewer steps.
Note: This feature works best when your browser is set to restore tabs on restart. Read this Help Center article to learn more.
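The startup flow described above, sketched as an added example for a Manifest V3 extension service worker; it is not Dashlane's code. The names `startAutologin`, `ssoAutologin`, `ssoEnabled` and `idpUrl` are hypothetical, and treating "inactivity" as "no updates in the tab" is an assumption. Only a non-secret flag and the IdP URL are read from storage, never keys.

```javascript
// Added sketch; every name here is hypothetical, not Dashlane's code.
const IDLE_CLOSE_MS = 5000; // the tab self-closes after five seconds of inactivity

// Accept only an absolute https URL, so a corrupted setting cannot open anything else.
function isSafeIdpUrl(value) {
  try {
    return new URL(value).protocol === "https:";
  } catch (_) {
    return false;
  }
}

// api: the extension `chrome` object; settings: non-secret values only
// ({ ssoEnabled, idpUrl }); timers: { set, clear }, injectable so it can be tested.
function startAutologin(api, settings, timers) {
  if (!settings || !settings.ssoEnabled || !isSafeIdpUrl(settings.idpUrl)) return false;
  // active: false opens the IdP page without stealing focus from the user's tab.
  api.tabs.create({ url: settings.idpUrl, active: false }, (tab) => {
    let handle = null;
    const close = () => {
      api.tabs.onUpdated.removeListener(onUpdated);
      // Reading lastError avoids a warning if the user already closed the tab.
      api.tabs.remove(tab.id, () => void api.runtime.lastError);
    };
    const arm = () => {
      if (handle !== null) timers.clear(handle);
      handle = timers.set(close, IDLE_CLOSE_MS);
    };
    // Assumption: any update in our tab (an IdP redirect) counts as activity.
    const onUpdated = (tabId) => { if (tabId === tab.id) arm(); };
    api.tabs.onUpdated.addListener(onUpdated);
    arm();
  });
  return true;
}

// Wire-up inside a real extension service worker; skipped when run outside a browser.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onStartup) {
  chrome.runtime.onStartup.addListener(() => {
    chrome.storage.local.get(["ssoAutologin"], (items) => {
      startAutologin(chrome, items.ssoAutologin, {
        set: (fn, ms) => setTimeout(fn, ms),
        clear: (h) => clearTimeout(h),
      });
    });
  });
}
```

The wire-up at the bottom needs the `storage` permission in the extension manifest.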
Dashlane’s mindset: Convenience & security
At Dashlane, we’re always striving to find ways to make your online life easier and more secure. In everything we do, we keep convenience and security as our top priorities.
Want to learn more about using a password manager and how your company might benefit? Watch this video.