So, we have all seen the recent struggles with LastPass as discussed here. I am one of the last people to consider moving on from LastPass as I have run it at several companies including in the government space. Over the weekend, I made the decision to move on. Dashlane is our likely solution, which has some great value for us and mostly the same experience. Migrating from LastPass Enterprise to Dashlane for Business isn’t super simple, but once done this is a solution that should help us move onward and upward. Today, we will cover a few topics: (1) What is Dashlane), (2) Setting up the Encryption/SSO/SCIM service, (3) Provisioning via Okta, (4) Deploying the Addin via Workspace ONE, (5) and transitioning vaults. Let’s get started!

What is Dashlane?

Dashlane is a password manager that is used primarily in the browser. Let’s cover how user data is protected in Dashlane as that is what we care about.

Dashlane User Security

User Data is secured with:

• The User Master Password, which is ONLY stored if a user leverages the “Remember my Master Password” feature when logging in
• Local Storage might use an intermediate key (random 32-byte) encrypted with a hash from the Master Password
• A unique User Device Key for every registered device enabled by the user (used for authentication and auto-generated by that device itself)

A few other tenets of their security are:

• The Master Password is used to generate a symmetric AES-256 key for encryption and decryption of the user’s personal data on their device leveraging the Webcrypto API and native libraries (for iOS and Android)
• Upon decryption data is loaded into memory. With this, individual passwords are decrypted when they need to be used, named pipes or web sockets will send each password by a different process from core to plugins (but are AES-encrypted first). They also use Argon2d (or PKBDF2) derivation to compute the AES keys to protect against brute force attacks.
• When Master Passwords are reset, all devices will need to be re-registered as the keys are destroyed.

Dashlane Authentication Flow

The various authentication flows are useful to understand how many of their security principals work.

First, this is their authentication flow (note that the master password isn’t used for server authentication):

Now, we look at the flow when adding a new device:

Dashlane Data Security with Shared Credentials

The process for sharing credentials between users is also done fairly well:

1. User A asks Dashlane for User B’s Public Key
2. User A generates an AES-256 key with crypto-secure random functions on each platform called the ObjectKey (note its unique per item)
3. User A encrypts the ObjectKey with User B’s public key creating a UserB EncryptedObjectKey
4. User A sends that key to Dashlane’s servers
5. User A encrypts her credential with the ObjectKey using AES-CBC and HMAC-SHA2 creating an EncryptedCredential and sends it to Dashlane’s servers
6. When User B logs in, Dashlane sends him a sharing request from User A.
7. User B accepts that request and signs an acceptance with his private key
8. Dashlane’s servers send User B the EncryptedObjectKey and the EncryptedCredential
9. User B decrypts the EncryptedObjectKey with his private key to get the ObjectKey
10. User B decrypts the EncryptedCredential with the ObjectKey and adds User A’s shared credential to his own personal vault.

Group sharing uses the same principal leveraging public and private RSA-2048-bit keys and intermediate keys to ensure your logins are secure.

Dashlane Encryption Service

The Dashlane Encryption Service is a required component if you want to leverage SCIM and SSO capabilities (basically Single Sign-On and Automated Provisioning of Users and Groups).

The minor frustration with this service is they are the ONLY provider that makes you host your own SSO service to integrate with your IDP like Ping or Okta. However, the benefit is that end-to-end encryption and encrypted sharing keys are not capabilities you can typically get out of the box. The DES lets you seamlessly integrate Dashlane with these capabilities while keeping encryption keys secure and a strong user experience. Dashlane likes to tout:

I will say that owning your own encryption keys is great despite having to pay for something like Azure App Services. The service will give you the following:

• User encryption key during login
• Group encryption key during SCIM directory synchronization

The architecture of the encryption service looks like this:

The good news is that your encryption service is relatively easy to setup. Let’s check out the video below to see how easy it is.

Setting up the Dashlane Encryption Service

As you saw, it’s pretty simple on Azure. Overall, not a huge deal. Let’s move onto how you get SSO setup.

Setting up Dashlane SSO

We don’t really need a video for setting up Dashlane SSO as it’s super simple. First, you will add the domain, then you add TXT records at your DNS site, and validate. Not too complicated:

We won’t waste any time there since you have probably done it for every other product. Once that is done, I setup my SSO inside of Workspace ONE Access but you can really do it anywhere. In our next video, we will cover setting up Dashlane inside of Okta including the SSO portion of it. That will be easiest so you can see the entire flow setup.

Setting up Dashlane in Okta

Deploying the Dashlane Add-In via Workspace ONE

My recommendation is to deploy Dashlane using scripts instead of product provisioning. You can access my script you can deploy here, but let’s look at the code real quick:

$KeyPath = "HKLM:\Software\Policies\Microsoft\Edge\ExtensionInstallForcelist"
$KeyName = "2"
$KeyType = "String"
$KeyValue = "gehmmocbbkpblljhkekmfhjpfbkclbph"
if(!(Test-Path $KeyPath)) {
    try {
        #Create registry path
        New-Item -Path $KeyPath -ItemType RegistryKey -Force -ErrorAction Stop
		New-Item -Path $KeyPathSettings -ItemType RegistryKey -Force -ErrorAction Stop
    }
    catch {
        Write-Output "FAILED to create the registry path"
    }
}

#Verify if the registry key already exists
if(!((Get-ItemProperty $KeyPath).$KeyName)) {
    try {
        #Create registry key 
        New-ItemProperty -Path $KeyPath -Name $KeyName -PropertyType $KeyType -Value $KeyValue
    }
    catch {
        Write-Output "FAILED to create the registry key"
    }
    }

It’s a pretty simple script. The main key is to modify the KeyName if you have a number of add-ons you are already deploying. I’m deploying 2 so I modified it as such. It’s pretty simple overall. If you want to plan for Chrome use this one here. I don’t really cover Chrome in this because you should be using Chrome Cloud Management, which I have covered in the past.

One other thing you may want to do is disable password managers. Here is a script to do that for Edge:

$KeyPath = "HKLM:\Software\Policies\Microsoft\Edge"
$KeyName = "PasswordManagerEnabled"
$KeyType = "Dword"
$KeyValue = "0"
if(!(Test-Path $KeyPath)) {
    try {
        #Create registry path
        New-Item -Path $KeyPath -ItemType RegistryKey -Force -ErrorAction Stop
		New-Item -Path $KeyPathSettings -ItemType RegistryKey -Force -ErrorAction Stop
    }
    catch {
        Write-Output "FAILED to create the registry path"
    }
}

#Verify if the registry key already exists
if(!((Get-ItemProperty $KeyPath).$KeyName)) {
    try {
        #Create registry key 
        New-ItemProperty -Path $KeyPath -Name $KeyName -PropertyType $KeyType -Value $KeyValue
    }
    catch {
        Write-Output "FAILED to create the registry key"
    }
    }

Ideally, I would probably recommend leveraging Freestyle Orchestrator to deploy both the Dashlane Plug-In script and this script together. I will put in a video for that at a later time.

Transitioning Vaults to Dashlane

One area that is a bit confusing is migrating vaults. As you saw earlier, we leverage Okta to push groups aka sync Okta groups to groups inside of Dashlane. The problem we mainly have is sharing out those credentials. The API documentation isn’t particularly helpful either. Essentially we click the “Share” button in the Web App:

Once we select items, we click “Next” and then we click on a group to share them with:

Finally, we decide what rights to give people:

Inevitably, it’s a low-tech solution for sharing, but its easily done nevertheless. I would prefer a way to manage the sharing via API, but maybe in the future!

Final Thoughts

As I said earlier, I have been an avid supporter of LastPass for a very long time. It breaks my heart to have to move in another direction now given the state of things. Dashlane does have some additional costs, but the ease of mind with a company that lets you own your encryption keys and elevates your Identity Management game is a win-win. It’s nice to see that I was able to leverage my friends in Workspace ONE and Okta to further this journey with an elevated user experience.