Account Recovery provides business users with a simple and secure way to recover access to their Dashlane account, should they forget their Master Password.
Our patented process leverages the role of the account admin to guarantee the user's identity, all while preserving our zero-knowledge architecture. Once enabled, if a user forgets their Master Password, they can rest assured their data can be recovered.
Overview of Account Recovery
To use Account Recovery, you must have a business account. An admin on your account must also have already enabled the feature (see "Enabling Account Recovery," below).
Your Dashlane apps must also be upgraded to the following versions:
- Windows: 5.0 or higher
- Mac: 5.3 or higher
- iOS: 5.0 or higher
Account Recovery is currently unavailable on Android and the web app.
Enabling Account Recovery
Admins can enable Account Recovery from within the Admin Console (Settings > Account Recovery). Admins will be prompted for their Master Password to confirm the setting.
Once Account Recovery is enabled, all users on the account will receive an in-app notification.
If you choose to setup Zero-Knowledge Account Recovery, you need to click Ok, log out of your Dashlane desktop application and log back in on the same device. This last step is required to complete a future Account Recovery request.
Opting out of Account Recovery
For privacy reasons, each user has the option to disable the feature for their account. Users can re-enable it at any time from the desktop app. To disable the feature, simply log into your Dashlane desktop application, select Disable Account Recovery on the pop-up, or uncheck the Account Recovery feature in your Security settings.
Sending a recovery request
Once Account Recovery is enabled, users can request an admin’s approval to recover access to their account.
A recovery request can only be sent from a previously authenticated device.
A recovery request can be made by selecting “Forgot your password?” on the app login screen. Users are asked to verify their account – using two-factor authentication when available – and create a new Master Password as part of the request.
Important: The recovery can only be completed on the same device from where the user sent the recovery request. If users try to use their new Master Password on a different device before completing the request, they will receive an invalid password error message, without any mention of the pending recovery attempt.
Once a request has been made, the plan's admins will receive notification by email and on the Admin Console. The requester will need to wait for an admin of their business plan to respond.
Cancelling a recovery request
Users can cancel recovery requests at any time before an Admin responds.
Answering a recovery request
When a team member sends a recovery request, an email notification is sent to all the admins of that user's business plan.
Notification badges are also displayed in the Admin Console on the Activity Log tab, where admins can review and approve or deny recovery requests.
We strongly recommend admins validate the authenticity of users’ requests in person where possible.
Recovering account access
Users receive an email notification once an admin has responded to their recovery request.
If approved, users can recover access to their account by logging into Dashlane using their new Master Password. Note that all devices using Dashlane will need to be re-authenticated following recovery.
If denied, users should contact their admin(s) to understand why before sending a new request.
A user's entire vault is recovered—the data from both their personal and business space data. Note that admins do not have access to users' personal information at any point in the recovery process.
Are emergency contacts or sharing through Dashlane affected by Account Recovery?
No. Any shares between users will be intact and emergency contacts remain in place.
Do Account Recovery requests expire?
Can an admin recover their own request?
No. We recommend having more than one admin on your account if admins would like to have the option to recover their accounts.
Can an admin disable Account Recovery when there is a pending request?
What happens if a request is made and then the user is revoked?
Revoked users do not have access to Account Recovery, which is currently only available for business users.
Why do users have to re-authenticate all their devices after recovering their account?
Account Recovery requires users to change their Master Password. Any time a user’s Master Password is changed, all previously authenticated devices must be re-authenticated for security reasons.
Why can users disable Account Recovery?
Account Recovery allows admins to help users recover their accounts. We understand some users may prefer to not have this option. For privacy reasons, we allow users to opt out for their account. Users can opt back in at a later time if they choose.
How can admins know which users have disabled Account Recovery?
We will provide this level of reporting in the Admin Console in the future.
How does Zero-Knowledge Account Recovery work?
We recommend reviewing our Security Whitepaper. Dashlane does not send nor store any users' Master Password on its servers, including during the Account Recovery process.
Will an Account Recovery request work if the user was removed from a plan before being added back?
No. An Account Recovery request can only work if the secret key established when the Account Recovery was set up is still valid. Removing a user from your plan will invalidate that user’s key.