Account Recovery provides business users with a simple and secure way to recover access to their Dashlane account if they forget their Master Password.
Our patented process leverages the role of the account admin to guarantee the user’s identity, all while preserving our zero-knowledge architecture. Once enabled, if a user forgets their Master Password, they can rest assured that they can recover their data.
Overview of Account Recovery
To use Account Recovery:
- You must have a Dashlane business account.
- Your Dashlane admin must have enabled the feature.
- Your Dashlane apps must be running the following versions:
- Chrome extension: 6.2121.1 or higher
- Firefox extension: 6.2121.1 or higher
Account Recovery is not available on mobile or in the Safari app.
Enabling Account Recovery
An admin can choose to enable the Account Recovery feature in the Dashlane Admin Console (Settings > Account Recovery). The admin will be prompted for their Master Password to confirm the setting.
Once the Account Recovery feature is enabled, all team members will receive an activation notification the next time they log in.
To enable Account Recovery for your account, select Activate Account Recovery.
Opting out of Account Recovery
For privacy reasons, each team member has the option to disable the Account Recovery feature for their account and can re-enable it at any time.
To disable Account Recovery for your account, select Not now on the web app in the popup that you receive after your admin has enabled Account Recovery for your team.
If you have already enabled it but change your mind later, you can disable Account Recovery in your Security settings by going to My account > Security settings > Account Recovery.
Sending a recovery request
Once an admin has enabled the Account Recovery feature and a user has activated it, the user can request admin approval to recover access to their account.
Users can make a recovery request by selecting Forgot your password? on the web app login screen or Forgot password? on the login screen from the extension popup.
Users are asked to verify their account—using two-factor authentication when available—and create a new Master Password as part of the request.
- Users must send a recovery request from a previously authenticated device. Each browser is considered a device and must be authenticated, so you cannot send a recovery request from a new browser that hasn’t been authenticated. Similarly, uninstalling and reinstalling the extension or clearing your cookies will remove the secret key established when the user enabled Account Recovery, and your extension will be considered a new device.
- Users must complete the recovery on the same device used to send the recovery request. If a user tries to use their new Master Password on a different device before completing the request, the user will receive an invalid password error message without any mention of the pending recovery attempt.
When a user sends a recovery request, Dashlane sends an email notification to all admins of that user’s business plan. The user must wait for an admin of their business plan to respond.
Canceling a recovery request
Team members can cancel recovery requests before an Admin responds.
Answering a recovery request
When a team member sends a recovery request, Dashlane sends an email notification to all admins of that user’s business plan.
Notification badges display in the Admin Console on the Activity Log tab where admins can review and approve or deny recovery requests.
Important: We strongly recommend that admins validate the authenticity of requests in person when possible.
Recovering account access
The user will receive an email notification when an admin responds to their recovery request.
If approved, the user can recover access to their account by clicking the Log in to Dashlane link in that email and entering their new Master Password. Note that all devices using Dashlane will need to be re-authenticated following recovery.
If denied, users should contact their admin(s) to understand why before sending a new request.
The user can now recover their entire vault, including the data from both their personal and business spaces. Note that admins do not have access to users’ personal information at any point in the recovery process.
Are emergency contacts or shared items affected by Account Recovery?
No. Any items shared between users will be intact, and emergency contacts will remain in place.
Do Account Recovery requests expire?
Can an admin recover their own request?
No. We recommend having more than one admin on your account if admins would like to have the option to recover their accounts.
Can an admin disable Account Recovery when there is a pending request?
What happens if a request is made and then the user is revoked?
Revoked users do not have access to Account Recovery, which is currently available only for business users.
Why do users have to re-authenticate all their devices after recovering their accounts?
Account Recovery requires a user to change their Master Password. Any time a user’s Master Password is changed, all previously authenticated devices must be re-authenticated for security reasons.
Why can users disable Account Recovery?
Account Recovery allows admins to help users recover their accounts. We understand that some users may prefer not to have this option available. For privacy reasons, we allow users to opt out of their accounts. Users can always opt back in later.
How can admins know which users have disabled Account Recovery?
Dashlane will provide this level of reporting in the Admin Console in the future.
How does Zero-Knowledge Account Recovery work?
We recommend reviewing our Security Whitepaper. Dashlane does not send nor store any users’ Master Passwords on its servers, including during the Account Recovery process.
Will an Account Recovery request work if the user was removed from a plan before being added back?
No. An Account Recovery request can work only if the secret key established when Account Recovery was set up is still valid. Removing a user from your plan will invalidate that user’s key.