Securing Password Management Using AWS Nitro Enclaves with Dashlane

A cornerstone of Dashlane’s security is zero-knowledge architecture, which means that the only entity that can access a customer’s data is the customer. Over 15 million individuals and 20,000 organizations worldwide use Dashlane’s browser extension or iOS and Android mobile applications to securely store passwords, payment means, and identity information and to autofill forms and log-ins online. Customers value that Dashlane is simple to onboard and use daily.

Although Dashlane’s original SSO integration checked the secure box, it did not check the convenient box. Organizations could connect their SSO identity provider to Dashlane only if they could host their own SSO keys. However, many of Dashlane’s customers were too small to have their own infrastructure and IT teams. Those that did still needed a lot of support from Dashlane to install the feature.

Since it was founded in 2009, Dashlane has exclusively used AWS as a cloud provider, using services such as Amazon Elastic Compute Cloud (Amazon EC2), which offers secure and resizable compute capacity for virtually any workload. AWS shares Dashlane’s commitment to security and has virtually zero access to customer data. When AWS launched AWS Nitro Enclaves, which organizations can use to create isolated compute environments to further protect and securely process highly sensitive data within Amazon EC2 instances, Dashlane knew it would be a good fit. By hosting the SSO keys in AWS Nitro Enclaves, Dashlane wouldn’t have access to customer data and customers wouldn’t need to self-host.

Dashlane wanted the SSO integration to offer IT administrators a secure and more convenient customer experience. The company invested in research and development to identify the best technical solution before its engineers began building the backend. Besides re-architecting Dashlane’s SSO solution, the engineers learned to use AWS Nitro Enclaves and the integration with AWS Key Management Service (AWS KMS), which Dashlane uses to create, manage, and control cryptographic keys across its applications and AWS services.

Dashlane initially rolled out the feature to 10 customers for beta testing and then slowly added more in a public beta test in April 2023. The feature launched in May 2023 after 1 year of research and development.

Today, if customers want to integrate their SSO with Dashlane, they can configure it with just a few clicks. “Customers love the simplicity of our Confidential SSO solution,” says Frederic Rivain, chief technology officer at Dashlane. “SSO with the self-hosted encryption service was part of our offering for 3 years, but a limited number of customers used it because it was difficult to adopt.”

Now, deployment is simpler for customers and Dashlane’s sales engineering team. “Previously, our team helped customers set up their SSO,” says Rivain. “There was always a configuration specific to each organization and its identity provider. That required a lot of internal support. Today, customers need way less configuration support, which makes us more scalable.”

Running on a software-as-a-service basis makes the Confidential SSO feature more scalable. Instead of helping each customer deploy the solution, Dashlane deploys the solution once for all its client applications (iOS, Android, and browser extensions) and can simply scale it on AWS.

Dashlane’s Confidential SSO feature on AWS also saves the development team time because it runs on open standards, such as Security Assertion Markup Language, for exchanging authentication and authorization data between an identity provider and a service provider. “Our competition builds solutions specific to identity providers, but our solution is agnostic,” says Cyril Leclerc, chief information security officer at Dashlane. “It’s simple for our user base and for us because we don’t need to build multiple versions.”

Confidential SSO on AWS Nitro Enclaves doesn’t compromise on data protection for simplicity’s sake. “We have built a service that—if exposed servers such as our APIs are compromised—leaks nothing because AWS Nitro Enclaves offers an isolated, hardened, and highly constrained environment,” says Leclerc. “The exposed surface is much smaller, and the encryption keys are better protected.” Even if the servers are compromised, the enclaves and the cryptographic materials they contain won’t be.