Password Vault Security
The Password Manager SDK is designed to securely store a user's most important and sensitive data, including login credentials, credit cards and bank account details. To properly safeguard this data, the Password Manager leverages strong encryption and two layers of authentication to access the encrypted data.
To provide strong encryption and the ability to access the same data on multiple devices, the Password Manager SDK uses a combination of randomly generated secret code and user-chosen master password to generate the vault encryption key.
The first time that a user signs into the Sudo Platform and accesses the Password Manager SDK, a unique 42-character secret code is automatically generated and stored on the device. It is recommended that this secret code is downloaded by the user, but it can be accessed later on any device where the Password Manager is installed. It will be required if the user chooses to re-install their application or activate the Password Manager on a new device. The secret code is used as one of the inputs to the vault encryption key.
After the secret key is generated, the user is prompted to create a master password. It is recommended that a strong password is used, but it will be combined with the secret code to create a strong vault encryption key. The master password is not stored on the device, but instead is written down by the user or committed to memory. If the user forgets the master password, they will not be able to access their encrypted data in the future.
After the master password is created, the vault encryption key is derived from the combination of the master password and the secret code. Because the key is derived from these two inputs, it can be re-derived on other devices using those inputs. This removes the need to sync the vault encryption key across devices, ensuring that it never leaves the user's device. Using these two inputs, the vault encryption key that is generated is an AES 256-bit key. This provides the user with strong encryption to protect their Password Manager data.
Although strong encryption using an AES-256 key, derived from the master password and secret code, makes it extremely difficult to decrypt vault data, access to the encrypted data must be carefully protected, as well. This is achieved through two levels of authentication.
First, the user must be authenticated into the Sudo Platform. When a user signs into the Sudo Platform, typically via a customer's Identity Provider (IdP), the Sudo Platform issues OpenID Connect (OIDC) authentication tokens. Valid Sudo Platform tokens are required to access any service in the Sudo Platform, including the Password Manager service. These tokens expire after a set amount of time, requiring them to be refreshed prior to expiration or by having the user sign in again.
Second, an additional level of authentication is required to access the signed-in user's encrypted vault data. This additional protection uses Secure Remote Password (SRP) to securely validate that the user has access to the secret code and master password used to derive the encryption key described in the previous section. SRP is a well-established protocol that is used to verify that a user is in possession of credentials without actually transmitting them from the device to the backend services.
When a user first signs into the Password Manager and creates a vault, an SRP "verifier" is generated using the secret code and master password. The SRP "verifier" is a cryptographic signature that can later be used to verify that the user is in possession of the secret code and master password. The "verifier" and authentication salt are stored in the Password Manager service so that it can be used the next time the user attempts to access the encrypted data.
On subsequent attempts to access the user's encrypted data, an SRP "proof" is sent to the Sudo Platform that requires a One-Time Password (OTP). This "proof" is derived from the master password and secret code but is generated directly on the device, so they are never sent to the Sudo Platform. When the "proof" is received by the Sudo Platform, it is cryptographically compared to the original "verifier". If the comparison is successful, the OTP is provided. The OTP, along with the user's Platform authentication tokens, can then be used to access the user's encrypted vault data. Once the OTP is used, a new one must be requested to access the encrypted data again.
The combination of strong encryption and protected access to the encrypted vault data ensures that the user's secret data is well-protected. Using a password manager is critical to ensuring that user's are following best practices for their credentials, such as generating unique, strong passwords. The Password Manager SDK enables our customers to leverage password manager capabilities while ensuring the highest level of security, protection and privacy for their users.