
Enhancing the protection of the password manager database using a smart security key.

Assumption

Password manager users face at least one problem: the master password itself. Having to remember it and type it whenever necessary may be a hassle. Insufficient entropy for a strong key derivation, and entry of the master password via the keyboard, may pose security risks.

The risks may be even higher in the case of passwords shared within a team or organization. Here, all shared passwords are only as secure as the weakest master password within the team.

Another major risk may come from leaving the password manager database unlocked on a potentially insecure client device for an extended period of time. This potentially makes all passwords and secrets in the database vulnerable to malware and supply chain attack vectors.

Solution & Proposal

Integrating the password manager with Crayonic's smart security key can significantly enhance the protection of users' secrets, reduce user errors, and protect them against the most common attack vectors.

We propose to integrate the Crayonic KeyVault as a complement to the password manager, matching the existing password manager business model.

From the architecture point of view, we suggest splitting the password-manager-specific key management from the actual management of passwords. To increase security, and even usability, these two systems should work independently of each other in two distinct environments.

Technical Summary

We propose to encrypt each password or secret in the password database individually, with a unique encryption key derived from strong entropy. Each individual password is likewise decrypted inside the smart security key only just before the password manager's autofill feature injects it. Before a password is decrypted with its unique key, derived inside the hardware security key, the user must authorize the decryption on the security key itself, after a visual check and confirmation on the device display.
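As an added illustration of that split (constructed for this page, not Crayonic's SDK or firmware), the simulation below keeps the seed and all per-entry keys inside a device object, stores only ciphertext on the client side, and refuses to decrypt an entry until an approval callback, standing in for the display check and fingerprint or PIN confirmation, returns true. It assumes HKDF-SHA256 for per-entry key derivation and uses an HMAC-based counter-mode cipher with encrypt-then-MAC in place of hardware AES so it runs on the Python standard library alone.

```python
import hashlib
import hmac
import os
from typing import Callable

# Constructed simulation of the proposed split (not Crayonic's code): the device
# holds the seed and derives/uses per-entry keys; the client database stores only
# ciphertext. HMAC-SHA256 stands in for hardware AES so it runs on stdlib alone.

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF: extract a PRK from the seed, expand it per entry."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || ctr) blocks, truncated to n bytes."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

class SecurityKeyDevice:
    """Keys are derived and used inside this object and never returned to the caller."""
    def __init__(self, seed: bytes, approve: Callable[[str], bool]):
        self._seed = seed          # the single offline recovery seed
        self._approve = approve    # stands in for on-device display + fingerprint/PIN

    def _entry_key(self, entry_id: str) -> bytes:
        return hkdf_sha256(self._seed, b"pm-entry-key", entry_id.encode())

    def seal(self, entry_id: str, secret: bytes) -> bytes:
        """Encrypt-then-MAC one entry under its own key; returns nonce||ct||tag."""
        key, nonce = self._entry_key(entry_id), os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(secret, keystream(key, nonce, len(secret))))
        tag = hmac.new(key, entry_id.encode() + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def open(self, entry_id: str, blob: bytes) -> bytes:
        """Decrypt one entry, only after the user confirms it on the device."""
        if not self._approve(entry_id):
            raise PermissionError("decryption of %r not confirmed on device" % entry_id)
        key = self._entry_key(entry_id)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(key, entry_id.encode() + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("entry %r was modified in the database" % entry_id)
        return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))
```

A second device constructed from the same seed opens the same blobs, which is the recovery property the proposal relies on; a blob re-labelled with another entry id fails the tag check because each entry has its own key.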

Integration with the password manager could be done via SDK or directly by Crayonic.

Benefits

The solution prevents the theft of the password database due to user errors, weak master passwords, malware on the client device, and possible supply chain attacks on the password manager software stack.

Furthermore, if deployed in a team or across an organization, the shared passwords are not open to attack by the weakest master password and keys can be securely rotated as passwords are being used.

Crayonic sees the following user benefits in complementing the password manager with a smart security key:

  1. A single recovery seed, stored offline. It replaces a weak master password generated by the user and thereby eliminates all brute force and password spraying attacks.

  2. Unified user experience. Whether on PC, mobile, or tablet, the user leverages the same biometric authentication for passwordless login or for authorizing the use of a password stored in the database.

  3. Always encrypted password database. No keys ever touch the insecure user devices. Based on the user's explicit approval by fingerprint biometrics or PIN code, the smart security key decrypts only one particular password, ad hoc and on a per-use basis.

Other benefits for the end-user may include:

  • Enabling passwordless access via FIDO standards to supporting services.

  • Key recovery or key custody. The user only needs one single seed to recover a lost smart security key, without a need for a backup device.

  • Enabling X.509 access via PKI supporting services.

  • More secure OTP experience, independent from the smartphone.

  • Backup of password database within the smart security key mass storage itself for offline environments.

  • Automatic key rotation for extra security, including shared passwords.

  • Protection from all currently known attack vectors on password managers.

Business Model

Crayonic offers the KeyVault smart security key for a yearly fee as a private-label product or a ready-to-deliver product under Crayonic's brand. This fee includes the hardware, accessories, and firmware updates. Optionally, the service of HSM-secured custody of keys for disaster recovery can be offered as well.

The password manager vendor may offer Crayonic KeyVault as a complement to the existing functionalities of the password manager or as another higher-priced subscription tier.

Crayonic delivers the smart security keys directly to the customer and provides L2 support.

In enterprise environments, the password manager vendor and its partners can leverage the KeyVault for, e.g., certificate-based authentication, e-signing, data encryption or physical access use cases. These will be treated as separate projects and quoted individually.

Next Step

Book a meeting with Crayonic to discuss the partnership options via www.crayonic.com/calendar