OneAuth 3.0 - Enhanced encryption & sync logic of OTP secret keys | Zoho OneAuth

OneAuth 3.0: Enhanced encryption & sync logic of OTP secret keys

The need for encrypting OTP secret keys

In OneAuth, you can back up your OTP secret keys to Zoho Cloud so that they are synced across all your devices and can be restored whenever needed.
Info: "Secret key" refers to the alphanumeric key that is used to generate OTPs for your 2FA accounts. These keys are provided by your online account (such as Facebook or Twitter) in the form of a QR code or as plaintext.

During this backup process, we don't store your secret keys in plaintext. We encrypt your secret keys using a passphrase you set and then store them in Cloud. This encryption makes sure your secret keys stay confidential and known only to you, which means neither Zoho nor any attacker can see them.

There is another reason to encrypt your secret keys: to maintain their integrity and authenticity. Encryption makes sure the secret keys stored in Cloud are modified only by you and not by an attacker.

The encryption/sync logic used in version 2.0 and the concerns

The following are the practices in version 2.0 that we wanted to improve in version 3.0:

1. Usage of AES-ECB method

In v2.0, we used the AES-ECB method to convert your plaintext secret keys into ciphertext (i.e., the encrypted form of the secret keys). ECB is a rudimentary encryption method that creates identical ciphertext blocks for identical plaintext blocks. This makes the data susceptible to a replay attack, since an attacker could predict a pattern in how we encrypt the secret keys. Although this doesn't allow an attacker to read the encrypted data, there's a chance that the attacker can modify the data. That is, confidentiality is maintained, but integrity and authenticity cannot be guaranteed.

2. Encrypted passphrase in Cloud

In v2.0, we encrypted your passphrase and stored it in Zoho Cloud. When a user is unable to sign in with multi-factor authentication (MFA), they can use their passphrase to recover access to their account. During this account recovery, we check whether the user has entered the correct passphrase by comparing it with the encrypted passphrase in Cloud. Although the stored passphrase is not readable by Zoho or an attacker (since it is encrypted), it is susceptible to a man-in-the-middle attack.

3. Control of data loss

Once backup and sync is enabled, whenever you make changes to your OTP accounts, we make the same changes in Cloud. These changes include adding a new account and editing or deleting an added account. In v2.0, whenever a change happened on your device, we removed the secrets in Cloud and replaced them with the secrets on your device, i.e., a complete replacement. In some scenarios, this practice led to loss of data from devices. Ideally, CRUD (Create, Read, Update, Delete) operations should be followed. For example, if you add a new account, only this addition should be reflected in Cloud, and the other existing secrets should not be completely replaced. The same goes for every kind of change.

To address these drawbacks, in version 3.0, we've made changes and improved our encryption and sync process.

The enhancements made in version 3.0

To address the concerns mentioned previously, we've made the following changes in OneAuth 3.0 to improve the encryption and sync logic.

1. Moved to AES-GCM method

To encrypt the plaintext OTP secret keys into ciphertext, we use the AES-GCM method in OneAuth 3.0. The AES-GCM mode introduces randomness into the encryption process and makes sure that no two ciphertexts are identical to one another (as opposed to AES-ECB). In addition to confidentiality, this method also guarantees the integrity and authenticity of the data in Cloud. This form of encryption is referred to as authenticated encryption.
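The difference between the two modes, as an added Node.js example that is not OneAuth's code. The key, the two 16-byte sample secrets, the 256-bit key size and the 96-bit nonce are constructed for illustration.

```javascript
// Added example: AES-ECB vs AES-GCM on constructed data (not OneAuth code).
const crypto = require('crypto');

const key = crypto.randomBytes(32);               // constructed 256-bit key
// Constructed 16-byte values, each exactly one AES block.
const secretA = Buffer.from('JBSWY3DPEHPK3PXP');
const secretB = Buffer.from('KRSXG5CTMVRXEZLU');

function ecb(ciphering, data) {
  const op = ciphering ? crypto.createCipheriv('aes-256-ecb', key, null)
                       : crypto.createDecipheriv('aes-256-ecb', key, null);
  op.setAutoPadding(false);                       // inputs are whole blocks
  return Buffer.concat([op.update(data), op.final()]);
}

// ECB is deterministic: the repeated plaintext block shows up as a
// repeated ciphertext block (blocks 0 and 2 below).
function ecbRepeats() {
  const ct = ecb(true, Buffer.concat([secretA, secretB, secretA]));
  return ct.subarray(0, 16).equals(ct.subarray(32, 48));
}

// ECB has no integrity check: stored blocks in a different order still
// decrypt without any error, so the change goes unnoticed.
function ecbReorderAccepted() {
  const ct = ecb(true, Buffer.concat([secretA, secretB]));
  const swapped = Buffer.concat([ct.subarray(16, 32), ct.subarray(0, 16)]);
  return ecb(false, swapped).equals(Buffer.concat([secretB, secretA]));
}

// GCM: a random nonce per encryption, and an authentication tag that is
// verified on decryption.
function gcmRoundTrip(plaintext, tamper) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  if (tamper) body[0] ^= 1;                       // simulate a modified stored record
  const d = crypto.createDecipheriv('aes-256-gcm', key, nonce);
  d.setAuthTag(c.getAuthTag());
  try {
    return { body, plaintext: Buffer.concat([d.update(body), d.final()]) };
  } catch {
    return { body, plaintext: null };             // tag mismatch: record rejected
  }
}
```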

2. Zero-knowledge architecture

In v3.0, we've implemented a zero-knowledge architecture, which lets us provide passphrase-based account recovery without having to store the passphrase in Cloud. Instead of encrypting and storing the passphrase in Cloud, we generate a PBKDF2 key from the passphrase and store it locally on the device temporarily. This PBKDF2 key is then used for encrypting your secret keys. Hence, only you have access to your passphrase, and not even Zoho can decipher it.

3. CRUD implementation

As stated before, when you make changes on your device, CRUD operations should be followed instead of complete replacement. We've implemented this in v3.0. This negates any possibility of data loss.

Overview of the whole encryption & decryption process

When users initiate backup

When users initiate the backup for the first time, they will need to set up a passphrase. Using this passphrase, all their OTP secret keys will be encrypted and stored in Cloud.

The encryption logic we follow during that process is detailed below:
  1. Generate two random 128-bit salts: an encryption salt and a recovery salt.
  2. Store the two generated salts in Cloud.
  3. Using the passphrase and the recovery salt, generate a key with the PBKDF2 function. This is called the recovery key.
  4. Using the passphrase and the encryption salt, generate another key with the PBKDF2 function. This is called the encryption key.
  5. Encrypt the unique ID of the user with the recovery key. AES-GCM mode is used for encryption. (The unique ID is an identifier specific to each Zoho user and used for identification.)
  6. Store the encrypted unique ID in Cloud. This will be used later when the user wants to restore their secret keys or recover their account.
  7. Encrypt the OTP secret keys of the user with the encryption key. AES-GCM mode is used for encryption.
  8. Store the encrypted secret keys in Cloud.

When users restore secrets

When a user wants to restore their OTP secret keys on a new device, they will need to enter their passphrase. Using this passphrase, their encrypted secret keys will be retrieved from Cloud and decrypted.

The decryption logic we follow during that process is detailed below:
  1. Retrieve the recovery salt from Cloud.
  2. Using the passphrase and the recovery salt, generate a key with the PBKDF2 function. This is called the recovery key.
  3. Retrieve the encrypted unique ID of the user from Cloud.
  4. Decrypt the unique ID using the recovery key. If decryption is successful, the process will continue. If not, an “Incorrect passphrase” error will be shown to the user and they will be prompted to enter the correct passphrase.
  5. Using the passphrase and the encryption salt, generate another key with the PBKDF2 function. This is called the encryption key.
  6. Retrieve the encrypted OTP secret keys from Cloud.
  7. Decrypt the secret keys using the encryption key.
  8. Restore the secret keys on the user’s device.
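
The backup and restore steps above, as an added Node.js example that is not Zoho's code. The page specifies only 128-bit salts, PBKDF2 and AES-GCM; the PBKDF2 hash and iteration count, the key and nonce sizes, the record layout and all sample values are assumptions.

```javascript
// Added example of the backup and restore steps (not Zoho's code).
const crypto = require('crypto');

// Assumptions, not stated on the page: PBKDF2-HMAC-SHA256, this iteration
// count, 256-bit keys, 96-bit GCM nonces and the record layout below.
const ITERATIONS = 600000;
const deriveKey = (passphrase, salt) =>
  crypto.pbkdf2Sync(passphrase, salt, ITERATIONS, 32, 'sha256');

function seal(key, text) {
  const nonce = crypto.randomBytes(12);           // fresh nonce for every encryption
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { nonce, body, tag: c.getAuthTag() };
}
function open(key, { nonce, body, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, nonce);
  d.setAuthTag(tag);                              // final() throws if the tag does not verify
  return Buffer.concat([d.update(body), d.final()]).toString('utf8');
}

// Backup steps 1-8. The returned record is everything that goes to Cloud:
// salts, nonces, ciphertexts and tags, but never the passphrase or a key.
function backup(passphrase, uniqueId, otpSecrets) {
  const recoverySalt = crypto.randomBytes(16);    // 128-bit
  const encryptionSalt = crypto.randomBytes(16);  // 128-bit
  const recoveryKey = deriveKey(passphrase, recoverySalt);
  const encryptionKey = deriveKey(passphrase, encryptionSalt);
  return {
    recoverySalt, encryptionSalt,
    encryptedId: seal(recoveryKey, uniqueId),
    encryptedSecrets: seal(encryptionKey, JSON.stringify(otpSecrets)),
  };
}

// Restore steps 1-8. Decrypting the unique ID is the passphrase check:
// a wrong passphrase gives a wrong recovery key, so the GCM tag fails.
function restore(passphrase, cloud) {
  try {
    open(deriveKey(passphrase, cloud.recoverySalt), cloud.encryptedId);
  } catch {
    return { ok: false, error: 'Incorrect passphrase' };
  }
  const encryptionKey = deriveKey(passphrase, cloud.encryptionSalt);
  return { ok: true, secrets: JSON.parse(open(encryptionKey, cloud.encryptedSecrets)) };
}

// Constructed sample data.
const cloud = backup('correct horse battery staple', 'user-0001',
  { 'example.com': 'JBSWY3DPEHPK3PXP' });
```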
