OneAuth 3.0 - Enhanced encryption & sync logic of OTP secret keys | Zoho OneAuth

OneAuth 3.0: Enhanced encryption & sync logic of OTP secret keys

The need for encrypting OTP secret keys

In OneAuth, you can back up your OTP secret keys with Zoho Cloud to have them synced across all your devices and to restore them whenever needed. More about backup and sync
Info: "Secret key" refers to the alphanumeric key that is used to generate OTPs for your 2FA accounts. These keys are provided by your online account (such as Facebook, Twitter) in the form of a QR code or as plaintext.

During this backup process, we won't store your secret keys in the plaintext form. We will encrypt your secret keys using a passphrase you set and then store them in Cloud. This encryption is to make sure your secret keys are confidential and known only to you, which means neither Zoho nor any attacker can see them.

There is a second reason to protect your secret keys cryptographically: integrity and authenticity. The stored secret keys must be modifiable only by you, and any change made by an attacker must be detected. Confidentiality alone does not give you this; encryption has to be combined with authentication (authenticated encryption), which is the core of the changes described below.

The encryption/sync logic used in version 2.0 and the concerns

Following are the practices in version 2.0 that we wanted to improve in version 3.0:

1. Usage of AES-ECB method

In v2.0, we used AES in ECB mode to convert your plaintext secret keys into ciphertext (the encrypted form of the secret keys). ECB is the most rudimentary mode of operation: every 16-byte block is encrypted on its own, with no nonce and no chaining, so identical plaintext blocks always produce identical ciphertext blocks. Anyone who can see the stored ciphertext can therefore spot repeated blocks and learn which parts of the data are the same. Worse, ECB provides no authentication, so ciphertext blocks can be reordered, duplicated, dropped or swapped between records, and the result still decrypts without any error. The attacker still cannot read the secret keys without the key, but their integrity and authenticity cannot be guaranteed.

2. Encrypted passphrase in Cloud

In v2.0, we encrypted your passphrase and stored it in Zoho Cloud. When a user is unable to sign in with multi-factor authentication (MFA), they can use their passphrase to recover access to their account. During this account recovery, we checked whether the user was entering the correct passphrase by comparing it with the encrypted passphrase in Cloud. Although the stored passphrase is not readable by Zoho or an attacker (since it is encrypted), this design means the passphrase, or a value derived from it, has to be sent to the server and compared there, which exposes that exchange to a man-in-the-middle attack.

3. Control of data loss

Once backup and sync is enabled, whenever you make changes to your OTP accounts, we make the same changes in Cloud. The changes include adding a new account and editing or deleting an added account. In v2.0, whenever a change happened on your device, we removed the secrets in Cloud and replaced them with the secrets on your device, i.e., a complete replacement. In some scenarios, this practice led to loss of data from devices. Ideally, CRUD (Create, Read, Update, Delete) operations should be followed. For example, if you add a new account, only this addition should be reflected in Cloud, and the other existing secrets should not be replaced wholesale. The same goes for every kind of change.

To address these drawbacks, in version 3.0, we've made changes and improved our encryption and sync process.

The enhancements made in version 3.0

To address the concerns mentioned previously, we've made the following changes in OneAuth 3.0 to improve the encryption and sync logic.

1. Moved to AES-GCM method

To encrypt the plaintext OTP secret keys into ciphertext, OneAuth 3.0 uses AES in GCM mode. AES-GCM takes a fresh, unique nonce (initialization vector) for every encryption, so the same secret key encrypted twice, or two identical blocks within one secret, produce unrelated ciphertexts (as opposed to AES-ECB). It also computes an authentication tag over the ciphertext; decryption verifies the tag first and fails outright if even one bit of the stored data has been changed, so in addition to confidentiality this mode guarantees the integrity and authenticity of the data in Cloud. This form of encryption is referred to as authenticated encryption. One caveat that applies to every AES-GCM deployment: a nonce must never be reused under the same key, since a repeated nonce leaks the XOR of the two plaintexts and breaks the authentication.
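As an added illustration of the v2.0 concern (point 1 above) and this v3.0 fix, the following program is example code written for this page in Go with only the standard library; it is not OneAuth's implementation. On constructed data (a made-up key and two made-up 16-byte "secrets"), it shows that AES-ECB maps equal plaintext blocks to equal ciphertext blocks and decrypts a block-swapped ciphertext without complaint, while AES-GCM hides the repetition and refuses a ciphertext with a single flipped bit. Go's standard library deliberately has no ECB mode, so the ECB helper drives the raw block cipher directly.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// demoKey and the 16-byte "secrets" used below are constructed for this demo, not real material.
var demoKey = bytes.Repeat([]byte{0x42}, 32)

// ecbEncrypt runs the raw AES block function over each 16-byte block on its own, with no
// nonce and no chaining. This helper exists only to reproduce the v2.0 weakness.
// len(data) must be a multiple of 16.
func ecbEncrypt(key, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], data[i:i+aes.BlockSize])
	}
	return out
}

// ecbDecrypt is the inverse. Note that it cannot fail: there is nothing to verify.
func ecbDecrypt(key, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += aes.BlockSize {
		block.Decrypt(out[i:i+aes.BlockSize], data[i:i+aes.BlockSize])
	}
	return out
}

// gcmSeal returns nonce || ciphertext || tag under a fresh random 96-bit nonce.
func gcmSeal(key, data []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // OS CSPRNG; a nonce must never repeat under the same key
	return gcm.Seal(nonce, nonce, data, nil)
}

// gcmOpen verifies the tag before releasing any plaintext and errors on any change.
func gcmOpen(key, blob []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// ECBLeaksEqualBlocks: the same plaintext block always yields the same ciphertext block.
func ECBLeaksEqualBlocks() bool {
	ct := ecbEncrypt(demoKey, bytes.Repeat([]byte("JBSWY3DPEHPK3PXP"), 2))
	return bytes.Equal(ct[:16], ct[16:])
}

// ECBSwapGoesUnnoticed: exchanging two ciphertext blocks decrypts to the two accounts'
// secrets swapped, and nothing reports an error.
func ECBSwapGoesUnnoticed() (string, bool) {
	ct := ecbEncrypt(demoKey, []byte("ACCOUNT-A-SECRET"+"ACCOUNT-B-SECRET"))
	swapped := append(append([]byte{}, ct[16:]...), ct[:16]...)
	pt := string(ecbDecrypt(demoKey, swapped))
	return pt, pt == "ACCOUNT-B-SECRETACCOUNT-A-SECRET"
}

// GCMHidesEqualBlocks: equal plaintext blocks give unequal ciphertext blocks, and sealing
// the same data twice gives two unrelated blobs.
func GCMHidesEqualBlocks() bool {
	pt := bytes.Repeat([]byte("JBSWY3DPEHPK3PXP"), 2)
	a := gcmSeal(demoKey, pt)
	ct := a[12 : len(a)-16] // strip the 12-byte nonce and the 16-byte tag
	return !bytes.Equal(ct[:16], ct[16:]) && !bytes.Equal(a, gcmSeal(demoKey, pt))
}

// GCMRejectsTampering: flipping one bit anywhere in the blob makes decryption fail.
func GCMRejectsTampering() bool {
	blob := gcmSeal(demoKey, []byte("ACCOUNT-A-SECRET"))
	blob[len(blob)/2] ^= 0x01 // a byte inside the ciphertext
	_, err := gcmOpen(demoKey, blob)
	return err != nil
}

func main() {
	pt, _ := ECBSwapGoesUnnoticed()
	fmt.Println("ECB repeats blocks:", ECBLeaksEqualBlocks(), "| plaintext after block swap:", pt)
	fmt.Println("GCM hides repeats:", GCMHidesEqualBlocks(), "| rejects tampering:", GCMRejectsTampering())
}
```

Run it with `go run`. The result to look at is `ECBSwapGoesUnnoticed`: decryption returns the two accounts' secrets exchanged and nothing signals an error, which is exactly the integrity failure described above; with GCM the same edit is caught before any plaintext is released.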

2. Zero-knowledge architecture

In v3.0, we have implemented a zero-knowledge architecture, which lets us provide passphrase-based account recovery without storing the passphrase in Cloud. Instead of encrypting and storing the passphrase, we derive a key from it with PBKDF2 (a salted, iterated key derivation function) and keep that key only on the device, temporarily. This PBKDF2 key is then used to encrypt your secret keys. Cloud holds only the salts and the ciphertext, so only you know your passphrase, and not even Zoho can recover it. The corollary is that the backup is exactly as strong as the passphrase: PBKDF2 slows down guessing but cannot rescue a short or common passphrase, and a forgotten passphrase cannot be recovered by Zoho.

3. CRUD implementation

As stated before, when you make changes on your device, CRUD operations should be followed instead of a complete replacement. We have implemented this in v3.0: an addition, edit or deletion is applied to Cloud as that single operation, and the other stored secrets are never rewritten. This removes the data loss that whole-set replacement caused.

Overview of the whole encryption & decryption process

When users initiate backup

When users initiate the backup for the first time, they will need to set up a passphrase. Using this passphrase, all their OTP secret keys will be encrypted and stored in Cloud.

The encryption logic we follow during that process is detailed below:
  1. Generate two random 128-bit salts: an encryption salt and a recovery salt.
  2. Store the two generated salts in Cloud.
  3. Using the passphrase and the recovery salt, generate a key with the PBKDF2 function. This is called the recovery key.
  4. Using the passphrase and the encryption salt, generate another key with the PBKDF2 function. This is called the encryption key.
  5. Encrypt the unique ID of the user with the recovery key, using AES-GCM. (The unique ID is an identifier specific to each Zoho user and used for identification.) Because AES-GCM is authenticated, this ciphertext later decrypts successfully only under the key derived from the correct passphrase, which is what makes it possible to verify the passphrase without ever storing it.
  6. Store the encrypted unique ID in Cloud. This will be used later when user wants to restore their secret keys or recover their account.
  7. Encrypt the OTP secret keys of the user with the encryption key. AES-GCM mode is used for encryption.
  8. Store the encrypted secret keys in Cloud.

When users restore secrets

When a user wants to restore their OTP secret keys on a new device, they will need to enter their passphrase. Using this passphrase, their encrypted secret keys will be retrieved from Cloud and decrypted.

The decryption logic we follow during that process is detailed below:
  1. Retrieve the recovery salt from Cloud.
  2. Using the passphrase and the recovery salt, generate a key with the PBKDF2 function. This is called the recovery key.
  3. Retrieve the encrypted unique ID of the user from Cloud.
  4. Decrypt the unique ID using the recovery key. If decryption (that is, the AES-GCM tag check) succeeds, the process continues. If not, an "Incorrect passphrase" error is shown and the user is prompted to enter the correct passphrase.
  5. Retrieve the encryption salt from Cloud and, using the passphrase and the encryption salt, generate another key with the PBKDF2 function. This is called the encryption key.
  6. Retrieve the encrypted OTP secret keys from Cloud.
  7. Decrypt the secret keys using the encryption key.
  8. Restore the secret keys on user’s device.
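The two procedures above, together with the CRUD-style sync from the enhancements section, as one worked example. This is code written for this page in Go with only the standard library, not OneAuth's implementation. The page gives the salt size and the algorithm names; everything else is my assumption or constructed data: AES-256 keys, HMAC-SHA-256 as the PBKDF2 pseudorandom function, the iteration count, the nonce || ciphertext || tag layout of each blob, binding the account name into the GCM associated data so a blob cannot be moved between accounts, and the sample passphrase, user ID and secrets.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// 128-bit salts as on the page; the PBKDF2 round count is my assumption (OWASP currently suggests 600,000).
const saltLen, iterations = 16, 100000

type Backup struct { // everything that reaches Cloud: salts and AES-GCM blobs, never the passphrase
	EncSalt, RecSalt []byte
	EncUserID        []byte            // user ID sealed under the recovery key
	Secrets          map[string][]byte // account name -> sealed OTP secret key
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA-256, written out so only the standard library is
// needed. One 32-byte block (index 1) is exactly an AES-256 key; longer outputs would append blocks 2, 3, ...
func pbkdf2SHA256(passphrase, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian block index
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // OS CSPRNG; Go 1.24+ documents that this never returns an error
	return b
}

// seal returns nonce || ciphertext || tag under a fresh random 96-bit nonce, with the slot label as associated data (my addition).
func seal(key, plaintext []byte, label string) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, []byte(label))
}

// open reverses seal; any change to nonce, ciphertext, tag or label is rejected.
func open(key, blob []byte, label string) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(label))
}

// CreateBackup is the first-time setup: two salts, the recovery key, the sealed user ID.
func CreateBackup(passphrase, userID string) *Backup {
	b := &Backup{EncSalt: randomBytes(saltLen), RecSalt: randomBytes(saltLen), Secrets: map[string][]byte{}}
	b.EncUserID = seal(pbkdf2SHA256([]byte(passphrase), b.RecSalt, iterations), []byte(userID), "uid")
	return b
}

// UpsertSecret is the CRUD-style sync: only the changed account is sealed and written.
func UpsertSecret(passphrase string, b *Backup, name, secret string) {
	b.Secrets[name] = seal(pbkdf2SHA256([]byte(passphrase), b.EncSalt, iterations), []byte(secret), name)
}

// RestoreBackup checks the passphrase through the recovery value first, then decrypts.
func RestoreBackup(passphrase string, b *Backup) (map[string]string, error) {
	if _, err := open(pbkdf2SHA256([]byte(passphrase), b.RecSalt, iterations), b.EncUserID, "uid"); err != nil {
		return nil, errors.New("incorrect passphrase")
	}
	encryptionKey := pbkdf2SHA256([]byte(passphrase), b.EncSalt, iterations)
	out := map[string]string{}
	for name, blob := range b.Secrets {
		pt, err := open(encryptionKey, blob, name)
		if err != nil {
			return nil, fmt.Errorf("secret for %q failed authentication: %w", name, err)
		}
		out[name] = string(pt)
	}
	return out, nil
}

func main() {
	pass := "correct horse battery staple" // constructed sample data, not a real account
	b := CreateBackup(pass, "user-12345")
	UpsertSecret(pass, b, "example.com", "JBSWY3DPEHPK3PXP")
	fmt.Println(RestoreBackup(pass, b))
}
```

Two design points worth noting. The recovery check costs the server nothing and reveals nothing: a wrong passphrase simply fails the AES-GCM tag check on the sealed user ID, so no passphrase or hash ever has to be compared on the server side. And because every account is sealed as its own blob, a change to one account touches one entry in Cloud, which is the CRUD behaviour the enhancements section calls for.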
