A good security system should be an open book. That is, as a security provider, we should be able to give anyone the details of how we store and encrypt our users’ data, and the system should still remain secure. The reason is that if the information we hold allowed us to access your data, someone else would eventually work out how the system was engineered and gain the same access. Instead, we architected the system so that even we have no way to access your data.
Main points of interest
- Encrypted from End to End: Every time you use mSecure, your data is encrypted before a single byte ever leaves your devices. Your encryption keys are protected by your Account Password, so only you have the keys to unlock your secrets.
- Protection: Our security recipe starts with AES-256 encryption and uses multiple techniques to protect your data at rest and in transit.
- Account Password: Not just the password you use to unlock the app, it also plays a key role in encryption. Only you know your Account Password.
- Account Key: Also a star player in key derivation, this random 46-character key is generated locally on your device. Only you have your Account Key.
- TLS encryption: All communication is done with TLS/SSL encryption.
- Account Key, a form of Two Factor: Security professionals recommend using multiple authentication factors: “something you know”, like your password, and “something you have”, like an authenticator app on your phone. The Account Key takes this idea to the next level. It doesn’t just authenticate you with our servers; it also plays a direct role in encrypting your data. That’s important, because it strengthens your Account Password exponentially. And since it never gets sent to us, your Account Key can’t be reset, intercepted, or evaded.
Many people are concerned, and rightly so, that if big companies suffer security breaches, mSeven can hardly be any different. The fact is, the problem we are solving is very different from the one typical websites face. Most websites need access to the information in your account. For example, when you make a purchase with an online retailer, they need to know your credit card information in order to charge you. When you use your bank, they need to know how much money you have in your accounts and what transactions you’ve made.
With mSecure, we never need access to any of your information. Instead, we just need to store it away for you and provide you with a secure means to retrieve it. When you sign up for an account, we generate an extremely secure password on your behalf, locally on your device. We call this password an account key. It is 46 characters in length and includes both letters and symbols. This account key is the encryption key needed to access your information.
Password length and entropy
Let’s first talk about what a 46-character password means. If a hacker were to somehow get hold of our cloud database and, for the sake of this example, had access to a million-dollar computer system that can process 360 billion different passwords a second, it would take approximately 1.5 * 10^49 years to get through all of the password combinations for one account. That is, it would take 150,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years. To put this into perspective, it’s generally accepted that the universe is 13,800,000,000 years old. However, the supercomputer would not need to go through all of the possible password combinations. On average, it would find any given password in half that time. It might find your password a bit sooner or a bit later, but the odds of it finding your password within the next billion years are extremely low, and you’d have to be pretty unlucky for even that to happen.
So how does the system work then? As mentioned, when you first sign up for an mSecure account, or sign in to one for the first time, mSecure on your device generates the highly secure password described above, which we call an “Account Key.” mSecure then takes a known piece of text (it doesn’t really matter what the text is, but it happens to be a copyright notice) and encrypts it with your account key. The encrypted text is then stored in your mSecure account on our system.
To be clear, this is not the account key itself; it’s a known piece of text that has been encrypted with the account key. We then encrypt the account key with your account password – the password you use to unlock the app – and store it in the mSecure database locally on your device. We then send you an “IMPORTANT: mSecure Account QR Code” or “mSecure Authentication” email that contains your encrypted account key, which is required to authenticate you as the owner of your account. The encrypted account key is displayed in the form of a QR code image and in text form in the email.
Once signed in, when you unlock mSecure on your device, mSecure reads the encrypted account key out of your local database and decrypts the account key with your account password. This is why you don’t need to use the QR code each time you launch mSecure.
When you want to install and use mSecure on a new device, we require you to sign in with your email and account password, and then ask you for the QR code (if none of the automated authentication options works or none is set up). mSecure reads the encrypted account key from the QR code, or from the encrypted account key text available via email, and decrypts it with your account password. It then downloads the known piece of text mentioned earlier from your mSecure account and attempts to decrypt it with the account key. If the decryption is successful, mSecure authenticates you locally on your device.
After being authenticated, mSecure downloads the rest of your data, which is also encrypted with your account key, from your sync method of choice (additional sync setup might be required). Once the data is downloaded, it can finally be decrypted with the account key locally on your device and saved locally.
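The sign-up and new-device sign-in flow described above, modelled as an added Python example (this is not mSeven’s code): the server record holds only the encrypted notice, the QR code holds only the Account Key wrapped under the Account Password, and a wrong password or a QR code belonging to another account fails before any data is fetched. The key alphabet, the notice text, the PBKDF2 parameters and the HMAC-based stand-in for AES-256 are all assumptions, since the article specifies none of them.

```python
import hashlib
import hmac
import secrets
import string

# Constructed stand-ins: the article gives no alphabet, notice text, KDF or cipher mode.
KEY_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
KNOWN_TEXT = b"Copyright (c) mSeven Software LLC. All rights reserved."

def new_account_key(length=46):  # drawn on the device from the OS CSPRNG; never leaves it
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, b"\x00" + nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Stand-in for AES-256 (stdlib has no AES): HMAC-CTR keystream + encrypt-then-MAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"\x01" + nonce + ct, "sha256").digest()

def open_sealed(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"\x01" + nonce + ct, "sha256").digest()):
        return None  # tag mismatch: wrong key or tampered blob, nothing is decrypted
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

def key_from_password(password, salt):  # low-entropy input, so stretch it (rounds assumed)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=32)

def key_from_account_key(account_key):  # 46 random chars: hashing to 256 bits is enough
    return hashlib.sha256(account_key.encode()).digest()

def sign_up(account_password):
    """Device side: server gets only the encrypted notice, QR/email only the wrapped key."""
    account_key, salt = new_account_key(), secrets.token_bytes(16)
    server_record = {"verifier": seal(key_from_account_key(account_key), KNOWN_TEXT)}
    qr_payload = {"salt": salt, "wrapped_key": seal(key_from_password(account_password, salt), account_key.encode())}
    return account_key, server_record, qr_payload

def sign_in_new_device(account_password, qr_payload, server_record):
    # Unwrap the Account Key with the password, then prove it against the server's verifier.
    raw = open_sealed(key_from_password(account_password, qr_payload["salt"]), qr_payload["wrapped_key"])
    if raw is None:
        return None  # wrong Account Password: the QR code alone reveals nothing
    account_key = raw.decode()
    if open_sealed(key_from_account_key(account_key), server_record["verifier"]) != KNOWN_TEXT:
        return None  # the key does not belong to this account
    return account_key
```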
To be sure, keeping your data secure is a complex process, but the most important point is this: Your information is never in a readable/decrypted state outside of the mSecure app running locally on your device.