You’ve likely heard about systems being compromised, allowing malicious actors to obtain usernames, passwords, and other sensitive data. For example, 3 billion Yahoo user accounts were compromised in 2014, the vast majority of which included passwords. Sensitive information for 150 million users of Under Armour’s MyFitnessPal application was exposed in 2018, including usernames, email addresses, and passwords for many accounts.
This blog post briefly explains how the robust cloud security technology we use makes it impossible to have your password exposed…because we don’t know what your password is.
The very first step of logging into your Ondema Workspace is to change your password. When you create a new password, software running in your browser derives a cryptographic value called a verifier from it, and only that verifier is stored on our server. We never receive the actual password you select.
When you log into your Workspace, your browser uses the Secure Remote Password (SRP) protocol. What this means is that:
- When you type your password into the browser, the browser uses your password to perform a cryptographic calculation. The result of this calculation is shared with Ondema’s authentication service without sending the actual password.
- The authentication service evaluates the result of the calculation that took place in the browser to validate that you typed in the correct password (using the verifier mentioned above). Your password is checked without ever leaving your browser.
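The registration and login flow the two bullets describe, as an added example in Python rather than code from Ondema or Cognito: an SRP-6a exchange in which the browser side computes the verifier at sign-up and the server later checks a login using only that verifier, never the password. It assumes the 1024-bit group from RFC 5054, SHA-256 throughout, and a simplified session proof M1 = H(A, B, K); the function names are my own.

```python
import hashlib, secrets
# Group: the 1024-bit safe prime and generator g=2 from RFC 5054, Appendix A
# (assumed transcribed correctly; check against the RFC before relying on it).
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g, NBYTES = 2, (N.bit_length() + 7) // 8

def H(*ints):  # SHA-256 over each integer, big-endian and padded to len(N)
    h = hashlib.sha256()
    for i in ints:
        h.update(i.to_bytes(NBYTES, "big"))
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier
def private_x(salt, username, password):  # browser-only; never transmitted
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")
def register(username, password):  # sign-up: server stores only (salt, v = g^x)
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, username, password), N)
def client_start():  # browser picks ephemeral a, sends A = g^a
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)
def server_challenge(v):  # server picks ephemeral b, sends B = k*v + g^b
    b = secrets.randbelow(N - 2) + 1
    return b, (k * v + pow(g, b, N)) % N

def client_proof(username, password, salt, a, A, B):
    # Browser: strip k*v from B, derive the shared secret S from the typed
    # password, and send proof M1 (simplified from the RFC 5054 form).
    if B % N == 0:
        raise ValueError("invalid server value B")
    u, x = H(A, B), private_x(salt, username, password)
    K = H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))
    return K, H(A, B, K)
def server_verify(v, A, b, B, M1):
    # Server: derive S from the stored verifier only; it never learns x.
    if A % N == 0:
        raise ValueError("invalid client value A")
    K = H(pow((A * pow(v, H(A, B), N)) % N, b, N))
    ok = secrets.compare_digest(H(A, B, K).to_bytes(32, "big"), M1.to_bytes(32, "big"))
    return K if ok else None

def login(username, password, salt, v):  # whole exchange; True iff keys agree
    a, A = client_start()
    b, B = server_challenge(v)
    K_client, M1 = client_proof(username, password, salt, a, A, B)
    return server_verify(v, A, b, B, M1) == K_client
```

A stolen (salt, v) pair lets an attacker run the server side of this exchange, but not the client side, because v alone does not yield x.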
SRP is one of the many benefits of the cloud, and just the beginning of what we do for authentication.
Managing secure authentication involves solving a number of complicated problems. Rather than trying to reinvent the wheel, we use Amazon Web Services (AWS) Cognito. Cognito is a leading authentication and identity solution maintained by one of the best security teams in the industry. Meanwhile, we can stay focused on constantly improving the user experience and creating features that are important to our customers.
Cognito also allows us to robustly support our enterprise customers with a variety of features including federation, two-factor authentication, custom password rules, and single-tenant directories.
While we’re on the topic of passwords, please remember that it is extremely important to use different passwords for different accounts (use a password manager for this)!
To learn more about SRP or Cognito: