Super PIN Functionality

The Super PIN functionality makes it possible to recover access to a user account if the password is lost. The full Super PIN functionality is available in TeamDrive client version 4.6.9 or later.

Without the Super PIN, a user can “reset” their password if they forget it; however, this results in losing access to the Space Key Repository. This is because the Key Repository stored on the Registration Server is encrypted using the user’s password.

As a result, without the Super PIN, users must ensure that they have a local backup of their space keys. The Super PIN functionality must be enabled by the user in the TeamDrive client. This can be done manually by enabling local encryption or by using a Web Portal that uses local encryption. In this case the Super PIN is activated automatically.

Once activated, the user will be required to export their Super PIN recovery data, and store it in a secure place. This includes the Super PIN itself, which is a character sequence of the form:

AAAAAA-AAAAAA-AAAAAA-AAAAAA-AAAAAA-AAAAAA-AAAAAA-AAAAAA-AAAAAA

and a QR code that contains a “Recovery URL”, which can be used to generate a “Recovery Code” for the user account. If the user has the Super PIN, it can be used anywhere in place of the user’s password. Alternatively, upon accessing the Recovery URL, the Registration Server will send a Recovery Code via email. The Recovery Code can then be used to log in to the user’s account.

Once the Super PIN has been activated, the user can no longer change their password without first authenticating themselves by entering either their current password, the Super PIN, or a Recovery Code. As a result, if a user loses both their password and their Super PIN recovery data, they have lost access to their user account, unless the user’s Super PIN has been stored in the Super PIN Repository (see below).

External Authentication

If a user account uses external authentication (for example, an LDAP server or Active Directory), then the Super PIN is still used for local encryption. However, the Super PIN or Recovery Code cannot be used in place of the password in order to log in.

This is also not required because the manager of the external authentication service can change the user’s password, or allow a password change, without losing access to the Space Key Repository on the Registration Server.

Account Super PIN Settings

The Super PIN settings for all accounts under your control can be changed on the edit account page under the “Extended Settings” section in the “Master Data” setting box.

Here you will also see the current values for the Super PIN settings of your account, which include:

  • Whether the Super PIN is currently required for account users.
  • Whether the Super PIN Repository is activated.
  • The change history for the Super PIN settings.

Requiring Super PIN Activation

The Super PIN is automatically activated when the user enables local encryption of their TeamDrive client installation, or if a user logs into a Web Portal using encryption.

Local encryption provides additional security by encrypting user data in a local device installation in addition to the standard TeamDrive end-to-end encryption. Local encryption requires the Super PIN because the local data is encrypted using the Super PIN. The Web Portal uses local encryption automatically to protect user data in the container that serves as an end-point for the Web.

However, it makes sense to activate the Super PIN even when local encryption is not being used, as this provides extra protection against losing account access and, in particular, against losing space keys (as described above). This is especially the case when the Super PIN Repository is enabled (see below).

In order to ensure the extra security, you can require users of your account to enable the Super PIN functionality.

Super PIN Repository

The Super PIN Repository stores the Super PIN recovery data of all users of an account.

When enabled, you can use the recovery data stored in the repository to send a user of the account a “once-off” Recovery Code via email. The user can use the Recovery Code in place of a password to log in to their user account.

When the Super PIN Repository is enabled, users will be required to upload their recovery data. For this purpose they will be prompted to log in. If they are using the Web Portal, then the recovery data will be uploaded automatically after login.

When you enable the Super PIN Repository, you will be required to create a “Master Password”, which must be at least 20 characters long. This password can only be changed by first disabling the Super PIN Repository, which will delete the recovery data stored in the repository.

Store the Master Password in a safe place, and make it available only to trusted managers of the account. In order to send a Recovery Code to a user, you will be required to enter the Master Password.

Recovering from Lost Password

A manager can help users who have lost their password if the Super PIN Repository has been activated.

In the Admin Console, go to the User Edit page of the user who has lost their password. In the “User Data” section you will find the Super PIN status of the user.

If the user’s recovery data is stored in the Super PIN Repository, it will be indicated here. In this case, the “Send Recovery Code” button will be enabled.

Click this button to send the user a Recovery Code which they can use to log in and/or access the Registration Server Space Key Repository. You will be required to enter the Master Password in order to do this.

If this button is not enabled, then the user’s recovery data has not been uploaded to the Super PIN Repository. This is possible if the user has not logged in to a TeamDrive client since the Super PIN Repository was activated.