Super PIN Functionality¶
The Super PIN functionality is required for local encryption and makes it possible to recover access to a user account if the password is lost. The full Super PIN functionality is available to the TeamDrive client version 4.7.0 or later.
Without the Super PIN, a user can “reset” their password if they forget it, however this results in losing access to the space keys in the Key Repository stored on the Registration Server. This is because the keys in the Key Repository are encrypted using the user’s password. As a result, without the Super PIN, users must ensure that they have a local backup of their space keys.
If local encryption has been enabled by the Provider, then Super PIN functionality
can be enabled by the user in the TeamDrive client by enabling local encryption.
This is done by adding the setting allow-local-encryption=true
to the CLIENT_SETTINGS
.
Alternatively, the account manager can require all members of the account to activate the Super PIN, or the manager can require Local encryption for certain user installations. Once activated, the user will be prompted to export their Super PIN recovery data, and store it in a secure place.
This includes the Super PIN itself, which is a character sequence of the form:
AAAAAA-AAAAAA-AAAAAA-AAAAAA-AAAAAA-AAAAAA-AAAAAA-AAAAAA-AAAAAA
and a QR-Code which contains a “Recovery URL”, that can be used to generate a “Recovery Code” for the user account. If the user has the Super PIN, it can be used anywhere in place of the user’s password. Alternatively, upon accessing the Recovery URL the Registration Server will send a Recovery Code via email. The Recovery Code can then be used to login to the user’s account.
Once the Super PIN has been activated, the user can no longer change their password without first authenticating themselves by either entering their current password, the Super PIN, or a Recovery Code. As a result, if a user looses both their password, and their Super PIN recovery data, they have lost access to their user account, unless the user’s Super PIN has been stored in the Super PIN Repository (see below).
The Super PIN can be reset by an account manager but this means that the user will use access to the space key in the Key Repository. Users will also be enable to access any installation that use local encryption.
External Authentication¶
If an user account uses external authentication (for example, an LDAP server or Active Directory), then the Super PIN is still used for local encryption, however, the Super PIN or Recovery Code cannot be used in place of the password in order to login.
This is also not required because the manager of the external authentication service can change the user’s password, or allow a password change without losing access to the space keys in the Key Repository on the Registration Server.
Account Super PIN Settings¶
The Super PIN settings for all accounts under your control can be changed on the edit account page in the “Security and Keys” settings box.
Here you will also see the current values for the Super PIN settings of your account, which allow you to:
- require local encryption for Web and Desktop installations,
- require members to activate the Super PIN,
- enable the Super PIN Repository,
- view the change history for Super PIN Settings.
The Super PIN status for each user can be found on the Edit User page in the “User Data” settings box. Here it is also possible to enable the Super PIN for users individually. In addition the User Devices list indicates if an installation is using local encryption.
Local Encryption¶
TeamDrive local encryption can be enabled for Web access and for Desktop installations. Mobile installations do not require TeamDrive local encryption as these installations can be encrypted and protected by the functionality provided by the mobile device if required.
Local encryption protects all security sensitive data stored by a so-called TeamDrive “endpoint”. An endpoint is wherever the data that is stored and transported securely by TeamDrive can be accessed.
In addition, local encryption also encrypts user data that is cached by the endpoint. This means that if data is accessed “virtually” as is done when using the TeamDrive Web client, or when using the FUSE virtual file system on desktop installations, then all user data remains encrypted on the endpoint.
In order to access an encrypted installation the user must login or provide other credentials when TeamDrive is started. As an alternative to login with password, on desktop installations, users can activate “Application Protection”. In this case users setup a 6 digit PIN which will be required on startup in order to unlock the installation.
Requiring Super PIN Activation¶
The Super PIN is automatically activated when the user enables local encryption of their TeamDrive client installation, or if local encryption is required for web access to spaces, and the user logs into a Web Portal.
Local encryption provides additional security by encrypting user data in a local device installation in addition to the standard TeamDrive end-to-end encryption. Local encryption requires the Super PIN because the local data is encrypted using the Super PIN. In order to provide access to a space via the browser, a Web Portal creates a virtual device (endpoint) in the form of a container for the user. If local encryption is enabled then all data in the container is encrypted, which provides additional security in the case that Web Portal is the target of a cyber attack.
Besides local encryption, activating the Super PIN provides extra protection against password loss and against losing access to space keys stored in the Registration Server Key Repository. In addition, by enabling the Super PIN Repository managers are able to help users that loose access to their user account (see below).
In order to ensure the extra security, you can require users of your account to enable the Super PIN functionality
Super PIN Repository¶
The Super PIN Repository stores the Super PIN recovery data of all users of an account.
When enabled you can use the recovery data stored in the repository to send a user of the account a “once-off” Recovery Code via email. The user can use the Recovery Code in place of a password to login to their user account.
When the Super PIN Repository is enabled users will be requred to upload their recovery data. For this purpose they will be prompted to login. If the are using the Web Portal, then the recovery data will be uploaded automatically after login.
When you enable the Super PIN Repository you will be required to create a “Master Password” which must be at least 20 characters long. This password can only be changed by first disabling the Super PIN Repository, which will delete the recovery data stored in the repository.
Store the master password in a safe place, and make it only avalable to trusted managers of the account. In order to send a Recovery Code to a user, you will be required to enter the master password.
Recovering from Lost Password¶
A manager can help users that have lost their password, if the Super PIN Repository has been activated.
In the Admin Console, go to the User Edit page, of the user that has lost their password. In the “User Data” section you will find Super PIN status of the user.
If the user’s recovery data is stored in the Super PIN Repository it will be indicated here. In this case, the “Send Recovery Code” button will be enabled.
Click this button to send the user a Recovery Code which they can be used to login, and access the Registration Server Space Key Repository. You will be required to enter then Master Password in order to do this.
If this button is not enabled, then the user’s recovery data has not been uploaded to the Super PIN repository. This may happen if the user has not logged-in to a TeamDrive client, since the Super PIN Repository was activated.