Fejoa: The Portable Privacy-Preserving Cloud

FejoaAuth: Single Password Authentication and Secure Password Management (Dev Release)

May 17, 2018    Blog Post

I’m happy to announce the first release of FejoaAuth. After developing a first working version of FejoaAuth it’s now about time to get feedback, find bugs or even get new developers on board.

What is FejoaAuth?

FejoaAuth combines secure password-based authentication and password-encrypted data storage to provide a true one-password solution for privacy-preserving cloud storage. Unlike other password-based authentication methods, FejoaAuth does not reveal the user's password to the remote server during the authentication process. This means that users can reuse their authentication password for other purposes, such as data encryption. FejoaAuth makes use of this nice property and integrates a password-encrypted password manager that can be stored locally or at a FejoaAuth storage provider. More information on how it works can be found here.

Features:

  • Secure password-based authentication
  • Passwords are not leaked to the authentication server during authentication
  • Authentication passwords can be reused for password-protected cloud storage
  • Local or cloud-based password manager; all with a single password

Get in touch on riot.im or by email.

How to try it?

FejoaAuth requires a browser addon to perform secure registration and authentication at a FejoaAuth provider. Authentication through an ordinary web page is not possible, since a provider could easily manipulate the page and read out the password.

After installing the addon in Chrome or Firefox you will find two tabs: a FejoaAuth tab for registration and authentication, and a Password Manager tab for the password manager. Authentication can be tested on pages that support FejoaAuth, e.g. fejoa.org. On all other pages the authentication tab is disabled and the addon displays only the Password Manager tab.

Registration

When registering at fejoa.org using the FejoaAuth browser addon, you need to provide a valid email address. To do so, go to Account and follow the instructions to finalize the registration.

Note that in the future this email registration might be replaced or dropped completely. It was mainly developed to show how FejoaAuth can integrate user verification during the registration, e.g. to prevent automatic registrations.

Password Manager

To use the password manager, a local account needs to be created. Once an account is open, it can be used to store and fill web form passwords. To back up the password manager in the cloud, you need to be authenticated at a FejoaAuth provider (see above). After adding a remote, e.g. fejoa.org, to the account, the account data can be synchronized with the remote server.

An existing account at a remote can also be downloaded into the browser. Use the “Retrieve Account” menu to do so. Here the local account name needs to be specified, i.e. how the account should be identified locally. Moreover, for the retrieval process the account decryption password is required.

Warning: at this stage we can’t guarantee storage reliability and retain the right to delete your remote testing account (obviously we would try to avoid that).

