We take the responsibility of securing passwords, including one-time passwords (OTPs), very seriously. Below are several key points on our architecture:
Passwords are encrypted with AES-256, and a unique AES key is generated for each encrypted password.
RSA encryption is then used to encrypt the AES key used in the AES-256 password encryption with a 2048-bit RSA key pair. The RSA key pair is then encrypted with a secure RSA key passphrase and stored in an isolated key management system that is locked down to only allow access from our application servers as required for decryption.
The decryption process takes place server-side; however, the private key passphrase (and the private keys themselves) are not stored in the database. The private keys are stored in a secured bucket that is only accessible via the servers used for decryption. Encryption is a two-step process: each password is salted and encrypted via AES-256, and the encryption key for each password is further encrypted using the public/private key pair for the account (with the private key also protected by a separate passphrase that is not stored in the DB).
Decrypted password data is never written to disk.
To decrypt the data, an attacker would need to compromise every element of our encryption process, which makes this very difficult. In addition, the web servers for our application are locked down with multiple firewalls, whitelisting of incoming and outgoing traffic, key-based access, and many other measures.
When a user needs to access a password, the decryption key that is stored in the isolated key management system and the encrypted password that is stored in the database are both sent to the IT Glue application to be processed. Then, it is sent to the user's browser securely through HTTPS for consumption.
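The two-layer scheme described above (a unique AES-256 data key per password, wrapped with the account's RSA-2048 key, with the plaintext data key never persisted) is a standard envelope-encryption pattern. The following Go program is an added example, not IT Glue's code: it uses only the Go standard library, picks AES-256-GCM as the authenticated mode and RSA-OAEP for key wrapping (the page does not name the modes), and leaves out the passphrase protection of the private key. The type and function names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EnvelopedSecret is one stored password record. The names are constructed for
// this example: it holds the AES-256-GCM ciphertext of the password and the
// RSA-OAEP-wrapped copy of the per-record data key, never the data key itself.
type EnvelopedSecret struct {
	Nonce      []byte // 96-bit GCM nonce, fresh for every encryption
	Ciphertext []byte // AES-256-GCM output, authentication tag appended
	WrappedKey []byte // 32-byte data key encrypted to the account's RSA-2048 public key
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt generates a unique 256-bit data key for this password, encrypts the
// password under it, then wraps the data key with the account's public key.
func Encrypt(pub *rsa.PublicKey, password []byte) (*EnvelopedSecret, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, password, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	// The plaintext data key is not persisted anywhere; zero it before returning.
	for i := range dataKey {
		dataKey[i] = 0
	}
	return &EnvelopedSecret{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// Decrypt unwraps the data key with the private key and opens the ciphertext.
// A wrong private key or a modified record fails closed instead of returning garbage.
func Decrypt(priv *rsa.PrivateKey, s *EnvelopedSecret) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("unwrap failed: wrong private key or corrupted record")
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("authentication failed: ciphertext or nonce was modified")
	}
	return plaintext, nil
}

func main() {
	// Constructed demo: one account key pair, one stored password.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	rec, err := Encrypt(&priv.PublicKey, []byte("example-password-not-real"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %d-byte ciphertext, %d-byte wrapped key\n", len(rec.Ciphertext), len(rec.WrappedKey))
	pt, err := Decrypt(priv, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", pt)
	rec.Ciphertext[0] ^= 0x01 // simulate tampering with the stored record
	_, err = Decrypt(priv, rec)
	fmt.Println("tampered record:", err)
}
```

The point of the split is that the database only ever holds ciphertext and wrapped keys, so a database-only compromise yields nothing without the private key held elsewhere, and the authenticated mode means a modified record is rejected rather than decrypted to attacker-chosen bytes.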
Access to the entire IT Glue app is limited to strong SSL encryption over HTTPS to reduce any opportunity for attacks through active connections.
Access to passwords can be controlled at a granular level by limiting access to any combination of users and groups.
All password changes are version-controlled and immutable with full roll-back capabilities.
Revealed passwords only remain visible for a short time with each reveal resulting in an audit trail entry.
A strong random password generator is provided by default (32-character default length).
In addition to password encryption in transit and at rest, we also operate a SOC 2 security assurance program.
With optional multi-factor authentication (MFA) enabled, users cannot log in to the app and view any passwords without their username, password, and virtual appliance, thereby securing MFA-enabled IT Glue IDs.
Once you use a third-party authentication application to generate a secret key, you can safely store your new OTP code in IT Glue or MyGlue. One-time passwords offer protection against replay attacks, weak password composition, and easily guessable passwords. Also, they greatly help mitigate risk in the case that you are sharing credentials on multiple accounts and systems.
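The MFA and OTP paragraphs above rest on time-based one-time passwords: the authenticator app and the server share a secret, each derives the current code from that secret and the current 30-second time step, and a code that has already been accepted is useless to anyone who captured it. The Go program below is an added example, not IT Glue's or MyGlue's code: it implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library, and the `Verifier` type (a constructed name) shows the server-side replay check by remembering the last time step each account used. The secret is the RFC 6238 test-vector secret, not a real one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

const (
	totpStep   = 30 // seconds per time step (RFC 6238 default)
	totpDigits = 6
)

// hotp computes an RFC 4226 HOTP-SHA1 code for one counter value.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation: low nibble picks the window
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < totpDigits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", totpDigits, code%mod)
}

// TOTP derives the code for a Unix time by turning it into a 30-second step counter.
func TOTP(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/totpStep))
}

// Verifier is the server side. It tolerates one step of clock skew either way but
// records the highest step each account has successfully used, so a code that was
// captured in transit cannot be submitted a second time.
type Verifier struct {
	mu       sync.Mutex
	lastStep map[string]int64
}

func NewVerifier() *Verifier { return &Verifier{lastStep: map[string]int64{}} }

// Verify accepts a code once for steps now-1, now, now+1 and rejects any step
// at or below the last step this account already consumed.
func (v *Verifier) Verify(account string, secret []byte, code string, now int64) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	cur := now / totpStep
	used, seen := v.lastStep[account]
	for step := cur - 1; step <= cur+1; step++ {
		if step < 0 || (seen && step <= used) {
			continue // this step was already consumed: replay rejected
		}
		if hmac.Equal([]byte(hotp(secret, uint64(step))), []byte(code)) {
			v.lastStep[account] = step
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector secret, not a real one
	now := time.Now().Unix()
	v := NewVerifier()
	code := TOTP(secret, now)
	fmt.Println("first use accepted:", v.Verify("alice", secret, code, now))
	fmt.Println("replay accepted:   ", v.Verify("alice", secret, code, now))
}
```

The comparison uses `hmac.Equal` rather than `==` so that timing does not leak how many digits matched, and the skew window is kept to one step so a leaked code expires within about a minute even on a server with slightly drifted clocks.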
If the IT Glue administrator has set up a Password Access Workflow, specific actions detailed in our KB article here will trigger a notification. This allows administrators to know immediately when highly sensitive passwords are accessed and reduces the time gap between a potential compromise/exposure and a subsequent audit performed by the administrator.