
Security

Files, data, and accounts are some of a company's most valuable - and therefore most wanted - assets. Securing them requires a lot of attention, responsibility, and effort from users in organizations embracing SaaS and mobile applications. As a result, these assets are poorly protected. Even assessing the actual security level is usually out of reach, especially when your organization uses collaboration, communications, and cloud storage tools where multiple, ever-changing groups of users have access.


zipLogin provides a security overview for your organization and makes sure that users no longer bear the security effort. To do this, we've gone beyond the state of the art. There's no equivalent.


1. No one but users has access to their passwords

The zipLogin Cloud stores and synchronizes credentials (passwords) only in encrypted form. Encryption keys are not contained in, handled by, or even accessible to the zipLogin Cloud or its administrators. To sign in to a service, a user needs their encryption key to decrypt the credentials stored by zipLogin. For this, we use an external, certified, and independent key management service provided by inWebo. That service is used both to authenticate users to their zipLogin vault and to provide encryption keys to authenticated users. inWebo uses FIPS 140-2 Level 3 certified cryptographic equipment to protect encryption keys. The user encryption key is not kept in the vault client, even when a user is logged in to the vault, so that malware targeting the client cannot steal the key.


2. Built-in strong authentication

zipLogin implements built-in 2-factor authentication. This means that access to the applications is restricted to the users' trusted devices (computers, smartphones, tablets) that your policy authorizes. A bad guy wanting to access one of your applications would have to BOTH steal a trusted device AND crack the user's vault password. This makes it really difficult for the bad guys! And if you decide to enforce mobile-based 2-factor authentication for some applications, it becomes virtually impossible for anyone but the legitimate user to get in.


3. Complex & unique passwords

Passwords created by users are - at best - built with basic, repetitive rules. This makes them very weak, since many password databases have been cracked in recent years, exposing hundreds of millions of user credentials and giving hackers a simple way to rebuild valid passwords for other websites. To prevent this and to offload the password creation hassle from users, the zipLogin vault randomly issues complex passwords that don't follow any pattern.

4. Hidden passwords

The best way to prevent users from sharing their passwords in an uncontrolled way is to give them no access to these passwords. zipLogin allows you to share access to accounts WITHOUT actually sharing the passwords. If for some reason you need to revoke access rights (e.g. temporary staff leaving), you can do so without impacting other team members, and you'll be sure that no one has left with the company's credentials.


5. Central management

Once you've given access rights to some application or account, it's virtually impossible to revoke them if the application itself doesn't handle delegation. Even if it does, you may end up having to control access rights in a lot of different places. That's one of the key features of zipLogin: you have a single, central interface where you can monitor who has access and who actually accessed what, and also revoke rights in one click if they are no longer needed.


6. Back-up and recovery

Needless to say, encrypted credentials are backed up in the zipLogin Cloud. Also, in case a user gets locked out of their vault, you're able to give them new access, and also to define which self-recovery methods are acceptable for your organization.

Our commitments to your security