How does Tresorit manage my password when I access my account via a browser?

There are 3 situations when you access your Tresorit account via a browser:

When you log into…

1. …Tresorit Web Access (all users)
2. … your Account Portal from the Tresorit app (Premium, Basic users)
3. …The Admin Center from the Tresorit app (Business admins)

In all of these situations, Tresorit’s end-to-end encryption technology guarantees the zero knowledge service: only you can access your account, password and data. These never leave your browser and device without being encrypted first. Encryption guarantees that no one else – including Tresorit admins – can access it. Here’s how we ensure this.

1) Login to Tresorit Web Access

1. If no valid session is found then the user will be redirected to https://web.tresorit.com/login to log in.  
2. During a challenge-response protocol we gather proof, that you have the correct password and serve you your encrypted profile stored on our servers.
3. We decrypt your profile on your device with the password you entered. Using that we generate your device certificates – with 2048 bit RSA keys. The device certificates are sent for signing (SHA512) to the server. Visit our post for more details about online password management.
4. As a result the you will be logged in to the web client with a fresh new device certificate
5. From here the same protocol is played in the background as described below – the device certificate is used to obtain a login session and later on an active session to https://accountapi.tresorit.com
6. Accessing your files: you have received your encrypted profile during the authentication process, so you will be able to access all your files securely by clicking < Tresors > tab on the menu bar. This process is mutually exclusive: If you are logged in the Tresorit Web Access you can visit your Account Portal by clicking the < Account > tab in the menu bar.

2) & 3) Login to the Account Portal or Admin Center from a desktop app

1. By clicking < Visit My Account > or < Admin Center > in the Tresorit app, you call one of our servers. You will be authenticated with your device certificate and receive a login URL with a random identifier which can be used for 15 minutes (pointing to https://login.tresorit.com).
2. The Tresoritclient opens the received URL in the default browser where the data in the URL will be posted to https://accountapi.tresorit.com
3. The server checks the parameters and generates a new session for the client which will be valid for 30 minutes. The client stores this information in a HttpCookie (HttpOnly, which is non-reachable from JavaScript and Secure: sent only over a HTTPS connection).
4. Regardless of the check you will be redirected to the < Account > tab of your Web Access.  
5. Your Tresorit client always calls accountapi.tresorit.com on this website, and with all calls the Cookie is also sent which is checked before each call.
6. Accessing your files: if you use this login method, you will need to re-authenticate on the website if you would like to go to your < Tresors > tab to access your files via the browser.

Thanks for your attention. Now that you are familiar with how Tresorit manages your password when you access your account via a browser, please make sure to keep up the good vibe. Add an extra layer of security to your account by enabling 2-Step Verification.

You can always contact us if you have any questions.