There are 3 situations when you access your Tresorit account via a browser:
When you log into…
- …Tresorit Web Access (all users)
- … your Account Portal from the Tresorit app (Premium, Basic users)
- …The Admin Center from the Tresorit app (Business admins)
In all of these situations, Tresorit’s end-to-end encryption technology guarantees the zero knowledge service: only you can access your account, password and data. These never leave your browser and device without being encrypted first. Encryption guarantees that no one else – including Tresorit admins – can access it. Here’s how we ensure this.
1) Login to Tresorit Web Access
- If no valid session is found, you are redirected to https://web.tresorit.com/login to log in.
- During a challenge-response protocol we gather proof that you have the correct password, and then serve you your encrypted profile stored on our servers.
- We decrypt your profile on your device with the password you entered. Using the decrypted profile we generate your device certificates, with 2048-bit RSA keys. The device certificates are sent to the server for signing (SHA-512). Visit our post on online password management for more details.
- As a result you are logged in to the web client with a fresh device certificate.
- From here the same protocol runs in the background as described below: the device certificate is used to obtain a login session and, later on, an active session to https://accountapi.tresorit.com.
- Accessing your files: you received your encrypted profile during the authentication process, so you can access all your files securely by clicking the < Tresors > tab on the menu bar. This only works in this direction: if you are logged in to Tresorit Web Access, you can visit your Account Portal by clicking the < Account > tab in the menu bar.
2) & 3) Login to the Account Portal or Admin Center from a desktop app
- By clicking < Visit My Account > or < Admin Center > in the Tresorit app, you call one of our servers. You are authenticated with your device certificate and receive a login URL (pointing to https://login.tresorit.com) containing a random identifier that can be used for 15 minutes.
- The Tresorit client opens the received URL in the default browser, where the data in the URL is posted to https://accountapi.tresorit.com.
- The server checks the parameters and generates a new session for the client, valid for 30 minutes. The client stores this information in an HTTP cookie flagged HttpOnly (not readable from JavaScript) and Secure (sent only over an HTTPS connection).
- Regardless of the outcome of the check, you are redirected to the < Account > tab of your Web Access.
- On this website your Tresorit client always calls accountapi.tresorit.com; the cookie is sent with every call and is checked before each call is served.
- Accessing your files: if you use this login method, you will need to re-authenticate on the website if you want to go to your < Tresors > tab to access your files via the browser.
Thanks for your attention. Now that you are familiar with how Tresorit manages your password when you access your account via a browser, please make sure to keep up the good vibe. Add an extra layer of security to your account by enabling 2-Step Verification.
You can always contact us if you have any questions.