Enterprise Recovery

Posted on February 5, 2021

The TraitWare Console allows Account and Customer Owners (see Owners documentation) to provision Recovery Users and Paper Keys.

Owners may provision recovery users and paper keys for any Accounts or Customers that they own. Anybody who knows this paper key, has access to the recovery email, and is able to provide identity proofing to TraitWare support can utilize this process to provision a new Owner without access to an Owner’s device and device credentials. With this in mind, protect these secrets the same way you would protect a phone that automatically unlocks.

TraitWare strongly suggests provisioning multiple owners for any Account or Customer. This recovery process is intended to only be used as a final protection against Account or Customer access loss, in cases where all owners simultaneously lose access to their devices.

How Enterprise Recovery Works

Provisioning Recovery Users and Paper Keys

The TraitWare Console utilizes well-established client-side cryptography to provision Recovery Users. When an owner creates a Recovery User, the browser client generates a new symmetric encryption key and uses it to encrypt the Recovery Email and associated information (AES-GCM encryption using a random initialization vector and a 256-bit key). Only this encrypted recovery payload is sent to the TraitWare servers, along with an associated nickname.

Once the encrypted recovery payload is successfully registered, the encryption key is serialized into a hexadecimal string and displayed on the screen along with an entity ID and the Recovery User nickname. Record all three of these strings and store them somewhere secure.

TraitWare does not know what your recovery email is, and cannot be phished for this information. However, TraitWare also cannot perform any validation on this email, so use the Recovery Email Checklist to ensure all email requirements are met.

Initiating Recovery

Recovery may only be initiated by TraitWare administrators when contacted by an Organization. This process is performed over the phone or by other virtual means with TraitWare Support.

The means of identity proofing recovery users is at the sole discretion of TraitWare unless otherwise stipulated in a contractual agreement. TraitWare makes every effort to ensure recovery users are authorized to recover their account on behalf of their Organization.

Once TraitWare support has validated your identity, they will ask you for the recorded entity ID and use this for lookup. These entity IDs are not protected like a secret, but they are much more private than Company names. This acts as some extra protection against phishing and unintended recovery attempts.

Upon a successful lookup, TraitWare will select the Recovery User using the nickname you provide and ask you for your recovery encryption key. This is the only time TraitWare will ever ask you for this key; ensure that it is never shared outside of this context. Once this key is entered by TraitWare support and sent to the server, the recovery process is initiated and all of the following happen:

1. Owners are sent notification emails, alerting them that the recovery process has been initiated.

2. The server attempts to decrypt the recovery payload.

3. On successful decryption, the key is marked as no longer private. This will show on the Recovery User page, to ensure that you know the key needs to be re-provisioned after this process is complete.

4. The server attempts to provision the new user. This provisioning will fail if the email already belongs to another Owner. If the user already exists and is not an owner, all existing application access is removed from the user.

5. A recovery session is generated, and a redirect link that authorizes a browser to this session is sent to the recovery email address.

6. A recovery PIN is generated and returned to TraitWare support.

Check your recovery email for the redirect link and click it to establish a recovery session. You will arrive at a page asking you for a PIN. TraitWare support will provide you with a secret PIN to ensure this recovery email cannot be intercepted, and only when the PIN is provided will a device activation code be generated and returned to the user as an activation QR code. Additionally, a string representation of the code will be presented for use in situations where scanning a QR code is unavailable.

Selecting a Recovery Email Checklist

TraitWare strongly suggests using an email not associated with any TraitWare account. You can use the following checklist to ensure an appropriate email is chosen:

– [ ] Ensure that the email login is not protected by TraitWare MFA, or that TraitWare MFA can be disabled.

– [ ] Ensure that the email is provisioned to prevent recovery emails being forwarded to “wildcard” or “catch-all” email addresses.

– [ ] Ensure that the email is not a pre-existing Account or Customer Owner, and will not be provisioned as one.

– [ ] The TraitWare server cannot inspect the recovery email, so this is up to you to ensure.

Example Guidance for Backup Email Account

  • For O365 and Google Workspace provisioned email accounts, those providers require a super user with credential access to prevent account lock-out. Those credentials are usually stored securely and may not be protected with TraitWare. These credentials can be used to turn off TraitWare federation (SSO) for those providers in the event that access via TraitWare is unavailable (loss of all admin access tokens, service unavailable).
  • A TraitWare-protected email may be used for recovery provided the above is true and credentials for accessing that recovery email account are known (reminder: existing Owners' emails may not be used for recovery).
  • If your super user credentials are stored in a TraitWare-protected credential vault, ensure you have paper key recovery access credentials securely stored for emergency/break-glass scenario access to your credential vault.
  • The super user credentials can be used to disable the TraitWare service to gain credential-based access to the recovery email accounts.
  • It is recommended that you run a test of this scenario as part of your business continuity/disaster recovery plan testing.
  • Make sure to add support@traitware.com to the safe sender list of your recovery email account to prevent any delivery issues.
  • It is recommended that you gain access to your recovery email account prior to engaging with TraitWare for recovery support.

Protect Your Paper Key

Immediately after provisioning a Recovery User, you will be shown the nickname you selected, an entity ID, and a hexadecimal-encoded recovery key. TraitWare strongly recommends recording all of these on paper and storing them somewhere secured by lock and key.

You should additionally record and securely store the recovery email selected for recovery, as TraitWare support will never have knowledge of this.