Linuxfr.org: Passbolt, the password manager for teams, launches its mobile applications
Passbolt is a free password manager designed for team use and collaboration. The first version of the software was announced here on LinuxFr a few years ago.
Since its initial launch in 2016, Passbolt has evolved a lot: many features have been added, as has support for many systems. The Passbolt server can now be installed on a wide range of Linux servers (packages for Debian, Ubuntu, CentOS, Red Hat, and others), in Docker, or even on a Raspberry Pi. On the security side, the various components of the solution were fully audited in 2021 by an independent firm (Cure53).
Passbolt has a community forum where members can propose new features or vote for them. By far the most requested feature has, for some time, been mobile applications, so it became important to prioritise this work.
After more than a year of work and a lot of sweat, the Passbolt team is therefore proud to announce the release of its two mobile applications, for iOS and Android, both entirely free, fully audited, and compatible with all software editions: community, pro and cloud.
Before going into details, here is a short demonstration video (in English).
Native applications, for better compatibility and more security
The first difficulty, before any development, was to establish the specifications and decide how to build these applications. With the number of options on the market today, it is easy to get lost.
Some hybrid technologies (React Native, Flutter, Ionic, etc.) are tempting both for their ease of development and for the ability to reuse one code base across several platforms. Passbolt being a small team of developers, this was naturally the first option explored. However, the many constraints tied to the security requirements of the software, and the need to reach the layers closest to the system (secure storage, management of the system keystore), pushed us to abandon the hybrid option fairly quickly.
In the end, and despite the heavy implications of this choice, the team opted for fully native development. The result is two completely separate applications, one for iOS and one for Android, each with its own user experience, developed over more than twelve months. The effort was costly, but the result is well worth it in terms of what the software can now do.
The source code of the two applications, as well as the build instructions, is available here:
Transferring OpenPGP keys
Passbolt relies on OpenPGP for encryption, and each user holds their own private key, which, as the name suggests, is never transmitted to the server. The first difficulty was therefore to allow this key to be transferred from the browser to the mobile device.
After studying the possibility of transferring the key through some exotic channels such as NFC or audio frequencies, we finally settled on the more traditional but proven method of the QR code. "Most OpenPGP keys are too big to fit in a single QR code," you will say. You are quite right. This is why the transfer takes place by scanning several QR codes in sequence, chained automatically without user intervention. It takes a few seconds at most; judge for yourself.
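The chained multi-QR transfer described above, as an added example that is not Passbolt's code: the frame format (JSON with a transfer id, index, frame count, SHA-256 of the whole key and a base64 data slice), the per-code capacity of 1000 characters and the placeholder key are all assumptions made for this illustration. It shows the parts a practitioner cares about: keeping every frame under the QR capacity, accepting frames in any order and with duplicates, rejecting a frame from a different transfer, and refusing to hand over a key whose digest does not match.

```python
"""Key transfer over a sequence of QR codes: framing, out-of-order reassembly,
integrity check. Added example, not Passbolt's code; frame format, size limit
and sample key are assumptions."""
import base64
import hashlib
import json
import secrets

# Assumed usable capacity of one QR code in characters; the real limit depends
# on the QR version and error-correction level chosen.
MAX_QR_PAYLOAD = 1000

# Constructed placeholder standing in for an ASCII-armored private key. It is
# not a real OpenPGP key, only a byte string of realistic size (about 4 KB).
_body = base64.b64encode(bytes(range(256)) * 12).decode()
SAMPLE_KEY = (
    "-----BEGIN PGP PRIVATE KEY BLOCK-----\n\n"
    + "\n".join(_body[i:i + 64] for i in range(0, len(_body), 64))
    + "\n-----END PGP PRIVATE KEY BLOCK-----\n"
).encode()


def make_frames(payload: bytes, max_frame_len: int = MAX_QR_PAYLOAD) -> list[str]:
    """Split payload into JSON frames, each small enough for one QR code.

    Every frame carries the transfer id, its index, the frame count and the
    SHA-256 of the whole payload, so the receiver can spot a frame from another
    transfer and verify the reassembled key.
    """
    transfer_id = secrets.token_hex(4)
    digest = hashlib.sha256(payload).hexdigest()
    # Worst-case header size, measured on a frame with four-digit counters.
    overhead = len(json.dumps({"id": transfer_id, "i": 9999, "n": 9999, "h": digest, "d": ""}))
    # Base64 turns 3 bytes into 4 characters; keep each chunk a multiple of 3.
    data_per_frame = (max_frame_len - overhead) // 4 * 3
    if data_per_frame <= 0:
        raise ValueError("frame limit too small for the header")
    total = -(-len(payload) // data_per_frame)  # ceiling division
    frames = []
    for i in range(total):
        chunk = payload[i * data_per_frame:(i + 1) * data_per_frame]
        frame = json.dumps(
            {"id": transfer_id, "i": i, "n": total, "h": digest,
             "d": base64.b64encode(chunk).decode()},
            separators=(",", ":"),
        )
        assert len(frame) <= max_frame_len
        frames.append(frame)
    return frames


class Receiver:
    """Collects scanned frames; tolerates duplicates and any scan order."""

    def __init__(self) -> None:
        self.transfer_id = None
        self.total = 0
        self.digest = None
        self.parts: dict[int, bytes] = {}

    def scan(self, frame: str) -> bool:
        """Ingest one frame; return True once every index has been seen."""
        f = json.loads(frame)
        if self.transfer_id is None:
            self.transfer_id, self.total, self.digest = f["id"], f["n"], f["h"]
        elif f["id"] != self.transfer_id:
            raise ValueError("frame belongs to a different transfer")
        if not 0 <= f["i"] < self.total:
            raise ValueError("frame index out of range")
        self.parts[f["i"]] = base64.b64decode(f["d"])
        return len(self.parts) == self.total

    def missing(self) -> list[int]:
        return [i for i in range(self.total) if i not in self.parts]

    def assemble(self) -> bytes:
        """Rebuild the payload and refuse it if the digest does not match."""
        if self.missing():
            raise ValueError(f"frames still missing: {self.missing()}")
        data = b"".join(self.parts[i] for i in range(self.total))
        if hashlib.sha256(data).hexdigest() != self.digest:
            raise ValueError("integrity check failed: payload does not match digest")
        return data


def demo() -> bool:
    """Scan the frames in reverse order, with one duplicate, and compare."""
    frames = make_frames(SAMPLE_KEY)
    rx = Receiver()
    for frame in frames[::-1] + frames[:1]:
        rx.scan(frame)
    return rx.assemble() == SAMPLE_KEY


if __name__ == "__main__":
    print("round trip ok:", demo())
```

The digest travels in every frame rather than only the first so that a receiver which starts mid-sequence still learns what the finished payload must hash to; the transfer id is what stops frames from a second attempt being mixed into a half-finished first one.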
Passwordless login
Rather surprisingly for a password manager, logging in to Passbolt from the mobile application can be done without... a password. This is made possible by biometrics.
Technically, the device's secure storage is used to hold the passphrase that protects the OpenPGP private key. The user unlocks that passphrase with their biometrics; the passphrase is then used to decrypt the OpenPGP key, log in, and access the passwords stored in Passbolt.
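A model of that unlock flow, as an added example that is not Passbolt's code: the secure storage class, the biometric prompt callback and the key-protection scheme (scrypt to derive keys, an HMAC-SHA256 counter-mode keystream and an authentication tag) are stand-ins for the platform keychain/keystore and for OpenPGP's own passphrase-based key protection, and the sample key and passphrase are constructed placeholders. The point it makes is that biometrics only gate the release of the passphrase; the private key itself stays encrypted under that passphrase, so a denied prompt yields nothing and a wrong passphrase fails closed.

```python
"""Model of the biometric unlock flow: the passphrase lives in the device's
secure storage, is released only after a successful biometric prompt, and is
then used to decrypt the passphrase-protected private key.

Added example, not Passbolt's code. Storage, prompt and the protection scheme
are stand-ins for the platform keystore and OpenPGP's key protection."""
import hashlib
import hmac
import os
from typing import Callable


class BiometricDenied(Exception):
    """The platform biometric prompt failed or was cancelled."""


class DeviceSecureStorage:
    """Stand-in for an iOS Keychain / Android Keystore entry gated by biometrics."""

    def __init__(self, biometric_prompt: Callable[[], bool]) -> None:
        self._prompt = biometric_prompt
        self._entries: dict[str, bytes] = {}

    def store(self, name: str, value: bytes) -> None:
        self._entries[name] = value

    def read(self, name: str) -> bytes:
        # The value never leaves storage unless the biometric check succeeds.
        if not self._prompt():
            raise BiometricDenied(name)
        return self._entries[name]


def _derive(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the passphrase."""
    k = hashlib.scrypt(passphrase.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return k[:32], k[32:]


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect_private_key(private_key: bytes, passphrase: str) -> bytes:
    """Return salt || ciphertext || tag; unreadable without the passphrase."""
    salt = os.urandom(16)
    enc_key, mac_key = _derive(passphrase, salt)
    ciphertext = bytes(a ^ b for a, b in zip(private_key, _keystream(enc_key, len(private_key))))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return salt + ciphertext + tag


def unprotect_private_key(blob: bytes, passphrase: str) -> bytes:
    """Verify the tag before decrypting; a wrong passphrase fails closed."""
    salt, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _derive(passphrase, salt)
    expected = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or corrupted key blob")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, len(ciphertext))))


def unlock_with_biometrics(storage: DeviceSecureStorage, protected_key: bytes) -> bytes:
    """The app flow: biometrics release the passphrase, which decrypts the key."""
    passphrase = storage.read("passbolt.passphrase").decode()
    return unprotect_private_key(protected_key, passphrase)


# Constructed placeholders; not a real OpenPGP key or a user's passphrase.
SAMPLE_PRIVATE_KEY = (
    b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n(placeholder)\n"
    b"-----END PGP PRIVATE KEY BLOCK-----\n"
)
SAMPLE_PASSPHRASE = "correct horse battery staple"


def demo(biometric_ok: bool) -> bytes:
    """Enrol the passphrase, then attempt an unlock with the given prompt outcome."""
    storage = DeviceSecureStorage(lambda: biometric_ok)
    storage.store("passbolt.passphrase", SAMPLE_PASSPHRASE.encode())
    protected = protect_private_key(SAMPLE_PRIVATE_KEY, SAMPLE_PASSPHRASE)
    return unlock_with_biometrics(storage, protected)


if __name__ == "__main__":
    print(demo(True).decode())
```

Worth keeping in mind when reviewing such a design: the biometric check replaces typing the passphrase, not the passphrase itself. If the protected key blob leaks off the device, its security still rests entirely on the passphrase and the key-derivation cost, which is why the passphrase stored in the keystore should be the same strong one the user chose at setup and not a weakened device-only secret.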
Supported operations
This first version of the mobile applications supports the basic operations of the software: creating, reading, updating and deleting passwords. It is also possible to access a password's metadata. Finally, the application can be used to automatically fill in credentials on any website or in any application known to Passbolt.
Advantages of the granular architecture
On Passbolt, each password has its own entry in the database and its own granular access permissions when it is shared securely. This has many advantages over vault-type solutions, where an entire vault is shared with other users, which brings constraints in terms of bandwidth, concurrent writes and key management.
In the specific case of the mobile applications, this guarantees that a user always has access to the latest version of a shared secret, and that the access logs keep their integrity.
To find out more about the security model, feel free to consult the security model white paper (in English).
Next steps
Despite the release of this first version of the mobile applications, the roadmap remains fairly ambitious. Upcoming developments will include, among other things, the ability to share a password from the mobile application, and the ability to perform Passbolt operations on the desktop entirely through biometrics (login, unlocking a password, account recovery).
Share your feedback
The team behind Passbolt being mostly French-speaking, feel free to share your feedback directly in the comments below. LinuxFr having hosted the very first announcement when Passbolt was initially released, now almost five years ago, it is with great pleasure that we will answer your questions, messages and criticisms.