Master Password Management Flows
The Auth Team manages several components that allow a user to either:
- Set an initial master password
- Change an existing master password
This document maps all of our password management flows to the components that handle them.
Acronyms
- MP = "master password"
- MPE = "master password encryption"
- TDE = "trusted device encryption"
- JIT provision = "just-in-time provision"
The Base InputPasswordComponent
Central to our master password management flows is the base InputPasswordComponent, which is responsible for displaying the appropriate form fields in the UI, performing form validation, and generating appropriate cryptographic properties for each flow. This keeps our UI, validation, and key generation consistent across all master password management flows.
Set Initial Password Flows
| Flow | Route (on which user sets MP) | Component(s) |
| --- | --- | --- |
| Account Registration | /finish-signup | RegistrationFinishComponent (embeds InputPasswordComponent) |
| Trial Initiation (🌐 web only) | /trial-initiation or /secrets-manager-trial-initiation | CompleteTrialInitiationComponent (embeds InputPasswordComponent) |
| Upon Authentication (an existing authed user) | /set-initial-password | SetInitialPasswordComponent (embeds InputPasswordComponent) |
* A note on JIT provisioned user flows:
  - Even though a JIT provisioned user is a brand-new user who was "just" created, we consider them to be an "existing authed user" from the perspective of the set initial password flow. This is because at the time they set their initial password, their account already exists in the database (before setting their password) and they have already authenticated via SSO.
  - The same is not true in the Account Registration flows above: during account registration, when a user reaches the /finish-signup or /trial-initiation page to set their initial password, their account does not yet exist in the database and will only be created once they set an initial password.
Change Password Flows
| Flow | Route (on which user changes MP) | Component(s) |
| --- | --- | --- |
| Account Settings (Docs) (🌐 web only): user changes MP via account settings. | /settings/security/password (security-routing.module.ts) | PasswordSettingsComponent (embeds ChangePasswordComponent, which embeds InputPasswordComponent) |
| Upon Authentication | /change-password | ChangePasswordComponent (embeds InputPasswordComponent) |
| Emergency Access Takeover (Docs) (🌐 web only): emergency access Grantee changes the MP for the Grantor. | Grantee opens dialog while on /settings/emergency-access | EmergencyAccessTakeoverDialogComponent (embeds InputPasswordComponent) |
| Account Recovery (Docs) (🌐 web only): org member with "manage account recovery" permission changes the MP for another org user via Account Recovery. | Org member opens dialog while on /organizations/{org-id}/members | AccountRecoveryDialogComponent (embeds InputPasswordComponent) |