Security

SecureSafe Security Concept

 

 

The 12 Security Reasons for SecureSafe

 

SecureSafe is a maximum-security Internet service (SaaS) developed by DSwiss AG together with leading Swiss IT security and engineering companies. Furthermore, innovations emerging from research at universities – recognized and supported by the Swiss federal government – contribute to current and future security innovations.
The following 12 reasons include a summary highlighting the most important security features of SecureSafe: 

 

1. Strong authentication

SecureSafe has implemented the "secure remote password protocol" (SRP). The method was invented at Stanford University by Tom Wu (RFC 2945). Using SRP, SecureSafe provides maximum security against internet threats like eavesdropping and dictionary attacks and is still easy to use. Another important aspect of SRP is that SecureSafe does not need to store your password nor any one-way function of the password anywhere. Consequently, passwords and documents are not exposed to accidental data loss or malicious data-leakage risks.

More information on this topic is available at http://en.wikipedia.org/wiki/Secure_remote_password_protocol

 

2. DoubleSec: 2-factor authentication (mTAN, SRP)

SecureSafe targets maximum security for our clients. SecureSafe therefore offers all clients a strong authentication method called mTAN (see user preferences for activation). We recommend that our clients make use of this additional strong security feature. With mTAN activated, the user is asked at login to type in a one-time password that was delivered to him over the mobile network by text message (SMS). This so-called mTAN is proven to be more secure than many other 2-factor authentication methods such as TAN or iTAN.

Our 2-factor authentication is included in Password PRO, SILVER and GOLD.

Read more about DoubleSec

 

3. Login Recovery Code

No one else can ever read a user's data or login secret (password). Therefore the user's data is highly secure and protected against fraud. This also means that the user must never forget his password: nobody else knows it, and consequently it cannot be reset or recovered. If a user forgets his password, all of his data is irretrievably lost. To help in situations of a lost or forgotten login, SecureSafe provides users with the "Login Recovery Code" document (Button "My Account", Tab "Recovery", "View PDF"). The user's personal login recovery code can be printed from within the user's account.

 

4. Encryption in the memory of the user's computer

Strong encryption is a core quality and competence of the SecureSafe application. SecureSafe even encrypts passwords in the memory of the user's computer while the SecureSafe password safe is in use. Only when a single password is actually viewed or used by the user is it temporarily decrypted and displayed.

 

5. Encryption on the iPhone/iPod/iPad

As in the memory of a user's computer, SecureSafe encrypts all data stored on the iPhone/iPod/iPad using a strong AES-256 key and only decrypts passwords on demand. This ensures that even if a malicious application on the iPhone/iPod/iPad were able to read the local SecureSafe database, it could not access any of the passwords or data stored in it. In the same way, all SecureSafe passwords and data are secured against theft of the iPhone/iPod/iPad.

 

6. Double protection during transport over Internet

SecureSafe uses strong-security EV SSL certificates (so-called Extended Validation certificates). You can recognize the certificates in your browser's URL bar, as the company name or the whole URL field is shown with a green background (depending on the browser). All of the data that is passed to SecureSafe servers is encrypted with the strong SSL keys. In addition, using a unique session key that is established in a secure way during each login, all password safe entries, metadata and user data are double encrypted, such that even man-in-the-middle attackers targeting the SSL session cannot access that data. This session-specific key also prevents replay attacks, because all encrypted data looks different during each session. In theory, this allows the SecureSafe data safe to be used securely even over channels without SSL protection.
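
The login described in reason 1 and the per-login session key described in reason 6 can be illustrated with a small SRP exchange. This is an added example, not SecureSafe's code: it uses an SRP-6a-style variant with SHA-256 and simplified hashing, and the demo group, the function names and the sample credentials are assumptions made for illustration.

```python
import hashlib
import secrets

# Demo group only (assumption): the Mersenne prime 2**521 - 1 keeps the example
# short. Real SRP deployments use a standardized safe-prime group.
N = 2**521 - 1
G = 3

def H(*parts) -> int:
    """SHA-256 over length-prefixed parts (ints or bytes), as an integer."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(len(p).to_bytes(2, "big") + p)
    return int.from_bytes(h.digest(), "big")

K = H(N, G)  # SRP-6a multiplier

def private_x(salt: bytes, user: str, password: str) -> int:
    """Client-only secret exponent derived from salt, user name and password."""
    return H(salt, H(user.encode(), b":", password.encode()))

def register(user: str, password: str):
    """Enrolment on the client: the server is sent (salt, verifier) only."""
    salt = secrets.token_bytes(16)
    return salt, pow(G, private_x(salt, user, password), N)

def login(user: str, password: str, salt: bytes, verifier: int):
    """Run one exchange; return (client_key, server_key) as each side computes it."""
    a = secrets.randbelow(N - 2) + 1           # client ephemeral secret
    A = pow(G, a, N)                           # message: client -> server
    b = secrets.randbelow(N - 2) + 1           # server ephemeral secret
    B = (K * verifier + pow(G, b, N)) % N      # message: server -> client
    u = H(A, B)                                # scrambling value, both sides
    if A % N == 0 or B % N == 0 or u == 0:     # each side rejects degenerate values
        raise ValueError("invalid SRP public value")
    # Client side: uses the typed password, never sends it.
    x = private_x(salt, user, password)
    s_client = pow((B - K * pow(G, x, N)) % N, a + u * x, N)
    # Server side: uses only the stored verifier.
    s_server = pow(A * pow(verifier, u, N) % N, b, N)
    return H(s_client), H(s_server)
```

Both keys agree only when the typed password matches the enrolled one, and the fresh ephemeral values `a` and `b` make the key differ on every login, which is why ciphertext bound to one session cannot be replayed into another.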

 

7. Strong encryption of user data with SecureSafe

SecureSafe encrypts all user data with highly secure and globally recognized encryption methods (RFC 2898). No hackers, government agencies or SecureSafe staff members can ever access user data and information that is stored with SecureSafe. SecureSafe makes use of well-established cryptographic standards such as AES-256 and RSA-2048, without compromise. Both standards provide proven security for many years to come.

 

8. Help to choose strong passwords

Together with its scientific partner, the Zurich University of Applied Sciences, SecureSafe designed and developed a new way to generate easy-to-memorize (but still strong) passwords and to visualize how secure a password is in the simplest possible way.

 

9. Secure coding practices

The DSwiss software engineering team that created SecureSafe has long experience in creating high-security and banking applications. The team adheres to the top 10 secure coding practices and in particular always strives for simple solutions.

 

10. SecureSafe datacenters in Switzerland

The SecureSafe application and data storage – and therefore all client data – are hosted only in highly secure datacenters inside Switzerland. SecureSafe datacenters further comply with the specific regulations of the Swiss Federal Banking Commission.

 

11. Continuous external security testing

SecureSafe subscribes to the McAfee Secure service, which performs vulnerability scans and compliance checks of SecureSafe's web services on a daily basis. Please see the corresponding seal shown at the bottom of this page. Clicking on the seal will reveal the latest scan reports.

 

12. DSwiss security team

DSwiss employs well-known security specialists who contribute their know-how to international security associations. Dr. Inf. Ing ETH Tobias Christen, CTO of DSwiss, is the co-founder of the world's largest security architecture community, "OpenSecurityArchitecture.org". Tobias Christen frequently gives presentations on "Security versus Usability" and co-hosts the OWASP Switzerland chapters. Before joining DSwiss, Tobias was responsible for the security architecture of a large insurance company, and prior to that he was CTO of the leading European firewall and IPS company. Michael Tschannen, Lead Security Engineer of DSwiss, is known for his work in the mobile security area and is an active member of OWASP Switzerland. Thanks to his former employment as a penetration tester, he understands how attackers target systems and how systems can be secured against hackers. Tobias Christen and Michael Tschannen are active members of the Information Society Switzerland (ISSS). The DSwiss security team has participated, and is currently participating, in several research projects carried out with security research teams from leading universities.