Account Registration
What is the Login Mechanism in tiCrypt?
Every user in tiCrypt has a private and public key. Public keys can and should be shared with other users as there is no risk in sharing a public key. There is, however, a huge risk in sharing a private key.
Hypothetically, private keys could be stored in a secure place, such as a protected key store. However this is not how tiCrypt operates.
Even a private key stored in a secure location can be stolen if that location is compromised, for example through impersonation of the Site-key Admin, creating a potential breach in the system.
By splitting the key into multiple parts and fully separating the power of control between escrow users, you can achieve a much higher level of security, all coordinated by cryptographic mechanisms.
To better understand this process, consider the following analogy.
You live in your house.
You want to give other people the key to your house in case you ever lose your key. However, you only want people to be able to get into your house if you are there.
You could give a key to a friend, but they could still go behind your back and enter your house. The same applies to your family members. You think about giving half of one key to one friend and the other half of the key to another friend. This idea could work, but the two friends could still collaborate, put their halves together, and enter the house.
This solution does not suffice.
You cannot issue the pieces of the key to people who are related to each other. Hence, you give 1/3 of the key to a family member, 1/3 of the key to one of your friends, and 1/3 to a co-worker. None of the individuals in the three groups know each other, nor do they know who holds the other parts of the key. This solution works. And the more pieces of the key the owner of the house issues, the more secure their house will be.
The way that Escrow works in tiCrypt is the same.
tiCrypt enforces a minimum of three escrow groups but encourages the use of more. Each time a user's key is escrowed, the backend receives "fragments" of it. If the user ever loses their private key, one member from each escrow group must retrieve their fragment, and the fragments must be put together.
This solution ensures that no single individual can obtain another user's private key.
Once a key is escrowed, each escrow group delegates a distinct member to hold 1/3 of the key.
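The following is an added illustration of the splitting idea described above (an n-of-n XOR split, where every escrow group's fragment is required and any smaller subset reveals nothing). It is not tiCrypt's own escrow code, and the private key material is a constructed sample string, not a real key.

```python
import os
from functools import reduce


def xor_bytes(*parts):
    """XOR byte strings of equal length together."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*parts))


def split_key(secret, groups=3):
    """Split `secret` into `groups` fragments, one per escrow group.

    All but the last fragment are uniformly random, so any single fragment
    (or any subset missing at least one fragment) is statistically
    independent of the secret. The last fragment is chosen so that the XOR
    of all fragments reproduces the secret.
    """
    if groups < 3:
        # Mirrors the page's rule: at least three escrow groups.
        raise ValueError("escrow needs at least three escrow groups")
    random_fragments = [os.urandom(len(secret)) for _ in range(groups - 1)]
    last_fragment = xor_bytes(secret, *random_fragments)
    return random_fragments + [last_fragment]


def combine_fragments(fragments):
    """Rebuild the secret; only correct when every fragment is present."""
    return xor_bytes(*fragments)


def escrow_demo(groups=4):
    """Return (full recovery succeeded, partial recovery succeeded)."""
    # Constructed sample key material, NOT a real private key.
    private_key = b"constructed-sample-private-key-material"
    fragments = split_key(private_key, groups)
    full = combine_fragments(fragments) == private_key
    # Three of four escrow groups colluding: still missing one random fragment.
    partial = combine_fragments(fragments[:-1]) == private_key
    return full, partial


if __name__ == "__main__":
    print(escrow_demo())  # (True, False)
```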
What is the page showing up after the login?
Once you log in, a page will pop up requiring you to re-enter your details. This is a 2FA page whose purpose is to verify your user identity.
This page may be customized by your host institution.
How do I Set my Local Browser to Remember my 2FA Credentials?
Mac Users | Chrome Browser
- Click the Three dots menu in the top right of your chrome tab.
- Select Settings | optionally, press + ,
- Select Auto-fill and passwords in the left panel.
- From the options, click Addresses and more.
- Click the Add button in the top right corner.
- In the prompt, enter your secure enclave email, user name and organization name.
- Click Save.
To learn more about auto-fill in Chrome browser, navigate to fill out forms automatically.
Mac Users | Firefox Browser
- Click the Menu in the top right of your firefox tab.
- Select Settings | optionally, press + ,
- Click Privacy & Security in the left panel.
- Scroll down to Autofill section.
- Click the Saved Addresses button.
- In the prompt, click Add.
- Enter your secure enclave email, user name and organization name.
- Click Close to save & exit.
To learn more about auto-fill in Firefox browser, navigate to automatically fill in your address on web forms.
Windows Users | Chrome Browser
- Click the Three dots menu in the top right of your chrome tab.
- Select Settings | optionally, press Alt+F or Alt+E or F10+Enter.
- Select Auto-fill and passwords in the left panel.
- From the options, click Addresses and more.
- Click the Add button in the top right corner.
- In the prompt, enter your secure enclave email, user name and organization name.
- Click Save.
To learn more about auto-fill in the Chrome browser, navigate to fill out forms automatically.
Windows Users | Firefox Browser
- Click the Menu in the top right of your firefox tab.
- Select Settings | optionally, press Alt+Home.
- Click Privacy & Security in the left panel.
- Scroll down to Autofill section.
- Click the Saved Addresses button.
- In the prompt, click Add.
- Enter your secure enclave email, user name and organization name.
- Click Close to save & exit.
To learn more about auto-fill in the Firefox browser, navigate to automatically fill in your address on web forms.
How do I Activate a New tiCrypt Account?
Before activating a new user, admins should have the following in place:
- A Site-key Admin account.
- At least three escrow groups with at least three escrow users each.
- At least one Super-admin account (preferably two).
- At least one team.
- Preferably three predefined user profiles.
- Preferably a fully working virtual machine with a fully working drive.
- Confirmation that the user has registered for an account and is pending activation by an admin.
Find and Select the Newly Registered User
- Go to the Management icon in the top left taskbar.
- Navigate to the Users section.
- Click the Users in the top left panel.
- Select the user(s) who you want to activate.
Select multiple users to activate them in bulk.
Add the User to a Team
- Click the Open Full Menu button in the top right panel.
- Select Add to team(s).
- In the pop-up, enter the team name to join.
- Click Save.
If you forgot to create a team, follow the instructions in Create a new Team.
Change User State to Active
- Reselect the user(s) added to the team.
- Click the Open Full Menu button in the top right panel.
- Select Change State.
- In the pop-up, select Active.
- Click Activate.
If you forgot to create a user profile, follow the instructions in Create a User Profile.
Apply the User Profile
- Reselect the user(s) you want to apply profile to.
- Click the Open Full Menu button in the top right panel.
- Select Apply profile.
- In the pop-up, select the custom profile to apply to user(s).
- Click Apply.
Notify the user that they can log into the system.
- Change State to Active and Escrow on Next Login
- Add User to Project
- If you forgot to create a project, follow the instructions in Create a Top-Level Project from Management.
- Add User (s) to the VM
- If you forgot to create a virtual machine configuration or a drive, follow the instructions to Create a New Virtual Machine Configuration and Create a New Drive.
You can allow the user(s) to create their own virtual machines and drives.
How do I Fix the Login Error Message "Bad MFA certificate for a different user" ?
The "Bad MFA certificate for a different user" login error message appears when you input the wrong credentials on the 2FA (Two-Factor Authentication) page.
Solution
- Click the Back arrow at the top left in your browser.
- Once on the login page, re-enter your correct account key and password.
- Press Enter.
- On the 2FA page, re-enter your correct credentials.
- Click Login.
The account key (usually your institution email), first and last name, contact email, department, and position must match the details used when registering your tiCrypt account.
What is the Best Browser to Run tiCrypt On?
In principle, tiCrypt works on Opera and Microsoft Edge, but we recommend using Chrome or Firefox for the best experience.
- Microsoft Edge uses Chromium, Chrome's engine.
- tiCrypt does not work with the Safari browser.
What are the Best Practices when Registering a New User Account?
- Use Your Organization Email: Register your account using your organization email.
- Add Notes for Admins: Include notes for your admin during registration to provide context or additional information.
- Escrow Your Key: Ask your admin to escrow your key during the initial setup to ensure your account can be recovered in the future.
What are Best Practices for Users in Institutions with Multiple Deployments?
- Create separate accounts for each deployment: if your institution has multiple deployments, you may need an account for each one to have access to them.
- Use distinct usernames and emails: ensure you have different emails and user names for better local private key management across deployments.
- Use a similar password to avoid frequent escrowing: user accounts are tied to each deployment separately, so passwords may be similar between deployments.
What are Best Practices when Operating on a Borrowed Local Machine?
- Download and Save: Save the frontend versions of your secure enclave in your personal storage.
- Shred Sensitive Files: If using a borrowed local machine, shred the tiCrypt Connect Application and .dep files from the desktop after completing your work.
- Protect Your Private Key: Never leave your private key on a borrowed machine.
What are Best Practices for Storing my Private Key?
- Keep your .json private key file secured: find the appropriate directory on your local machine to keep your private key secure for future logins.
- Secure the password that opens your private key box: store the password for your private key in a safe place as instructed by your institution.
- Remember your private key format: the user private key file name must always follow [your-user-name](date).key. Example: john(1_13_20).key. Keys that do not follow this format will not be accepted.
What is the Password Idle Time in the Login Prompt?
Passwords in the login prompt are automatically cleared after 10 seconds of inactivity to enhance security.
What do I do if I Forgot/Lost my Password?
Passwords in tiCrypt cannot be recovered. However, you can recover private keys through a process called Escrow.
To recover your private key, follow these steps:
- Contact your administrator or team support.
- Inquire if your administrator can escrow your key.
- Wait for them to escrow your private key.
- Re-login as usual.
To learn how to escrow a user's key as a Super-admin and prevent permanent account access loss, navigate to Set Up an Escrow Key for a User.
Is my Private Key Safe on my Local Machine?
tiCrypt never leaves your keys exposed. Your private key is always encrypted on your local machine. To use your private key in tiCrypt authentication, you must use your password to unlock the private key.
Your private key is the only password-protected resource in the system and is never saved nor stored on the server.
How do I Enable/Disable MFA Caching at Login?
- Go to the Management icon in the top left taskbar.
- Navigate to the Miscellaneous section.
- Click the System Settings in the left panel.
- In the right panel, under Caching select MFA Caching.
- Set MFA caching tokens to Always or Never.
- Click Save.
The multi-factor tokens are cached in session-local storage, and that session storage is cleared as soon as all tiCrypt tabs are closed.
To edit the MFA caching options follow the instructions from MFA Caching.
How Should I Make the Best Use of the Notes Field when Registering a New Account?
When registering a new tiCrypt account, it is best practice to include a message for your admins specifying the team, group, or project you intend to join.
This helps admins assign you to the correct team, group, or project, expediting your account activation process.
What is the Purpose of "Since you Last Logged In" Prompt?
The purpose of "Since You Last Logged In" prompt is compliance; it provides a summary of what has happened since you last logged into your account, including relevant information such as failed logins, groups or teams you were added to or removed from, updated permissions, etc. It is a global prompt for all users, regardless of their user role.
The prompt is computed by the backend.
Failed logins are important metadata, because they can indicate that an unauthorized individual attempted to log in to your account.
What is the Purpose of Assuming a Temporary User Profile Upon Login?
Assuming a temporary user profile allows you to run the session with lower privileges and view certain functions in the system through the "eyes" of that user. This feature may be intrusive to the users and should never be used unless specifically needed.
In a real scenario, you might use the temporary admin downgrade to interpret compliance.
To learn how to enable this feature from system settings, go to Enable Admin Session Downgrades for a Limited Time.
When you disable admin session downgrades, you will log in directly to your default profile.