How Password Vault syncs between devices when one is turned off after some changes have occurred

TVC15 Posts: 74 Active Engager
edited October 18 in Password Vault

Hello :)

Could you help me to understand this please, if our passwords are not stored online, on your servers, but only in our Total apps, how does it sync when my notebook is offline, but I created a test login site on another PC. I shut that PC down, then start my notebook and it's synced to that device? Is it synced through our account somehow? How does it sync in that regard?

I'm used to password managers that sync through the vendors online server, but since the Vault doesn't store our passwords on your server, how does that work → one device is shut down/off, on the other device a test password site is created, then that PC is shut down so it's not connected to the internet, then the other device is started, and the test password gets synced, how? Where is it between that gap of time and of the PC's being offline?

The links below my question are amazing in the replies given, and it was explained that the sync happens via backend HTTPS, but where is that new password when it's created, then the PC is shut down, then the other one started and it's synced? Is it syncing through my account, even though our personal F-Secure portals do not have a Vault? Is there a backend HTTPS on your servers, that syncs it? Sorry for repeating myself a bit, but I'm just trying to make my question and thoughts clear 😊

During syncing, this same encrypted json structure is sent to the backend via HTTPS, and then other devices get it when they are running, still fully encrypted. So, the password data never gets decrypted during its travel from one device to another. Only the local devices themselves are able to perform the decrypting.

I apologize if I'm missing something so obvious that it may be laughable, but try not to laugh too hard 😊 I'm just used to the online/server password managers, as I've let my 1Password subscription lapse for what I think is a more secure password manager with F-Secure's Password Vault 😊

Here are the threads that are very helpful and informative in understanding the Vault's security and how the Vault (aside from my question) works.

TIA 😊

Accepted Answers

  • Ukko
    Ukko Posts: 3,773 Superuser
    Answer ✓

    Hello,

    Sorry for my input. You mentioned examples of good discussions. I apologize if all your questions have already been resolved.

    sidenote

    What might be interesting to me is how long such an opportunity would last. Let's say two devices. Both are synchronized. Both are turned on. One was then turned off. On the second one, we made a change, clicked the "sync" button (to be sure), turned off the device. What happens if I don't turn on these devices again during the entire subscription period. And, let's say, only on the last day I turn on the first one to receive (or not to receive) the change from the second. If it works after a sufficient period of time (say 11 months and 29 days), then it's interesting. I would think that there should be some limits; but it is also so-so decision.

    Otherwise, If the first device did not sync after that (and then the second device was not turned on again to check whether it was "synchronizing" now - because I would have considered "yes") - then I could understand the design in a rough view.

    *If it does synchronize after almost a year of "offline", then probably everything is a little simpler with the design and it's surely described somewhere (how long the data can be stored for specific operations within the framework of the service provided).

    introductory part

    I'll try to describe my perception on a very basic (non-technical level). I mean, my perception is very basic and non-technical.

    And all possible details or additional things (like “what then”, “why then”, “where then”, "how then" and so on) are the reasons that here and there some bugs appear, problems with the synchronization of some and then specific parts, and so on (which is then discussed in the Community as a sudden trouble). By gradually solving them, they get some know-how and solution design that distinguishes them from the rest. In particular, otherwise everyone would make their own "same" one.

    And although I haven't checked the scenario you described for a long time, but I think that it always corresponded to my style of use - I never kept my devices turned on at the same time OR if I did - the application itself was not unlocked. But we will assume that your experiment reflects the real state of how it works.

    I also think there is a point with expectations. When you are surprised that devices keep synchronizing even when one of them (or even several at once; and there were changes on each) is offline or completely turned off, then you probably assume the presence of some kind of direct p2p (peer-to-peer) design.

    While more closer design is e2e (end-to-end), but more precisely utilising points of client-side encryption.

    main part

    Anyway, I think the design is around so called zero-knowledge (and sometimes "zero-access", which is a bit more ambitious name).

    "They do not store them, but operate them". What from the point of view of “privacy” (?) - everything is stored only on the user side, but from the point of view of the “user in a pensive state” - it is still stored on the 'third-party' side.

    So, you said:

    if our passwords are not stored online

    means: passwords are really stored only locally on user's devices in the form of local 'database'; offline, encrypted, partially protected and access to it (well, its content actually) is possible only by the user. The remark here is that this is only possible for 'anyone' who has access to the device and the masterpassword.

    Alternatively, to the 'localstorage' file itself and knowing the masterpassword/way-to-utilize-localstorage (I haven't checked it in a long time, but I’ve never been able to get the storage to depend on a specific device, which is what I kind of expected (especially for a single instance of password vault); … perhaps, now with F-Secure Total's Password Vault it is done or maybe still not).

    Additionally, if (especially before) it was an installation for one device (F-Secure KEY, for example) without a Premium state (available as Free) - it was just a Password manager with no syncing feature. But still storing "everything" locally, and not on servers somewhere. Which may probably be different for some other password manager solutions (even without syncing functionality).

    Then,

    are not stored on your servers, but only in our Total apps, how does it sync when my notebook is offline

    means: by utilising their servers to transfer 'changes' from one client to another client (belonging to a particular user ID / device ID). At the same time - perhaps saving or recording some kind of metric or queue to avoid confusion and errors.

    When such "changes-for-synchronization" land on the servers, everything proceeds there within the concept of any "best practices" for privacy and other regulations. Physical, logical and other protection of servers (and their location). In other words, access control and so on. It is "impossible" to access user's passwords here; it is difficult to determine the owner of certain data. Carried out an operation → probably removed any information (data) that should no longer be on the server.

    Also, even if temporarily, some parts of your data (which will be encrypted locally beforehand and the like) will be on the server, then all the data on the server is also "encrypted". Formally, even "stolen" information on the server would have to be chewed up, and even more if the received data is again encrypted without a known "key" and method of use. And the main thing is that masterpassword is not stored anywhere.

    So, by creating a "change" (for example, a new entry in your local storage on one of your devices) - this event triggered sync-functionality. Let's say this is a new "database" (encrypted and so on in the form of a certain item). Maybe every time you connect to the F-Secure server (cloud), it checks whether this item is the latest (the most relevant). Thus, each time extending the storage period of the "temporary" instance.

    A slightly more complex design (but one I always imagined). The item sent for synchronization is directly just the "change" itself (new entry or edits). Or there is some diff between what happened a second before and after the change was made. Everything is also "seriously" encrypted. Another client takes this change from cloud. And after unlocking Password Vault locally (or all happened when vault is unlocked), applies the change.

    More realistic take on both: 'localstorage/database' as an item is combined with 'diff'-item with the instructions about changes.

    So, basically, entire design is close to zero knowledge/access type. Just as some email providers can claim that they do not store users' emails or 'more realistic' cannot access user's emails and so on.

    Actually, it is described in F‑Secure ID Protection privacy policy (including where pass­words are stored and what it means).

    // I remember filling out one particular beta report for early versions of F-Secure KEY, from which I only have an answer. Recently, when I re-read it, I was very interested and, I must say, intrigued. Therefore, I would probably clarify with you (or correct) the title of the topic. Because I think If you have your device offline the synchronization between devices will not work.

    I mean, "How Password Vault syncs between devices when one is offline" - no way. In the context that, let's say, two devices are turned on. One is "online" and the other is "offline" (without a network connection). Any changes made on any device should not result in synchronization between them as a real-time event. (Subsequently) - yes..; this is the whole answer above (when the device returns to online state).

    So, basically the question is "How Password Vault syncs between devices when one is turned off after some changes have occurred on it".

  • JOnes
    JOnes Posts: 717 Forum Champion
    Answer ✓

    "

    A Password Vault typically synchronizes passwords and other stored data between devices using cloud-based storage. Here's how the sync process usually works when one device is turned off after changes have been made on it:

    1. Local Changes on the Device (Before It's Turned Off)

    • When you make changes (such as adding, updating, or deleting a password) on one device, these changes are stored locally on that device's vault.
    • The vault is then set to sync with a remote cloud server. If the device has an active internet connection, these changes are usually uploaded to the cloud server immediately.

    2. Device Is Turned Off Before Syncing

    • If the device is turned off before changes are synced to the cloud (e.g., if it loses an internet connection or is shut down), those local changes remain stored in the vault on that device.
    • The unsynced changes are not yet available to other devices because they haven't been uploaded to the cloud server.

    3. Cloud-Based Sync

    • The cloud server acts as the "central" version of your vault. When changes occur on any device, they are uploaded to the server (as long as there is an internet connection), and the vault on other devices syncs by downloading the latest version from the cloud.
    • Since the device that was turned off did not upload its changes, the cloud still holds the last known version, without the latest changes made on the now-offline device.

    4. Other Devices Sync to Cloud

    • Other devices that are turned on and connected to the internet will continue to sync with the cloud. However, they will not receive the changes made on the turned-off device, as those changes were not uploaded to the cloud.

    5. Turning the Offline Device Back On

    • When the previously turned-off device is turned back on and reconnected to the internet, it will upload its local changes to the cloud.
    • The cloud server will update with the most recent data from that device, and all other devices connected to the same vault will sync with the new changes from the cloud.

    Handling Conflicts

    • If any conflicts occur (e.g., if passwords were changed on another device while the first device was offline), many password vaults have built-in conflict resolution systems:
      • Automatic resolution: The latest change may overwrite the older one, or the vault may merge changes if possible.
      • Manual resolution: The vault may prompt you to choose which version of the data (from which device) should be kept.

    Common Vault Sync Methods:

    • End-to-end encryption: Most password vaults encrypt data locally before it is uploaded to the cloud, ensuring that only encrypted data is transmitted and stored.
    • Periodic sync: Vaults will periodically check for updates from the cloud and apply changes across all devices automatically.

    In summary, the sync occurs only when the device with local changes is online and connected to the cloud server. If the device is turned off before syncing, the other devices won’t reflect those changes until the offline device reconnects and uploads its data.

    "
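The scenario from the question and the accepted answers (one device uploads an encrypted item and shuts down, the other pulls it later), as an added example that is not F-Secure's code and not part of any post. All names (`RelayServer`, `Device`, `seal`, `open_blob`) are hypothetical, and the HMAC-SHA256 counter-mode keystream with encrypt-then-MAC is a standard-library stand-in for an AEAD cipher, since the thread does not say which cipher the product uses.

```python
import hashlib, hmac, json, os

def derive_keys(master_password, salt):
    # The master password never leaves the device; only keys derived from it are used.
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]  # (encryption key, MAC key)

def _keystream(key, nonce, n):
    # Stand-in stream cipher (assumption): HMAC-SHA256 as a PRF in counter mode.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(vault, master_password):
    """Encrypt the JSON vault locally; the result is what gets uploaded."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    pt = json.dumps(vault, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    body = salt + nonce + ct
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_blob(blob, master_password):
    """Verify the tag, then decrypt; only a device holding the password can do this."""
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ct = body[:16], body[16:32], body[32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong master password or tampered blob")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))))

class RelayServer:
    """Store-and-forward backend: holds the newest opaque blob per account."""
    def __init__(self):
        self.blobs = {}  # account_id -> (version, blob)
    def push(self, account_id, version, blob):
        if version <= self.blobs.get(account_id, (0, b""))[0]:
            return False  # stale upload: the client has to pull first
        self.blobs[account_id] = (version, blob)
        return True
    def pull(self, account_id):
        return self.blobs.get(account_id)

class Device:
    def __init__(self, account_id, master_password):
        self.account_id, self._pw = account_id, master_password
        self.version, self.vault = 0, {}
    def add_entry(self, site, password, server):
        self.vault[site] = password
        self.version += 1
        return server.push(self.account_id, self.version, seal(self.vault, self._pw))
    def sync(self, server):
        item = server.pull(self.account_id)
        if item and item[0] > self.version:
            self.version, self.vault = item[0], open_blob(item[1], self._pw)
        return self.vault

def demo():
    server = RelayServer()
    notebook = Device("acct-1", "correct horse battery")  # powered off for now
    pc = Device("acct-1", "correct horse battery")
    pc.add_entry("test-login.example", "s3cret!", server)  # constructed sample entry
    del pc                                                 # the PC is shut down
    stored = server.pull("acct-1")[1]                      # what sits on the server
    return notebook.sync(server), stored                   # notebook starts up later

if __name__ == "__main__":
    print(demo()[0])
```

Between the PC shutting down and the notebook starting, the change exists only as the blob held by `RelayServer`, which is unreadable without the master password.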

Answers

  • TVC15
    TVC15 Posts: 74 Active Engager
    edited October 18

    @Ukko thank you for your post, and very helpful information :) :)

    "Then, are not stored on your servers, but only in our Total apps, how does it sync when my notebook is offline"

    means: by utilising their servers to transfer 'changes' from one client to another client (belonging to a particular user ID / device ID). At the same time - perhaps saving or recording some kind of metric or queue to avoid confusion and errors.

    When such "changes-for-synchronization" land on the servers, everything proceeds there within the concept of any "best practices" for privacy and other regulations. Physical, logical and other protection of servers (and their location). In other words, access control and so on. It is "impossible" to access user's passwords here; it is difficult to determine the owner of certain data. Carried out an operation → probably removed any information (data) that should no longer be on the server.

    I also agree with your last comment, and changed my thread title accordingly :)

    @JOnes You did an amazing job as well, you answered my question pretty much with the 1st couple of examples, the rest was bonus follow-up information :) :)

    My takeaway from your posts. So yes, our vaults do use an F-Secure server to sync. It is all encrypted and secure and uses our ID/device ID to sync and uses end to end encryption. And yes, they do reside on a server to be able to sync the devices when and how as needed. They are not in a usable, editable etc. app form like 1Password website/online, but they do reside on a server, maybe and sounds like temporarily (limited amount of time?), as the installed apps are still the foundation of our password storage and then will resync and refresh on the server.

    I appreciate the above and beyond replies from both of you, in helping me to understand this. I was used to Bitdefender Wallet before it was discontinued, which was only Windows based, that was included in the app (like Password Vault is in Total) and only synced to the supported browsers, free from any Bitdefender server, just totally between the client app and the browser extension. There was no server or server backup involved, you needed to create a manual backup, just in case.

    When the Wallet was discontinued, I used a desktop app, online password manager, 1Password which the passwords do reside on their servers (like Bitwarden, LastPass etc). So to me, Password Vault seemed to be in-between those two types of technologies, and just need better understanding and clarity of how it worked with F-Secure's Vault.

    Thank you both very much for the replies, as well as the wonderful job you do on this forum 😊😊

    edit:sp

  • Ukko
    Ukko Posts: 3,773 Superuser

    Overall a great discussion :)

    and sorry for my 'spam' comment again

    My takeaway from your posts. 

    I don't know for sure about other password managers (I've never used any of them, it seems), but I think that most are striving for something similar to F-Secure KEY/IDP/Password Vault design. Or even F-Secure solution just followed those 'common' standards.

    The difficulty begins when users want (or it is simply required) access through the browser via web-resource; which can probably still be made relatively similarly "secure" by using additional keys and such; and, most likely, is also what many companies do (and, in particular, some file sharing or email services).

    or when for economy and simplification everything is stored in the 'cloud' (there access to the content of "filestorage" / "database" is only possible with a network connection through some interface; in this case, it would be a "certain" storage with passwords somewhere on the server, not on the user's system. In essence, it will be like using a regular website where you can enter or use the information entered there. Probably such solutions will not add any kind of autofill capability - however this maybe still possible via installed application and then browser extension on top of it; but just password managers with the ability to copy them and be an accessible "storage" on all devices).

    // I would not say that it would be less reliable in a particular case. Since, for sure, business solutions implement something similar. And I even think that WithSecure has some variation of Password Vault with the ability to access through a web interface.

    The way I understand it - for example, in solutions like F-Secure Password Vault, from a "simple" point of view - passwords (well, data) are also stored on the server. However, probably from a more objective point of view, it is not exactly “passwords” that are stored, but only a certain item (within which there may be another item, which is also stored on the user's systems, and within which passwords are really stored). Thus, a relatively useless "bogus" lump of something is stored on the server; for anyone else (including provider), but only the user (or someone with exactly the same capabilities) can find a use for them. It makes difference. Since it's not like passwords are stored, or passwords are stored in encrypted form. In a sense, they are not stored at all. Which would not be a completely correct statement and therefore Privacy Policies writes as is. They ('passwords' or 'data') are also stored on F-Secure servers, not just locally on the user's devices. And the important piece in the form of master-password is locally stored (or even not stored in any form at all, which is more likely or accurate wording). By the way, it would be nice to make the master-password very strong.

    Same for the F-Secure IDP (F‑Secure ID Protection privacy policy | F‑Secure) and for the up-to-date F-Secure Total's Password Vault (F‑Secure Total privacy notice | F‑Secure).

    I am not entirely sure that the design of F-Secure Password Vault is a plain e2e concept, but.. I also think there will be very small number of well-known password manager providers that don't use end-to-end encryption. However, this approach is not enough (in my understanding). Perhaps client-side encryption is closer to how it works in the F-Secure approach.

    About your mentioned experience with the Wallet. Looks like it indeed was a real wallet. Just like, say, browsers' built-in wallet. Sounds that it was not possible to sync "content" between different devices (and only to use it for current system via a browser extension). I think that this completely (or at least this part) corresponds to the capabilities of F-Secure KEY in Free form. Just a place, where you can store "passwords" (mainly) and via extension to use it for autofill/autologin feature. No servers (no, they were still used, but not for storing (temporarily) local storage), stored locally and communication directly between application and extension. In this basic view - F-Secure IDP and F-Secure Total's Password Vault are the same. Just they are, mostly, always 'premium' with this paid feature of synchronisation.

    // Of course, the most important thing is to trust the provider. To the company whose solution you decided to choose. Since, in principle, all the security of such things as password managers is very conditional. Again, this could be either a "deliberate" nasty thing on the part of the company, or it could also be a "malicious" campaign within the company. For instance, changes or hacks could be made that would "remove" all the reliability and protection that existed. Also, some bugs…

    So, for example I like to use F-Secure solutions because at times I feel that they do this with some common sense. And let's say there are some standards for how long to store data, what to store, and so on. Including a more serious approach to things like privacy/legality than some companies (at least in theory). In general, I can only think of a couple or three cyber security companies that I would trust or consider reliable. Most likely, even only two (if you include password managers in this matter).

    Anyway, using something with some kind of safety net is very good pattern. And don't use "extra" stuff that you don't need.

    Thanks!
