Does ID Protection send my passwords over the Internet when I synchronize two devices?
 
I use ID Protection on my computer and I want to use it on my phone too. I can see the synchronize option which requires me to type a code from one device (where IDP is installed) to another.
What will happen then?
Does it mean that all my passwords stored within the IDP vault will be transferred via the Internet? Are the passwords still encrypted both at rest and in transit? Can I synchronize the devices by using Bluetooth instead of the Internet?
Frankly speaking, I don't like the idea that my passwords will be sent via the Internet. In all materials about ID Protection you emphasize that passwords are stored only on the user's device, and none of the materials explains how the passwords are transferred (i.e. synchronized) between devices.
Accepted Answer
- 
Hi @JoannaPL

1. How strong encryption is applied to the json file?

We have no way of decrypting any information that you have saved in the app. Anyone using F-Secure ID PROTECTION is anonymous to F-Secure, so we have no way of identifying an individual user's data. We never see any of your information at any stage, and therefore we can't decrypt it or hand it over to a third party.

This level of privacy is enabled by the Advanced Encryption Standard (AES) with the 256-bit block cipher that we use in the product. Alongside AES-256, we also use a block cipher mode of operation called CCM mode (Counter with CBC-MAC). This is an authenticated encryption algorithm that provides both authentication and confidentiality. Both the choice of encryption and safeguarding anonymity have been conscious decisions made to improve the security of the product and protect the privacy of our customers.

The F-Secure ID PROTECTION servers are owned and operated by F-Secure within the European Union in compliance with Finnish law and applicable EU rules.

https://help.f-secure.com/product.html#home/id-protection/latest/en/id_80975-id-protection-latest-en

2. How securely the password (symmetric key) is distributed across the devices where the ID Protection is installed? And does it get stored anywhere in the F-Secure tenants in the cloud?

The data stored in the app is encrypted and decrypted only on your own device. Every time you enter your ID PROTECTION master password, this password adds another layer of encryption, as it is used to generate an encryption key that descrambles your encrypted ID PROTECTION data. This process is carried out by using the PBKDF2 (Password-Based Key Derivation Function 2) standard, which adds a salt (random data) value to the password, and hashes the resulting data with the HMAC-SHA256 function. This process gets repeated 20,000 times. Your master password and the master encryption key are never stored anywhere.

The encryption keys exist only when you use the product. When you turn off F-Secure ID PROTECTION, the encryption key is destroyed. We have no way of decrypting any information that you have saved in F-Secure ID PROTECTION. This level of security also means that there is no way for F-Secure to recover your password or data for you if you forget the master password. Furthermore, F-Secure does not track you when you synchronize your data across devices.

Thank you and stay safe.

Firmy
 Community Manager | F-Secure Community
 🔐 Strengthening digital security through knowledge and collaboration
 🌐 Explore our User Guides | Knowledge Base for self-help resources
 💻 Empower yourself with Cybersecurity Insights and protect what matters
Answers
- 
Hi @JoannaPL

Thank you for your post.

With ID PROTECTION, all the data is encrypted, and the only way to access it is with your master password. Not even F-Secure can access your data. Furthermore, the service is anonymous, which means that there is no way for anyone else to link you to your data. There is no web browser access to your data, so nobody can access it without stealing your device first.

F-Secure ID PROTECTION stores your personal data, such as usernames, passwords, and credit card details on the computer or mobile device you use to run the app. You can sync your passwords across your devices. For security reasons, we do not provide access to the passwords through F-Secure servers.

We recommend that you sync your passwords with another device running the ID PROTECTION app, just in case you lose or break your device. No matter what happens to one of your devices, sync ensures that you will always have access to your passwords on the other devices.

Keep your passwords safe with Vault | ID PROTECTION | Latest | F-Secure User Guides

However, you are not able to sync your vault/passwords by using Bluetooth because ID PROTECTION is using a unique generated code from the app to sync the password between devices.

Syncing your Vault data with other devices | ID PROTECTION | Latest | F-Secure User Guides

Thank you and stay safe.

Firmy
- 
Dear Firmy,

As far as I understand, the question is about how the synchronization takes place. If the devices cannot be synchronized through Bluetooth, then the only way the sync can happen is THROUGH the Internet (not TO the Internet). If so, can you tell whether there's another level of encryption within TLS/HTTPS, which obviously must take place over the Internet? For instance, I can see that my ID Protection connects to the F-Secure AWS tenant. So what's the purpose of such a connection in the synchronization process?

Looking forward to your feedback on that, thank you.
- 
Hi @ThePaszczak

We use TLS/SSL to protect your information during the entire data transfer process. The password is kept in a JSON structure which is always in encrypted form, even on the user's local computer. The user's Master Password is the key that is needed for decrypting the JSON data when the app needs to show it to a user.

During syncing, this same encrypted JSON structure is sent to the backend via HTTPS, and then other devices get it when they are running, still fully encrypted. So, the password data never gets decrypted during its travel from one device to another. Only the local devices themselves are able to perform the decrypting.

Thank you and stay safe.

Firmy
- 
Thanks Firmy, your second answer explains a little bit more. However, I have further doubts. From what you wrote I understand that F-Secure uses symmetric encryption while syncing data between the vault on one device with the vault on another. Therefore, I would like to know:

1. How strong encryption is applied to the json file?
2. How securely the password (symmetric key) is distributed across the devices where the ID Protection is installed? And does it get stored anywhere in the F-Secure tenants in the cloud?
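The scheme described in the accepted answer and in the HTTPS sync reply (PBKDF2-HMAC-SHA256 with 20,000 iterations producing a key for AES-256 in CCM mode, with only the encrypted JSON leaving the device) can be reproduced with Node.js built-ins. This is an added example, not F-Secure's code: the blob layout, the salt, nonce and tag sizes, the function names and the sample vault are assumptions.

```javascript
// Added illustration; not F-Secure code. Blob layout and sizes are assumptions.
const crypto = require('node:crypto');

const ITERATIONS = 20000; // iteration count stated in the accepted answer
const KEY_LEN = 32;       // 256-bit AES key
const TAG_LEN = 16;       // CCM authentication tag length (assumed)

// PBKDF2-HMAC-SHA256: master password + random salt -> vault key.
function deriveKey(masterPassword, salt) {
  return crypto.pbkdf2Sync(masterPassword, salt, ITERATIONS, KEY_LEN, 'sha256');
}

// Encrypt the vault JSON on the device. Only salt, nonce, tag and ciphertext
// leave it; the master password and derived key never do.
function sealVault(vault, masterPassword) {
  const salt = crypto.randomBytes(16);  // assumed salt size
  const nonce = crypto.randomBytes(12); // CCM accepts 7..13 byte nonces
  const cipher = crypto.createCipheriv('aes-256-ccm', deriveKey(masterPassword, salt),
    nonce, { authTagLength: TAG_LEN });
  const ct = Buffer.concat([cipher.update(JSON.stringify(vault), 'utf8'), cipher.final()]);
  return { salt, nonce, tag: cipher.getAuthTag(), ct };
}

// Decrypt on the receiving device. Returns null when the password is wrong
// or the blob was modified in transit or while stored on the backend.
function openVault(blob, masterPassword) {
  const decipher = crypto.createDecipheriv('aes-256-ccm',
    deriveKey(masterPassword, blob.salt), blob.nonce, { authTagLength: TAG_LEN });
  decipher.setAuthTag(blob.tag);
  try {
    const pt = Buffer.concat([decipher.update(blob.ct), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch {
    return null; // CBC-MAC check failed: nothing is released to the caller
  }
}

// Constructed sample data.
const vault = { entries: [{ site: 'example.test', user: 'joanna', password: 's3cret-sample' }] };
const blob = sealVault(vault, 'correct horse battery staple'); // device A
const tampered = { ...blob, ct: Buffer.from(blob.ct) };        // copy a relay could alter
tampered.ct[0] ^= 0x01;

console.log(openVault(blob, 'correct horse battery staple'));     // device B, same password
console.log(openVault(blob, 'wrong password'));                   // wrong key
console.log(openVault(tampered, 'correct horse battery staple')); // modified ciphertext
```

The backend in this model only ever holds `blob`; without the master password it can neither read the entries nor change them without the tag check failing on the receiving device.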

