End-to-End Encryption of passwords

End-to-end encryption (E2EE) of user passwords ensures uninterrupted protection from the web browser all the way to Airlock IAM. Passwords entered by the user into the Airlock IAM Loginapp are encrypted directly in the browser using JavaScript and only decrypted at the endpoint where the password is verified (or otherwise used). The E2EE feature can be used, e.g., to comply with certain regulations in the banking sector.

  • E2EE of passwords is independent of the SSL/TLS encrypted client-server communication.
  • E2EE guarantees a higher level of security than traditional client-server communication, where the data is typically only encrypted on the transport layer and only up to the first TLS-terminating component (typically Airlock Gateway).
  • In addition to the standard Java Keystore plugin, Airlock IAM also supports hardware-based encryption using an HSM device with an HSM Keystore plugin. See HSM encryption support for passwords.
E2EE_simplified

The E2EE feature is designed for web browsers with JavaScript support, but can also be used with any other type of HTTP client as long as the client can compute the required encryption.

E2EE password encryption can be configured in Airlock IAM for any step that requires the end-user to enter a password.

  • For example in:
  • Authentication flows: password check, mandatory and voluntary password change.
  • Public self-services: password reset.
  • Self-registration flows: when setting an initial password.
  • Protected self-services: voluntary password change.

The E2EE configuration is basically the same for all the above use cases.