One-click Auto Logon
Zoho Vault provides the option to launch a direct connection to your web applications with a single click from the GUI.
How does One-click Auto Logon Work?
One-click auto logon is achieved by installing the Zoho Vault bookmarklet (in the form of a 'Click-to-login' button) in the browser bookmark toolbar. Browsers allow users to create bookmarks for URLs. A browser bookmark typically contains a static URL, and clicking the bookmark opens that URL. A bookmarklet is similar to a browser bookmark, but it additionally contains a small, unobtrusive script. Clicking the bookmarklet not only opens the URL but also executes the script, which can perform a few tasks on the opened page. A bookmarklet is thus a secure mechanism for bringing dynamic behaviour to browser bookmarks.
As explained above, users install the 'Click-to-login' button on their browser bookmark toolbar; this is a one-time configuration. After installing the button, to log in to any website you first click the required secret on this page or the 'Auto Logon' icon of the respective secret on the 'Secrets' page. This opens a browser window, in which you press the 'Click-to-login' button installed on the browser bookmark toolbar. Zoho Vault then automatically fills in the username and password and logs you into the website or application without requiring you to copy and paste the password.
Security Aspects Behind One-click Auto Logon
The 'Click-to-login' button is specific to the user. Internally, it contains details about the user in the form of a 'bookmarklet key', which is fully encrypted. Under host-proof hosting, the browser holds the SHA-256 hash of the user's passphrase. The user-specific bookmarklet key for one-click auto logon is generated by subjecting that hashed passphrase to one more round of SHA-256 hashing.
When the user initiates auto logon from the Zoho Vault GUI, the secrets of that web application are first decrypted in the browser using the passphrase. The secrets are then re-encrypted using the 'bookmarklet key' that the user installed in the form of the 'Click-to-login' button. The encrypted values are sent to the Zoho Vault server, which keeps them in temporary memory for a brief period of 100 seconds. After 100 seconds the values are cleared, and the user has to click the button again.
Subsequently, when the user clicks the 'Click-to-login' button installed on the browser bookmark toolbar, the encrypted values temporarily stored on the server are retrieved and decrypted using the bookmarklet key. While this happens in the background, Zoho Vault opens a browser window, opens the URL of the web application and auto-fills the user name and password to log in.
As a best practice, users can regenerate the 'Click-to-login' button periodically and replace the old buttons, since this creates new bookmarklet keys.
As in all other cases, complete data privacy is ensured in the one-click auto logon scenario as well. No one but you, Zoho included, will ever get access to the data.