mSecure is secure by design. Learn how we encrypt your data and safeguard your information.
A good security system should be an open book. That is, as a security provider, we should be able to provide anyone with the details of how we store and encrypt our user’s data, and the system still remains secure. The reason is if the information we have would allow us to somehow access your data, it would mean that someone would eventually figure out how it was engineered, which would enable them to gain access to your data. Instead, we architected the system so even we have no way to access your data.
Many people often are concerned (and rightly so) that if big companies have security breaches, how can mSeven be any different. The fact is, the problem we are solving is very different than the problem other typical websites face. Most websites need to have access to the information in your account. For example, when you make a purchase with an online retailer, they need to know your credit card information in order to charge you. When you use your bank, they need to know how much money you have in your accounts and what transactions you’ve made.
With mSecure, we don’t need to ever have access to any of your information. Instead, we just need to store it away for you and provide with the secure means to retrieve it. The way our cloud storage system works is when you sign up for an account, we generate an extremely secure password on your behalf locally on the device. We call this password an account key. This password is 46 characters in length and includes both letters and symbols.
Let’s first talk about what a 46 character length password means. If a hacker were to somehow get a hold of our cloud database, and, for the sake of this example, they had access to a million dollar computer system that can process 360 billion different passwords a second, it would take approximately 1.5 * 10^49 years to get through all of the password combinations for one account. That is, it would take 150,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years. To put this into a bit of perspective, it’s generally accepted that the universe is 13,800,000,000 years old.
However, the super computer would not need to go through all of the possible password combinations. On average, it would find any given password in half that time. It might find your password a bit sooner or a bit later, but the odds of it finding your password within the next billion years is extremely low, and you’d have to be pretty unlucky for even that to happen.
So how does the system work then? As mentioned, when you first sign up for an account in mSecure 5 or sign in to an mSecure account for the first time in mSecure 5, mSecure 5 on your device generates a super secure password mentioned above that we call an “Account Key.” We then take a known piece of text (it doesn’t really matter what the text is, but it happens to be a copyright notice) and encrypt it with your account key. The encrypted text is then stored in your mSecure account.
To be clear, this is not the account key itself; it’s a known piece of text that has been encrypted with the account key. We then encrypt the account key with your account password – the password you use to unlock the app – and store it in the mSecure database locally on your device. We then send you an “mSecure Authentication” email that contains your encrypted account key, which is required to authenticate you as the owner of your account.
Your account key is not stored in our system.
When you log into mSecure on your device, it reads the encrypted account key out of your local database and decrypts it with your account password. This is why you don’t need to use the QR code each time you launch mSecure. When you want to install and use mSecure on a new device, we require you to sign in with your email and account password then ask you for the QR code. mSecure reads in the encrypted account key from the QR code, decrypts the data in the code with your account password then downloads the known piece of text mentioned earlier from your mSecure account.
Once the known piece of text is downloaded, mSecure attempts to decrypt it with the account key, and, if the decryption is successful, downloads the rest of your data that is also encrypted with your account key from your sync method of choice. After the data is downloaded using your sync method of choice, it can now be decrypted with the account key locally on your device.
To be sure, keeping your data secure is a complex process, but the most important point is this: Your information is never in a readable/decrypted state outside of the mSecure app running locally on your device.