Commit 2d414a47 authored by butlerm's avatar butlerm

chore(copy from word)

parent a38eff35
+89 −25


<div align="center">

**ETSI EN LLL-LLL DDD Vm.t.e (yyyy-mm)**
ETSI EN 304-618 V0.0.1 (2025-08)
</div>

![~~CAPTION~~](media/etsi-coverpage-logo.png)
HARMONISED EUROPEAN STANDARD  

<div align="center">


Title;<br />

Part #: Part element of title;<br />

Sub-part #: Sub-part element of title<br />

Release #
CYBER; CRA; <br />
Essential cybersecurity requirements for password managers 

</div>

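Review bot: the cover page still carries the template placeholders next to the filled-in values: `**ETSI EN LLL-LLL DDD Vm.t.e (yyyy-mm)**` sits directly above `ETSI EN 304-618 V0.0.1 (2025-08)`, and `Title;<br />`, `Part #: Part element of title;<br />`, `Sub-part #: Sub-part element of title<br />` and `Release #` remain above `CYBER; CRA;` and `Essential cybersecurity requirements for password managers`. Drop the placeholder lines so the rendered cover shows only the real identifier and title. The logo image alt text is the literal `~~CAPTION~~`, which Markdown renders as struck-through text when the image is missing; replace it with descriptive alt text (e.g. "ETSI logo").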
@@ -23,7 +19,6 @@ Release #
<br />
<br />

_Should you need a step-by-step guide for drafting an ETSI deliverable, please consult the "_ [_Principles for Drafting ETSI Deliverables_ ](_Principles for Drafting ETSI Deliverables_ )_" document. Otherwise you may contact us at_ [_edithelp@etsi.org_ ](mailto:edithelp@etsi.org).


<br />
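Review bot: the drafting-help paragraph is template guidance for editors, not content of the deliverable, and its link is broken: in `[_Principles for Drafting ETSI Deliverables_ ](_Principles for Drafting ETSI Deliverables_ )` the link target is the link text itself rather than a URL, so it renders as a dead link. Either remove the paragraph entirely or point the link at the actual document.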
@@ -146,14 +141,27 @@ In the present document "**should** ", "**should not** ", "**may** ", "**need no


# Introduction
This European harmonised standard defines cybersecurity requirements applicable to password managers.

This document will provide security requirements and assessment criteria covering all elements defined in CRA Annex I Part 1 and Part 2 for password managers for ICT common use, as mentioned in CRA Annex III Class I important products.
This work item intends to produce an EN as candidate for harmonisation, under the standardisation request in support of the implementation of the CRA (M/606).


<br />


# 1 Scope
The present document ...
This standard focuses on password managers. These are designed to securely store and retrieve passwords, locally on a device or on a remote server, with a view to facilitate password management. 

## 1.1	Password managers 

Password managers can be built on top of secret managers and function as a comprehensive management service. 

When a password manager includes password rotation it transcends being just a storage tool and becomes an active service that proactively manages credentials over time, this makes it a management service rather than simply a storage tool. 

## 1.2	What is a password 

Passwords are typically associated with user accounts and are a form of secret that users know and use to authenticate themselves to a system. They play a role in secure authentication and access control and verify a user's identity or authorisation to access a system or resource. They are integrated into applications, systems and services to verify user identity during login processes. The activity of using a password is the entering of this secret information at authentication points to gain authorised access to protected information. 

# 2 References

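Review bot: clause 1 still opens with the template placeholder `The present document ...` immediately followed by the real scope sentence; remove the placeholder, or fold the scope statement into it, since ETSI scope clauses conventionally start with "The present document". The Introduction is written in future tense (`This document will provide security requirements ...`), which should be present tense in the published text. In 1.1 the final sentence states its conclusion twice (`... proactively manages credentials over time, this makes it a management service rather than simply a storage tool`); trim the trailing clause. Minor: the `## 1.1` and `## 1.2` headings use a tab between number and title while `# 1 Scope` uses a space.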
@@ -183,17 +191,79 @@ For the purposes of the present document, the [following] terms [given in ... an
## 3.2 Symbols
For the purposes of the present document, the [following] symbols [given in ... and the following] apply:

Password managers: products with digital elements designed to store passwords, locally on a device or on a remote server, with a view to facilitate password management, including activities such as generation of passwords as well as password sharing and integration with local or third-party applications for usage of passwords. This category includes but is not limited to local password managers, browser-based password managers, enterprise password managers as well as hardware-based password managers.

Likelihood: The probability or frequency of a threat event occurring. This is influenced by various likelihood factors.

Impact: The magnitude of harm if a threat event materialises. This is determined by various impact factors.

Intended purpose: [to be defined]

Operational environment/categories of users: [to be defined]

Reasonably foreseeable use: [to be defined]



## 3.3 Abbreviations

For the purposes of the present document, the [following] abbreviations [given in ... and the following] apply:

LPM: Local Password Managers

BBPM: Browser-Based Password Managers

EPM: Enterprise Password Managers

HBP: Hardware-Based Password Managers

TPM: Trusted Platform Module

API: Application Programming Interface

# 4	Compliant Products
## 4.1	Password Manager
A password manager is a product with digital elements designed to store passwords, locally on a device or on a remote server, with a view to facilitate password management, including activities such as generation of passwords as well as password sharing and integration with local or third-party applications for usage of passwords.
### 4.1.1	In-Scope components
The following components are within the product boundary of the standard:
- [to be defined]
- Standalone apps, OTP service, local storage, team management, CI/CD secrets, browser extension
- Service, application, product
- Other identity provider services

### 4.1.2	Out-of-scope components
The following are considered outside the product boundary but may be security-relevant environmental components:
- [to be defined]
- Secure element in and of itself is not a password manager
- Secrets, API keys, Passwords relate to the authentication of a user with a “password”
    - Keys are NOT passwords, but they can help us understand. 
- Generating one-time-passwords (just a token, valid only once, two-factor) is different as opposed to static password

# 5 Representative Use Cases
## 5.1 Purpose and Rationale
In accordance with the proportionality principle mandated by the CRA, this clause defines representative use cases for password managers. These use cases illustrate typical deployment contexts that influence the selection and applicability of security requirements.
Each use case is associated with a general risk level, derived directly from the application of the risk assessment methodology detailed in Annex A. This risk management level serves as a foundational element for determining the stringency of security requirements. While these use cases are representative, specific deployment scenarios will necessitate a more granular and detailed risk assessment, also guided by Annex A.

## 5.2 Use Cases for Password Managers
UC-PM1: Passwords managers on edge device for isolated, non-critical functions
- Description: 
- Example environments: 
- Risk level: (see Annex ??)

UC-PM2: Enterprise private cloud password managers
- Description: 
- Example environments: 
- Risk level: (see Annex ??)

# 4 User defined clause(s) from here onwards
UC-PM3: Cloud password managers in multi-tenant IaaS
- Description: 
- Example environments: 
- Risk level: (see Annex ??)

## 4.1 User defined subdivisions of clause(s) from here onwards
UC-PM4: Operating system “keychain” type managers
- Description: 
- Example environments: 
- Risk level: (see Annex ??)

<br />

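Review bot: the clause structure breaks in the middle of the use cases: after `# 4 Compliant Products` and `# 5 Representative Use Cases`, the template headings `# 4 User defined clause(s) from here onwards` and `## 4.1 User defined subdivisions of clause(s) from here onwards` reappear between UC-PM2 and UC-PM3, so UC-PM3 and UC-PM4 land under a second clause 4 instead of 5.2; delete both template headings. Further points in this region: clause 3.2 is titled Symbols but contains term definitions (Password managers, Likelihood, Impact, ...) that belong under 3.1 Terms, and its lead sentence still has the unresolved template brackets `[following] symbols [given in ... and the following]`; the password-manager definition is repeated near-verbatim in clause 1, 3.2 and 4.1 and should be stated once in clause 3 and referenced elsewhere; the abbreviation `HBP: Hardware-Based Password Managers` does not follow the LPM/BBPM/EPM pattern (HBPM expected); the 4.1.1 and 4.1.2 lists keep the `- [to be defined]` placeholder beside real entries and mix scoping decisions with drafting notes (`Keys are NOT passwords, but they can help us understand.`); and every use case has empty `Description:` and `Example environments:` fields and `Risk level: (see Annex ??)`, although 5.1 says the level is derived from Annex A.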
@@ -233,14 +303,8 @@ For the purposes of the present document, the [following] abbreviations [given i

# History

+-------------------------------------------------+
|Document History                                 |
+:==============+:==============+:================+
| Version      | Date         | Milestone      |
+---------------+---------------+-----------------+
|--------------|--------------|---------------|
| <Month year> | <#>          | <Changes made>|
+---------------+---------------+-----------------+
|              |              |               |
+---------------+---------------+-----------------+
|              |              |               |
+---------------+---------------+-----------------+
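Review bot: the Document History table mixes two table syntaxes and its placeholder row does not match its header. The `+----+` borders and the `+:====+` line are grid-table syntax, while `|--------------|--------------|---------------|` is a pipe-table header separator; combined like this most Markdown renderers will not produce a table at all. The header reads `Version | Date | Milestone` but the placeholder row is `<Month year> | <#> | <Changes made>`, placing the date under Version and the number under Date. Rewrite it as a plain pipe table with a single `|---|---|---|` separator and the columns in a consistent order, filling the first row with the V0.0.1 / 2025-08 values from the cover page.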