@@ -200,6 +200,27 @@ For the purposes of the present document, the [following] terms [given in ... an
Password Manager: Products with digital elements that store passwords, locally on a device or on a remote server, with a view to facilitate password management, including activities such as generation of passwords as well as password sharing and integration with local or third-party applications for usage of passwords.
Password Manager: Products with digital elements that store passwords, locally on a device or on a remote server, with a view to facilitate password management, including activities such as generation of passwords as well as password sharing and integration with local or third-party applications for usage of passwords.
This category includes but is not limited to local password managers, password managers provided as browser extensions, enterprise password managers as well as hardware-based password managers.
This category includes but is not limited to local password managers, password managers provided as browser extensions, enterprise password managers as well as hardware-based password managers.
Password is a type of Secret
Password management
Generation of Password
Usage of Password
Local password manager
Browser extension PM
Personal PM
Enterprise PM
Hardware PM
OS-based PM
We are not talking about biometrics (that's IAM), really we mean the "proper password management service layer"
Others?
- Passkeys are a different authentication mechanism beyond a username/password
- Properties of the "authentication service" are similar enough
- This is a class 1 product, so that manufacturers have the opportunity to achieve the presumption of conformity - that standard doesn't care what is stored as long as it is stored securely
-
## 3.2 Symbols
## 3.2 Symbols
For the purposes of the present document, the [following] symbols [given in ... and the following] apply:
For the purposes of the present document, the [following] symbols [given in ... and the following] apply:
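Review bot: The scope question raised in the notes after the definition is left unresolved: "Passkeys are a different authentication mechanism beyond a username/password" and "Properties of the 'authentication service' are similar enough" point in opposite directions, so the Password Manager definition should say explicitly whether products that store passkeys or other non-password secrets are in scope, particularly since the class 1 bullet argues the standard "doesn't care what is stored as long as it is stored securely". The entries "Password is a type of Secret", "Password management", "Generation of Password", "Usage of Password" and the PM variants (local, browser extension, personal, enterprise, hardware, OS-based) are listed under terms but carry no definitions; either give each one a "Term: definition" entry in the same form as Password Manager or move them out of the terms clause. The "Others?" line, the trailing empty "-" bullet and the "We are not talking about biometrics" remark are drafting notes that should not survive into the document text, and the "[following] ... [given in ... and the following]" template brackets in the introductory sentence still need to be resolved.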
@@ -258,7 +279,58 @@ In accordance with the proportionality principle mandated by the CRA, this claus
Each use case is associated with a general risk level, derived directly from the application of the risk assessment methodology detailed in Annex A. This risk management level serves as a foundational element for determining the stringency of security requirements. While these use cases are representative, specific deployment scenarios will necessitate a more granular and detailed risk assessment, also guided by Annex A.
Each use case is associated with a general risk level, derived directly from the application of the risk assessment methodology detailed in Annex A. This risk management level serves as a foundational element for determining the stringency of security requirements. While these use cases are representative, specific deployment scenarios will necessitate a more granular and detailed risk assessment, also guided by Annex A.
## 5.2 Use Cases for Password Managers
## 5.2 Use Cases for Password Managers
UC-PM1: Passwords managers on edge device for isolated, non-critical functions
every password manager in existence (the entire class)
- Description
- Example environments:
Note: How you integrate a password manager whether standalone, in a browser, as a browser extension, in the OS, the key question would be, what are the security requirements necessary for each of these? They could be very similar
The bare minimum for a level of security:
- Encrypt at rest
- Always authenticate access at the scope of the password store (can't view a password unless I go through some hoops to auth myself)
-
local password manager
- Description: An application that manages passwords for "daily life", such as logging into email and undertaking banking.
- Example environments: Desktop, laptop, mobile device (local hard drive)
- Risk level: Low
cloud-backed password manager as a service
- Description:
- Example environments:
- Risk level: (see Annex ??)
hybrid local + cloud ???
- Description: offline access to cloud-stored passwords...
- Example environments:
- Availability concern: synced locally,
- Risk level: (see Annex ??)
password managers provided as browser extension
- Description:
- Example environments:
- Risk level: (see Annex ??)
password managers provided BY a browser
- Description: A subcomponent integrated into a browser (primary product)
- Example environments:
- Availability concern:
- Risk level: (see Annex ??)
enterprise password manager
- Description:
- Example environments:
- Risk level: (see Annex ??)
hardware-based password manager
- Description:
- Example environments:
- Risk level: (see Annex ??)
UC-PM1: Passwords manager on a user's laptop for personal use
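Review bot: UC-PM1 is assigned to two different use cases in this hunk, "Passwords managers on edge device for isolated, non-critical functions" at the top and "Passwords manager on a user's laptop for personal use" at the bottom, so the identifiers must be made unique, and "Passwords manager(s)" should read "Password manager(s)" in both. The "Risk level: (see Annex ??)" placeholders contradict the clause introduction, which states that each use case's risk level is derived from Annex A; either fill in the level as done for the local password manager ("Low") or cite Annex A by name. The "Description" and "Example environments" fields are empty for all but two use cases, "Availability concern" appears for only two use cases and without a value, and the "hybrid local + cloud ???" heading and the empty "-" under the bare-minimum list are drafting residue; the field set should be identical for every use case. The bare-minimum list ("Encrypt at rest", "Always authenticate access at the scope of the password store") would read better as numbered requirements with the authentication boundary defined (what unlocks the store, and for how long) in place of "go through some hoops to auth myself".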