How JEMPass Protects You Against Device Loss, Theft or Compromise

JEMPass incorporates a number of safeguards to protect you and your data when your devices are lost or stolen. The safeguards we have implemented are designed to address all major scenarios that create the risk of data compromise or loss as discussed below.

The JEMPass technical architecture contributes significantly to its security. At a high level, the JEMPass architecture includes two principal components:

  • JEMPass Keychain, which receives encrypted data from JEMPass servers after you authenticate yourself using your JEM AirKey.

  • JEM AirKey, which is responsible for secure cryptographic operations to authenticate you and securely provide Keychain the resources it needs to decrypt the encrypted data it receives from JEMPass servers.

A User Device is any device on which you have added your JEMPass Keychain. This includes iPhone, iPad, Android devices, Macs, and PCs. Instances of Google Chrome and Microsoft Edge on which you have added JEMPass Keychain browser extension are also considered User Devices.

JEMPass Keychain on User Devices

The following discussion summarizes how JEMPass protects different parts of your Keychain data.

Keychain Table Data

When you sign in to JEMPass (using your JEM AirKey) on a User Device, an authenticated session is created and a subset of your Keychain Table Data is transmitted by our servers to your User Device and decrypted using your JEM AirKey.

Keychain Table Data contains information about each record in your Keychain, and includes the following elements:

  • Title

  • App or website to which that record applies

  • Username - the username that you use to sign in to the app or website

Password Data

Password data includes the password and other password-like elements associated with each Keychain record.

Password data associated with each Keychain record is encrypted using a unique cryptographic key, can only be decrypted by your JEM AirKey, and is only decrypted on demand. Decrypted password data is never saved to disk or local storage. Decrypted password data is erased from User Devices' system memory after a short while.

JEM AirKey HD (hardware device)

JEM AirKeys make JEMPass special, and play a crucial role in securing your data. They are responsible for secure cryptographic operations to authenticate you to JEMPass servers and securely provide Keychain the resources it needs to decrypt the encrypted data it receives from JEMPass servers.

Our design, and our manufacturing and operational processes and procedures reflect the importance of this component. For example:

  • Cryptographic keys that are essential to unlock your Keychain are present in your JEM AirKey only very briefly, and are never persisted.

  • Communications between JEM AirKey and other system components follow a strict protocol that ensures confidentiality and authenticity of message payloads.

  • JEM AirKey HD is designed to only run approved software signed by us.

  • JEM AirKey HD devices are assembled in the US using globally sourced components, and we apply strict access controls to ensure the security of our firmware, keys and other sensitive material.

JEM AirKey SD (aka "softJEM") on User Devices

JEM AirKey SD are versions of JEM AirKey that "live" on your supported User Device.

By their nature and design, User Devices are based on large and complex operating systems and are meant to run multiple apps. End users also have the ability to configure, add or modify software on their User Devices to meet their preferences and needs. This circumstance naturally gives rise to risks that we do not encounter when we manufacture the hardware as well, as we do for JEM AirKey HD.

We take a number of steps (in addition to those described above) to mitigate these risks to protect your data when you use JEM AirKey SD. For example:

  • JEM AirKey SD (aka "softJEM") on Android devices requires a Class 3 or "strong" biometric implementation on the device. Class 3 biometric implementations on Android devices represent the highest level of security, based on detailed evaluation of architectural security and biometric security performance.

  • On iPhone, iPad and Mac (Apple Silicon) JEM AirKey SD uses Touch ID and Face ID.

Notwithstanding the mitigations described above, we believe JEM AirKey HD offers the strongest level of security while maintaining convenience and usability, especially for the most demanding use cases, e.g., protection of Keychain records that contain private keys associated with cryptocurrency wallets, API keys, server certificates and SSH keys.

JEMPass Keychain can contain records that can be unlocked by any type of JEM AirKey (SD or HD). You can also designate certain (or all) records as especially sensitive "Level 2" records. These Level 2 records can only be decrypted by your JEM AirKey HD.

You can also configure your JEMPass Keychain such that all records in the Keychain are protected by JEM AirKey HD. This option may be usefully implemented as an organizational policy. Learn more about our solutions for organizations here.

If you would like to learn more about the JEMPass Security Model, please contact us with details about the nature of your questions, concerns or interest and your organizational affiliation. We will evaluate your request and get back to you.