Zero-knowledge service
E2E
Thanks to end-to-end encryption
the heylogin GmbH does not see any logins
the heylogin GmbH does not see any logins
2FA
2-factor secure as standard and
only decryptable via hardware
only decryptable via hardware
KRYPTO
Modern cryptographic algorithms
XSalsa20 + Poly1305 and Curve25519
XSalsa20 + Poly1305 and Curve25519
Strict separation between safes and users
Logins are encrypted in strictly separated vaults with the security chips of the respective user devices. This allows normal users of an organisation to access their personal vault and all team vaults for which they have permissions.
In addition, all vaults within an organisation are also encrypted with the security tokens of the admins. This makes it possible to cryptographically restore an account if a device is lost or needs to be replaced. In terms of security, however, admins do not have access to the passwords in the personal safes.
All access, whether by admins or users, is end-to-end encrypted and requires the respective security chip for decryption. Our platform offers a strict security architecture where we as heylogin GmbH have no access to your logins.
In addition, all vaults within an organisation are also encrypted with the security tokens of the admins. This makes it possible to cryptographically restore an account if a device is lost or needs to be replaced. In terms of security, however, admins do not have access to the passwords in the personal safes.
All access, whether by admins or users, is end-to-end encrypted and requires the respective security chip for decryption. Our platform offers a strict security architecture where we as heylogin GmbH have no access to your logins.
Hardware-based end-to-end encryption
1
Synchronisation of the encrypted safes
All safes belonging to a user are automatically synchronised in the background. All devices, i.e. apps and browser extensions, are connected to the cloud via a streaming connection and receive vault updates immediately. The heylogin cloud serves as a simple data storage and has no means of decrypting the tresors.
2
Unlocking the security chip
If a browser extension requests decryption, the associated device is notified. The security chip is now unlocked locally on the device using a second factor, such as fingerprint, face unlock or PIN. The unlocked security chip now generates a temporary key. This is transmitted end-to-end encrypted to the browser extension.
3
Temporary key decrypts the safes
The key received in this way is used by the browser extension to decrypt the synchronised vaults. The sensitive data can now be used to log the user into websites. In addition, changes can be made to the data, which in turn lead to synchronisation.
The explanations on this page are simplified for easy understanding.Details on cryptography and security protocols can be found in the Security Whitepaper.
The explanations on this page are simplified for easy understanding.Details on cryptography and security protocols can be found in the Security Whitepaper.
Locations
heylogin GmbH is based in Braunschweig. Our productive system is operated by Hetzner in Nuremberg. A standby server is operated in Falkenstein, which can be quickly switched to in an emergency. Independent backups are currently stored at IONOS, which can be used in the event of a complete failure at Hetzner.
The ISMS of heylogin GmbH is ISO 27001:2022 certified. heylogin is GDPR-compliant and only uses European sub-processors.
The ISMS of heylogin GmbH is ISO 27001:2022 certified. heylogin is GDPR-compliant and only uses European sub-processors.
The security whitepaper about our end-to-end encryption
Thank you! Your submission has been received!
