3.4.4 Lockdown Mode
Note: As of version 5.15.10, lockdown mode is only available (and required) for EAs (see Section 3.8.1).
As detailed in Section 3.4, a standard user can add new devices at any time and start using them immediately (except for accessing previously encrypted data) without approval from previous devices. This allows a newly added, unapproved device to immediately begin issuing PUK rotations and encrypting data on behalf of the user, while not granting it access to previously encrypted data until a previous device comes online to approve it. While this device model may be appropriate for most users, some users may benefit from an additional security guarantee, namely that new devices cannot be used without the consent of an existing device. This prevents a compromised server, or an attacker who learns the user’s password, from adding a device and impersonating the user without prior user approval (at the cost of an additional usability burden on the user).
Lockdown mode can be enabled or disabled for the user from a user’s device in the oldest non-empty approval class. When in lockdown mode, new devices can be added, but are not permitted to rotate the PUK or approve new devices on behalf of the user until they are themselves approved by a device in the oldest class (and thus join that class). We refer to these new devices as unconfirmed, and older devices in the oldest class as confirmed.
If a confirmed device revokes itself (although in the self-revoke case, the rotation will be performed by another confirmed device once it comes online). Unconfirmed devices are allowed to perform rotations of any device, but other clients will not accept any PUK rotations performed by unconfirmed devices while the user is in lockdown mode.
Lockdown mode reduces the number of necessary key rotations, in addition to preventing a compromised server from impersonating a user. On the other hand, the user will need access to at least one confirmed device in order to add and use new devices. If the user loses or revokes all of their devices, then data encrypted for their use will be unrecoverable, and their account will be essentially unusable.
The “locked out” user would have to create a new user account (note that Zoom allows email addresses to be reassigned). To reduce the likelihood of this “locked out” scenario, the Zoom server requires users to create a backup key (see Section 3).
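The rules above (confirmed = member of the oldest non-empty approval class; only a device in that class may toggle lockdown or approve; unconfirmed devices may still revoke, but their PUK rotations are rejected by other clients while lockdown is on) can be captured in a small state model. The following is an added illustration written for this page, not Zoom’s client code: approval classes are represented as integers (lower means older), a device added without approval starts its own newer class, and the non-lockdown approval check (approver must be in an older or equal class) is an assumption made here so the model is self-contained.

```python
"""Toy model of lockdown mode: who may rotate the PUK or approve devices.

Added illustration, not Zoom's implementation. Approval classes are integers
(lower = older, assumed representation); "confirmed" is derived from membership
in the oldest non-empty class, exactly as the section defines it.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


class PolicyError(Exception):
    """Raised when a device attempts an action lockdown mode does not permit."""


@dataclass
class UserState:
    devices: Dict[str, int] = field(default_factory=dict)  # device_id -> class
    lockdown: bool = False
    _next_class: int = 0

    def oldest_class(self) -> Optional[int]:
        return min(self.devices.values()) if self.devices else None

    def is_confirmed(self, device_id: str) -> bool:
        """Confirmed = member of the oldest non-empty approval class."""
        return device_id in self.devices and self.devices[device_id] == self.oldest_class()

    def add_device(self, device_id: str) -> None:
        """Adding is always allowed; an unapproved device starts its own newer class."""
        if device_id in self.devices:
            raise ValueError("duplicate device id")
        self.devices[device_id] = self._next_class
        self._next_class += 1

    def set_lockdown(self, actor: str, enabled: bool) -> None:
        """Only a device in the oldest non-empty class may enable or disable lockdown."""
        if not self.is_confirmed(actor):
            raise PolicyError(f"{actor} is not in the oldest approval class")
        self.lockdown = enabled

    def approve(self, approver: str, target: str) -> None:
        """Approval moves `target` into `approver`'s class. In lockdown mode the
        approver must be confirmed; otherwise (assumed) it must be in an older or
        equal class than the target."""
        if approver not in self.devices or target not in self.devices:
            raise KeyError("unknown device")
        if self.lockdown and not self.is_confirmed(approver):
            raise PolicyError(f"{approver} is unconfirmed and cannot approve in lockdown mode")
        if self.devices[approver] > self.devices[target]:
            raise PolicyError("approver must belong to an older approval class")
        self.devices[target] = self.devices[approver]

    def revoke(self, actor: str, target: str) -> None:
        """Revocation is permitted from any device, confirmed or not."""
        if actor not in self.devices or target not in self.devices:
            raise KeyError("unknown device")
        del self.devices[target]

    def accept_puk_rotation(self, rotator: str) -> bool:
        """What another client checks before accepting a PUK rotation from `rotator`."""
        if rotator not in self.devices:
            return False
        if self.lockdown:
            return self.is_confirmed(rotator)
        return True


def lockdown_scenario() -> Dict[str, bool]:
    """Constructed walk-through: a laptop enables lockdown, a phone and tablet are
    added later and stay unconfirmed until the laptop approves them."""
    u = UserState()
    u.add_device("laptop")
    u.set_lockdown("laptop", True)
    u.add_device("phone")
    u.add_device("tablet")
    result: Dict[str, bool] = {}
    # Other clients reject rotations from the unconfirmed phone.
    result["phone_rotation_before_approval"] = u.accept_puk_rotation("phone")
    # The unconfirmed phone may not approve the tablet on the user's behalf.
    try:
        u.approve("phone", "tablet")
        result["unconfirmed_approve_allowed"] = True
    except PolicyError:
        result["unconfirmed_approve_allowed"] = False
    # The confirmed laptop approves the phone, which joins the oldest class.
    u.approve("laptop", "phone")
    result["phone_rotation_after_approval"] = u.accept_puk_rotation("phone")
    # Revocation of any device is allowed even from the unconfirmed tablet.
    u.revoke("tablet", "laptop")
    result["phone_still_confirmed"] = u.is_confirmed("phone")
    # Losing every device leaves the account with no confirmed device at all.
    u.revoke("phone", "tablet")
    u.revoke("phone", "phone")
    result["locked_out"] = u.oldest_class() is None
    return result


if __name__ == "__main__":
    for name, value in lockdown_scenario().items():
        print(f"{name}: {value}")
```

The `accept_puk_rotation` check is the part a verifying client actually enforces: a rotation signed by a device outside the oldest class is simply not trusted while lockdown is on, regardless of what the server relays. The final steps show the “locked out” case: once the last confirmed device is gone, `oldest_class()` is `None` and nothing remains that could approve a replacement.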