Mitigating The Need for Internet Access

Mobile Client support, introduced back in Passwordstate 6.2 (2013), enabled access to your password credentials from iOS, Android, Windows Phones and Blackberry devices.  Its primary focus was providing remote access to managed credentials while away from your normal place of work, be it your day-to-day PC or LAN, or while out of the physical office. 

The architecture required a Mobile Gateway, installed on either your main Passwordstate webserver, or optionally, on a separate webserver hosted in your DMZ (Demilitarized Zone) talking back to your main Passwordstate instance. Once configured within Passwordstate, all that was required was a supported mobile device, capable of HTML5 rendering via its web browser. Users would effectively log in to Passwordstate, via the Mobile Gateway, using their UserName and the preconfigured PIN.

Under this architecture a user would access credentials live against their Passwordstate instance. The implication being that network coverage, either a WiFi connection for access inside your network or a cellular connection for access outside of your network, was required. If there wasn't an active network connection, you couldn't talk to the Passwordstate instance, and you couldn't access your credentials.

Replacement under Version 9

The approach to mobile device access under V9 has been completely redesigned and the original Mobile Client support, as it existed under Version 6.0 through 8.9, has been deprecated. 

The new architecture requires the installation of a Passwordstate App Server.  This replaces the previous Mobile Gateway and is an extensible platform for future requirements.  Under the new architecture the App Server brokers the connectivity between the client device and the Passwordstate instance.  The App Server can again be installed on your main Passwordstate instance, or on a webserver within your DMZ.

The smartphone clients are now purpose-built iOS and Android apps that authenticate using an independent credential set. The smartphone apps allow the password records that a user is authorized to access to be stored locally on the smartphone, within an encrypted cache. Security has been increased, and the apps also offer the option of using the biometric capability of the smartphone when accessing the data within the encrypted cache. All authentication and access of credentials is audited and synced back automatically to Passwordstate on the next connection.

Advantages of the new Architecture

From a usability perspective the primary benefit of the new architecture is that all the password credentials, and only those that the user has been authorized access to, can now be stored in an offline encrypted cache on their device.  This effectively provides the user with access to the credentials anywhere, anytime and regardless of the need for an active network connection. 

This cache is valid for the number of days set at "Specify the number of days the user can access their offline cache before they need to re-authenticate again to the Passwordstate App Server". This is set globally under Administration->System Settings->mobile access options->Mobile App Settings, or individually under Administration->User Accounts-> "select a user" ->Edit User Details->Mobile Access Options. The latter option overrides the global setting for that user.

Please note that every time the user performs a sync within the Mobile App the time to live for the offline cache will be reset back to the specified number of days for that user.

From a security perspective the biggest benefit is that you potentially no longer need to have your Passwordstate Server running the “mobile gateway” internet facing.  As long as your staff have internal network access to the Passwordstate App Server, and can resync their offline encrypted cache before it is due to be wiped, then you potentially no longer need Passwordstate to be internet facing. 

Note that this currently only applies to the use of the Mobile App.
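The two paragraphs above describe the lifetime policy of the offline cache: a global number of days, an optional per-user override, a reset on every sync, and a wipe once the days have lapsed. The following is an added illustration of that policy as a small model, not Click Studios' code and not the Passwordstate App Server's actual implementation; the setting names are quoted from the text, while the classes, function names and the sample users and dates are constructed for the example. It lets an administrator try out what a given combination of global and per-user values means for a user who is away from the App Server for a number of days.

```python
"""Model of the Passwordstate mobile offline-cache lifetime policy.

Illustrative code only (assumption): the data structures and function names
are invented for this example; only the setting names come from the page.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple


@dataclass
class MobileAppSettings:
    """'Specify the number of days the user can access their offline cache
    before they need to re-authenticate again to the Passwordstate App
    Server', held globally (Mobile App Settings) plus optional per-user
    overrides (Edit User Details -> Mobile Access Options)."""
    global_cache_days: int
    per_user_cache_days: Dict[str, int] = field(default_factory=dict)

    def effective_cache_days(self, user: str) -> int:
        # A per-user value, when present, overrides the global one.
        return self.per_user_cache_days.get(user, self.global_cache_days)


@dataclass
class OfflineCache:
    user: str
    last_sync: datetime   # every sync resets the time-to-live
    wiped: bool = False   # set once the time-to-live has lapsed


def cache_expiry(settings: MobileAppSettings, cache: OfflineCache) -> datetime:
    """Moment at which the cache stops being usable without a new sync."""
    days = settings.effective_cache_days(cache.user)
    return cache.last_sync + timedelta(days=days)


def can_access_offline(settings: MobileAppSettings, cache: OfflineCache,
                       now: datetime) -> bool:
    """True while the cache is inside its time-to-live and not wiped."""
    return (not cache.wiped) and now < cache_expiry(settings, cache)


def sync(settings: MobileAppSettings, cache: OfflineCache, now: datetime) -> None:
    """A sync against the App Server resets the time-to-live to the full
    configured number of days for that user (and restores a wiped cache,
    since the user has just re-authenticated)."""
    cache.last_sync = now
    cache.wiped = False


def enforce_ttl(settings: MobileAppSettings, cache: OfflineCache,
                now: datetime) -> bool:
    """Wipe the cache once the time-to-live has lapsed; returns True on wipe."""
    if not cache.wiped and now >= cache_expiry(settings, cache):
        cache.wiped = True
        return True
    return False


def simulate(settings: MobileAppSettings, user: str, sync_days: Set[int],
             check_days: List[int]) -> List[Tuple[int, bool]]:
    """Day-by-day timeline for one user. Day 0 is the initial sync; further
    syncs happen on the day numbers in sync_days (i.e. the days on which the
    user was able to reach the App Server). Returns (day, accessible) pairs
    for each day in check_days."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed start date
    cache = OfflineCache(user=user, last_sync=t0)
    timeline: List[Tuple[int, bool]] = []
    for day in range(max(check_days) + 1):
        now = t0 + timedelta(days=day)
        if day in sync_days and day != 0:
            sync(settings, cache, now)
        enforce_ttl(settings, cache, now)
        if day in check_days:
            timeline.append((day, can_access_offline(settings, cache, now)))
    return timeline


if __name__ == "__main__":
    # Constructed sample: global 7 days, alice overridden to 3 days.
    cfg = MobileAppSettings(global_cache_days=7, per_user_cache_days={"alice": 3})
    print("alice, no resync :", simulate(cfg, "alice", {0}, [0, 1, 2, 3, 4]))
    print("alice, resync d2 :", simulate(cfg, "alice", {0, 2}, [2, 3, 4, 5]))
    print("bob, global value:", simulate(cfg, "bob", {0}, [6, 7]))
```

Running the script shows the override in effect: alice loses offline access at the start of day 3 unless she resyncs, a resync on day 2 pushes her expiry out to day 5, and bob, who has no override, keeps access until day 7. The same model makes it easy to check that the configured days comfortably exceed the longest stretch a user is expected to be without internal network access to the App Server.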

Levels of Security on the Mobile App

There are a number of levels of security associated with the use of the Mobile App, ranging from the length of time an offline cache can remain valid, to the password strength required for each user's Master Password, to protection against brute force, dictionary and Man-in-the-middle attacks.

Add to this the previously mentioned biometric capability of most current smartphones, and access to the offline cache is kept secure.

How to Source and Install the App Server

To source and install the App Server you need to be on Passwordstate Version 9. Simply navigate to Administration->System Settings->mobile access options and click on Download App Server Installer. Both the installer file and the install guide are sourced from your existing Passwordstate installation, and the file is located under \inetpub\Passwordstate\downloads.

If you don't have V9 installed then you'll first need to perform a Manual Upgrade to Version 9. Instructions for this can be found at https://www.clickstudios.com.au/documentation/ under Upgrade Instructions on that page.

The use of the Passwordstate App Server and native iOS and Android apps can mitigate the risk of having your Passwordstate instance internet facing in some use cases.  Each organization should look at their usage requirements and perform internal risk assessments to ensure their design, risks and associated mitigating factors are appropriate for their business.

Once again if you have feedback, we’d love to hear it via support@clickstudios.com.au.