
XCreds Security


XCreds supercharges your Mac login window. First, use your Azure, Google Cloud, Okta or any OpenID Connect password to log in to your Mac. Then, XCreds verifies the password with your identity provider and saves the tokens to the user keychain for validation that the cloud password is in sync with the local password.

To implement this functionality, XCreds has access to sensitive user information. This guide documents how this information is handled.

Architecture

XCreds is a macOS app that consists of the following components:

  1. XCreds app bundle installed to /Applications
  2. Login window overlay that provides the “Return to XCreds” button on the macOS login window
  3. Security Agent Mechanisms to provide the login window replacement and verify user authentication

Code Signing and Notarization

All binaries provided for XCreds are signed and notarized by Apple.
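The signing and notarization claim above can be checked on a deployed Mac. The script below is an added example, not Twocanoes code; it assumes macOS with codesign, spctl and stapler on PATH, and the expected Team ID is a placeholder (set XCREDS_TEAM_ID to the vendor's real Team ID).

```shell
#!/bin/sh
# Added verification script (not from the XCreds project): checks that an XCreds
# app bundle is code-signed, signed by the expected team, notarized and accepted
# by Gatekeeper. Assumes macOS tooling; the Team ID below is a placeholder.
EXPECTED_TEAM_ID="${XCREDS_TEAM_ID:-REPLACE_WITH_VENDOR_TEAM_ID}"

# verify_app PATH -> 0 if every check passes, 1 if any check fails, 2 if PATH is missing
verify_app() {
    app="$1"
    [ -d "$app" ] || { echo "missing bundle: $app" >&2; return 2; }
    failed=0

    # 1. Signature integrity: --deep covers nested code, --strict rejects lax signatures
    if codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "signature: valid"
    else
        echo "signature: INVALID"; failed=1
    fi

    # 2. Signing identity: a valid signature from the wrong team is still a failure
    team=$(codesign -dv --verbose=4 "$app" 2>&1 | sed -n 's/^TeamIdentifier=//p')
    if [ "$team" = "$EXPECTED_TEAM_ID" ]; then
        echo "team id: $team (expected)"
    else
        echo "team id: ${team:-none} (expected $EXPECTED_TEAM_ID)"; failed=1
    fi

    # 3. Notarization ticket stapled to the bundle (checkable offline)
    if xcrun stapler validate "$app" >/dev/null 2>&1; then
        echo "notarization ticket: stapled"
    else
        echo "notarization ticket: NOT stapled"; failed=1
    fi

    # 4. Gatekeeper assessment: would macOS allow this bundle to execute?
    if spctl --assess --type exec "$app" 2>/dev/null; then
        echo "gatekeeper: accepted"
    else
        echo "gatekeeper: REJECTED"; failed=1
    fi
    return $failed
}

# Usage: sh verify_xcreds.sh /Applications/XCreds.app
[ $# -gt 0 ] && verify_app "$1"
```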

Encryption

XCreds uses the built-in TLS of macOS to encrypt all network traffic.

User Information

XCreds is not a cloud service and user accounts and information (including passwords) are not sent to Twocanoes Software. All user information and passwords are transmitted over a TLS encrypted channel to the customer’s identity provider.

User Password

When XCreds authenticates a user during login or password reset, the unencrypted password is captured by XCreds running on the macOS system. The password is then stored in the user’s login keychain, which is encrypted with AES-256 symmetric encryption. An access control list is added to the keychain item so that only the XCreds components and login security agents can read the stored password without providing the user password. XCreds uses this stored password to re-key the keychain when a user’s password is updated, since both the user account password and the keychain password then need to change. Saving the password to the user’s login keychain therefore gives XCreds access to the password currently used to encrypt the user’s keychain.

Personally Identifiable Information

XCreds does send Personally Identifiable Information (PII) to Twocanoes servers; however, all user information (including user names and passwords) is only sent between the local Mac and the Identity Provider. Twocanoes Software sends license key information to Twocanoes servers for the purpose of validating license usage, but this process does not include any user information. We also collect information during the purchase and support process to complete the transaction. We do not sell any information that is collected, and we use it only for order fulfillment, support, and license validation.

Logs

XCreds does not store sensitive information in the user logs by default. The administrator can enable debug logging which may contain sensitive information. The log information is written to both the macOS logging system and log files in /tmp/xcreds/xcreds.log and ~/Library/Logs/xcreds.log. Debug logging should be disabled when a Mac is deployed with XCreds.

Privacy Policy

Please see the Twocanoes privacy policy at https://twocanoes.com/privacy/

Notification of Updates and Security Issues

To be notified of important update and security-related information, we provide both email and an RSS feed:

Email: https://twocanoes.com/products/mac/xcreds/#sign-up
RSS: https://twocanoes.com/knowledge-base/tag/xcreds/rss

Issue Reporting

For security-related issues, please email info@twocanoes.com. We monitor this email for security-related issues and will respond within 1 business day as appropriate.
