With some fanfare we announce the release of Topicus KeyHub 18.2, our summer holiday release. With this release we realize a long-held wish to offer our users an easier way to recover their password, including vault access. Via a social recovery protocol other users can approve the reset and recover the vault access. This same protocol will also be used to recover 2FA in case of a broken phone. As usual, we also implemented a number of smaller improvements and fixes for several issues.

Important notice: Undisclosed security vulnerability

TKH-1827 A weakness in the federated login flow used with OIDC directories was resolved. We strongly recommend all installations to be upgraded to 18.2. Topicus KeyHub users can inquire for more information.

Social recovery for password and 2FA

TKH-327 TKH-1517 TKH-1766 TKH-1787 TKH-1788 TKH-1789 We added an ability to use a social recovery protocol to safely and easily recover your access to KeyHub, including your vault access. We use a form of Shamir's Secret Sharing to safely distribute a personal recovery key among a selected set of colleagues. If at least two of these colleagues approve your password recovery, you can use the new password to login and/or access your vaults. The same protocol is use for a 2FA reset, to allow you to link new 2FA devices in case your current devices are unrecoverable.

After two users have approved the request, you can finish it to recover access to your vaults.

The group of colleagues is chosen from among the group managers of the groups you use the most. This determination will be re-evaluated on a regular interval. If a helpdesk group has been configured for your account, all colleagues approving account recovery will be chosen from that group.

Small improvements

The following smaller improvements and bug fixes were made:

  • TKH-1661 We added a button in the appliance manager to force renewal of Let's Encrypt certificates, in case the automatic renewal process does not get triggered.
  • TKH-1747 Uploading a PKCS#12 (.p12/.pfx) certificate should no longer result in form validation errors if you upload the certificate before entering the password.
  • TKH-1757 Dropdown fields should once again automatically gain focus after opening.
  • TKH-1762 Manually deactivating an account now immediately invalidates all sessions for that account.
  • TKH-1765 Salt calls between our appliance manager and the VM should now in all cases refresh the authentication token if expired, leading to less errors in the log.
  • TKH-1768 We fixed a bug in our authentication process that could cause the browser extension to open new tabs in the background with every click without closing them.
  • TKH-1769 We fixed various errors on pages related to private groups.
  • TKH-1771 The /account/me and /client/me REST resources should now return the proper error status when called with the wrong credential type.
  • TKH-1774 A logout now actively closes the vault by removing the active vault session, instead of just making it inaccessible and letting it expire.
  • TKH-1779 Approving an activation request for an authorized group will once again show the requester as the one who activated the group, instead of the approver.
  • TKH-1782 It will no longer seem to be possible to transfer certain internal applications away from the 'KeyHub Administrators" group.
  • TKH-1783 The 'KeyHub Appliance Manager' application can be transferred to another group, but that group can then no longer be removed.
  • TKH-1784 We solved an error during group removal related to linked systems that could lead to a KeyHub error page and block you from removing said group.
  • TKH-1802 Shared vault records could lead to incorrect audit records or errors in cases where the source or target vault was not visible to the user.
  • TKH-1813 A starvation issue was fixed that could cause the update process to miss an available Topicus KeyHub update.
  • TKH-1822 A concurrency issue was fixed that could result in an error when changing the password. This issue was patched in version 18.2-3.