How does Password Manager by 2Stable work under the hood? Part 3, The Shared Groups.

by Alex Vera

Founder & CEO

28 May 2024 · 7 minutes to read

In my last article, I talked about how Password Manager by 2Stable keeps your sensitive data secure. If you missed it, you can catch up here.

Now, let’s discuss another feature: Shared Groups.

Shared Groups are useful when you need to share passwords, notes, or files safely with others, such as your family or team. It enables everyone to collaborate without concerns about security. Let’s see how Password Manager by 2Stable simplifies and secures this process for everyone involved.

When starting a Shared Group, it all begins on one member’s device with a GEK (Group Encryption Key), as we talked about before. Next up, we need to invite others to join this group. To understand this better, let’s take a closer look at how CloudKit handles sharing.

In CloudKit, sharing a Zone with other members typically requires their email, phone number, or what’s known as a CloudKitUserID. However, it’s important to note that we intentionally avoid using any information that could compromise your privacy. That’s why we rely on your CloudKitUserID, which is unique for every app installed on Apple devices. After you have the member’s CloudKitUserID, you can share a Zone with them. At this point, it’s better to say that you can invite them to join the shared zone because they also need to accept a special link generated by CloudKit.

Ok, now that we have a basic understanding of the process, let’s move on. How can we obtain the CloudKitUserID, and how do we share this specially generated link to accept the invitation?

To start, we need:

  1. The member’s CloudKitUserID to invite them.
  2. To send a special link to the person we’re inviting so they can join.

To get the CloudKitUserID, we use a method on the device of the person we want to invite. After that, we need to transfer this ID to the admin’s device, so the admin can set up the invitation.

We’ve implemented a solution using a QR code for this process.

To add someone to a Shared Group, you need to scan or import their Profile QR code. This QR code is located in the Settings -> My Profile section of the Password Manager by 2Stable app. The Profile QR Code contains just the right amount of crucial information needed to securely incorporate a new member into the group.


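struct QRCode {
    let cloudKitUserID: String  // used by the admin to create the CloudKit invitation
    let name: String            // display name shown to the admin after scanning
    let publicKey: Data         // used to encrypt the Invitation for this member
}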

That’s it. We need the member’s CloudKitUserID to create our invitation, as discussed previously. The name is used to make the process more user-friendly; you can choose any name you want, and it will appear to the admin when they scan your QR code. The publicKey is quite interesting; let’s discuss it further below.

Remember, we must send a special link? This link is what the new member clicks to join. We could have used a different method to send this link back, like a new QR code, or we could ask the admin to email it, like you see in the Notes app or Reminders app. But we decided not to do that. Still, we need to keep the process secure. That’s where the publicKey comes in.

Right here, we need to talk about something called an Invitation struct. We make this on the admin’s device. It includes the group’s GEK, the link we talked about before, and a few other things like the group’s name and icon. This Invitation is key to making sure everything a new member needs to join is in one place.

For sending the Invitation back, we’ve set up a special communication channel using Firebase. This works through a technique called PubSub, where every member subscribes to a channel, allowing others to send data to that channel. To ensure security, each user generates a Profile struct when they first create their VaultStorage (as discussed in the previous article). It’s important to note that although we call it a Profile, it’s actually just an asymmetric key pair, accompanied by an icon and a chosen name.

To send the invitation link safely, we use asymmetric encryption. When someone creates their Profile, they get two keys: one is public, and the other is private. We encrypt, or lock, the invitation with the recipient’s public key, which means only their private key can unlock and read it. This way, the invitation stays safe while it’s sent over the internet, and only the person being invited can open it. Even we at 2Stable can’t read that invitation.

In addition to asymmetric encryption, we’ve developed a special login mechanism to authorize access to Firebase. This is to prevent someone from flooding a channel with unnecessary data. Every time a user logs into Firebase, which happens when they open the app, they sign a challenge generated on Firebase with their PrivateKey. This signature is then verified on the server with the respective PublicKey, so the server can trust that the user really possesses the correct PrivateKey. This verification process adds an extra layer of security by confirming user identity and permissions.
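The login described above, as an added example that is not 2Stable's code: a server-side verifier that issues a random challenge and accepts a signature over it only once and only before it expires. The article does not name the signature scheme, so Ed25519 via CryptoKit, the `ChallengeVerifier` type and the 60-second lifetime are assumptions.

```swift
import CryptoKit
import Foundation

// Hypothetical server-side state; the article does not describe the real implementation.
struct ChallengeVerifier {
    private var pending: [Data: Date] = [:]   // challenge -> expiry time
    let lifetime: TimeInterval = 60           // assumption: short-lived challenges

    // Issue a fresh, unpredictable challenge for one login attempt.
    mutating func issue(now: Date = Date()) -> Data {
        // UInt8.random uses SystemRandomNumberGenerator (secure where the platform allows).
        let challenge = Data((0..<32).map { _ in UInt8.random(in: 0...255) })
        pending[challenge] = now.addingTimeInterval(lifetime)
        return challenge
    }

    // Accept only a known, unexpired, unused challenge carrying a valid signature.
    mutating func verify(_ challenge: Data, signature: Data,
                         registeredKey: Curve25519.Signing.PublicKey,
                         now: Date = Date()) -> Bool {
        // Remove first: a challenge is single-use whether or not the signature checks out.
        guard let expiry = pending.removeValue(forKey: challenge), now < expiry else {
            return false
        }
        return registeredKey.isValidSignature(signature, for: challenge)
    }
}

// Constructed keys for the demonstration.
let user = Curve25519.Signing.PrivateKey()
let other = Curve25519.Signing.PrivateKey()
var server = ChallengeVerifier()

let c1 = server.issue()
let sig1 = try user.signature(for: c1)
let firstLogin = server.verify(c1, signature: sig1, registeredKey: user.publicKey)
let replay = server.verify(c1, signature: sig1, registeredKey: user.publicKey)

let c2 = server.issue()
let sig2 = try other.signature(for: c2)        // signed by a key the server does not expect
let wrongKey = server.verify(c2, signature: sig2, registeredKey: user.publicKey)

let c3 = server.issue()
let sig3 = try user.signature(for: c3)
let expired = server.verify(c3, signature: sig3, registeredKey: user.publicKey,
                            now: Date().addingTimeInterval(61))

precondition(firstLogin && !replay && !wrongKey && !expired)
```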

Now, we have the Invitation and the PubSub channel to send the encrypted invitation to the member.

Once the invitation is sent, the invited member receives it through the PubSub channel. Since the invitation is encrypted using asymmetric encryption, only the intended recipient, with their private key, can unlock and read it. This ensures that the invitation remains secure even while transmitted over the internet.

When the invited member’s device receives the invitation, it decrypts the message using their private key. This uncovers the CloudKit link and the GEK. With these, the member can create a new Storage that uses the GEK and connects to the Shared Group CloudKit Zone. Also, the invitation’s metadata, like the group icon and name, gives useful details about the Shared Group.

It’s important to note that the member has 7 days to open the app and accept the invitation. If they don’t do it within this time frame, the invitation will expire, and the process will need to be started over.
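The invitation flow above, as an added example that is not 2Stable's code: the admin seals an Invitation to the public key from the Profile QR code, and the member opens it and rejects it once it has expired. The article does not say which algorithms are used, so X25519 key agreement with HKDF and ChaCha20-Poly1305 via CryptoKit, the field names and the `expiresAt` check are assumptions.

```swift
import CryptoKit
import Foundation

// Hypothetical layout: the page names the Invitation's contents, not its fields.
struct Invitation: Codable {
    let gek: Data        // Group Encryption Key
    let shareURL: URL    // CloudKit share link
    let groupName: String
    let expiresAt: Date  // assumption: the 7-day limit travels in the payload
}
struct SealedInvitation { let ephemeralKey: Data; let box: Data }

// Bind the derived key to both public keys (sender's one-time key, recipient's).
func invitationKey(_ s: SharedSecret, _ eph: Data, _ rcpt: Data) -> SymmetricKey {
    s.hkdfDerivedSymmetricKey(using: SHA256.self, salt: eph + rcpt,
                              sharedInfo: Data("invitation-v1".utf8), outputByteCount: 32)
}

// Admin side: recipientKey is the publicKey field read from the Profile QR code.
func sealInvitation(_ inv: Invitation, recipientKey: Data) throws -> SealedInvitation {
    let rcpt = try Curve25519.KeyAgreement.PublicKey(rawRepresentation: recipientKey)
    let eph = Curve25519.KeyAgreement.PrivateKey()  // fresh key per invitation
    let key = try invitationKey(eph.sharedSecretFromKeyAgreement(with: rcpt),
                                eph.publicKey.rawRepresentation, recipientKey)
    let sealed = try ChaChaPoly.seal(JSONEncoder().encode(inv), using: key)
    return SealedInvitation(ephemeralKey: eph.publicKey.rawRepresentation, box: sealed.combined)
}

// Member side: decrypt (authenticated), then enforce expiry before using the GEK.
func openInvitation(_ s: SealedInvitation, with me: Curve25519.KeyAgreement.PrivateKey,
                    now: Date = Date()) throws -> Invitation? {
    let eph = try Curve25519.KeyAgreement.PublicKey(rawRepresentation: s.ephemeralKey)
    let key = try invitationKey(me.sharedSecretFromKeyAgreement(with: eph),
                                s.ephemeralKey, me.publicKey.rawRepresentation)
    let plain = try ChaChaPoly.open(ChaChaPoly.SealedBox(combined: s.box), using: key)
    let inv = try JSONDecoder().decode(Invitation.self, from: plain)
    return inv.expiresAt > now ? inv : nil
}

// Constructed sample data: not real keys, links or group details.
let member = Curve25519.KeyAgreement.PrivateKey()
let week: TimeInterval = 7 * 24 * 3600
let inv = Invitation(gek: Data(repeating: 7, count: 32),
                     shareURL: URL(string: "https://example.invalid/share")!,
                     groupName: "Family", expiresAt: Date().addingTimeInterval(week))
let sealed = try sealInvitation(inv, recipientKey: member.publicKey.rawRepresentation)
let opened = try openInvitation(sealed, with: member)
let late = try openInvitation(sealed, with: member, now: Date().addingTimeInterval(week + 1))
let stranger = try? openInvitation(sealed, with: Curve25519.KeyAgreement.PrivateKey())
precondition(opened?.gek == inv.gek && late == nil && stranger == nil)
```

As written, this example gives confidentiality toward the holder of the recipient's private key; it does not by itself tell the recipient who sealed the invitation.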

In conclusion, the Shared Groups feature in Password Manager by 2Stable makes it easy and safe to share important stuff with others. It keeps your info private and secure using different technologies.

With this feature, you can invite people to join your group and share things like passwords, notes, files, etc. Everything is kept safe with strong encryption, so only the right people can see it.

Password Manager by 2Stable is all about making your digital life simpler and safer.

Keep an eye out for more tips and tricks about Password Manager by 2Stable in future articles.

Until then, stay safe online!
