Securing Your Data

Written by: Franz Josef Drexler

September 14, 2024


youProof claims to keep your data secure. You’ll often see terms like end-to-end encryption, digital signatures, and biometric authentication. But what does that mean, and how do we actually keep your data safe? This article won’t go into too much technical detail—just enough so you can understand the basics of what youProof does.

Three Security Measures

First, let’s start by understanding what each security measure is good for:

  • End-to-end encryption (E2EE) is used to control who can read what data. It ensures that only you and the people you explicitly give your data to are able to understand it. (Let’s call the people you share your youProof profile with your visitors from now on.) Any intermediaries (this includes your ISPs, hackers, and even us) can only see gibberish. To encrypt data, a private key is required (a randomly generated sequence of characters and numbers). This is similar to a locked diary and its key but is much more secure.

  • Digital signatures ensure data integrity. This does not mean that no one can edit your data, but it does mean that the computer can instantly check whether your data was tampered with. To create a digital signature, you need a private key. Digital signatures are somewhat similar to seals used for things like tamper-evident packaging.

  • Biometric authentication is a means of identifying you using biological attributes like your fingerprint or the shape of your face. In the context of mobile devices, it usually describes phones storing some data encrypted until you authenticate the decryption using your fingerprint or face. Note that on phones, this can often be bypassed if someone knows the lock screen PIN.

Three Locations to Secure

Keeping your data secure happens in three different places: your own devices, our backend, and the browsers of the people viewing your youProof profile.

Your Own Devices

To create/manage a youProof profile, you need to download the youProof app. It’s not possible to create a youProof profile using a normal web browser. This is intentional—why? As explained above, E2EE and digital signatures both need a private key. These private keys are too complex to remember, and even entering them in a browser would already be insecure. Instead, they are stored securely encrypted on your phone using—yes, you guessed it—biometric authentication (or your lock screen PIN) to unlock it.

This has a few neat side effects. In addition to being very secure:

  • You don’t need to enter any email or password to create a new profile.
  • Logging in on another device is as simple as scanning a QR code.
  • All of that E2EE and digital signature stuff can be handled automatically in the background.

If you now want to share your youProof profile, you can simply show your profile’s QR code to your visitors or tap the share button to get a link.

The youProof Backend

Thanks to E2EE and digital signatures, we can neither tamper with nor read your data. The only things we need to ensure on our backend are:

  1. Only you (i.e., no other users or hackers) can delete your data.
  2. Your data is always accessible (though outages can happen—we can’t control that).
  3. We serve a correct, fully functional, and secure homepage and web app.

The Browser

What web app, you might ask? This leads us to the third and final location: the browser of your visitors. The QR code or link you use to share your profile contains a key used to decrypt your youProof profile. However, this data must never be sent to our backend (remember, we shouldn’t be able to read your data). Therefore, we need a web app that processes this key and all profile data locally. It first decrypts your data, then verifies its authenticity, and finally shows it to your visitors.
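The flow described above (key in the link, local decryption, then a signature check) can be sketched as follows. This is an added example, not youProof's code: AES-256-GCM, Ed25519, carrying the keys in the URL fragment, the host profile.example and all function names are assumptions.

```javascript
// Added illustration, not youProof's code. AES-256-GCM, Ed25519, the link
// layout and all names are assumptions; profile.example is a placeholder host.
const crypto = require('node:crypto');

// Encrypt a payload object; the result is everything the backend would store.
function seal(key, payload) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(JSON.stringify(payload)), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Owner side (the app): sign the profile, encrypt it, build the share link.
function publishProfile(profile) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const sig = crypto.sign(null, Buffer.from(profile), privateKey).toString('base64');
  const key = crypto.randomBytes(32);
  const pk = publicKey.export({ type: 'spki', format: 'der' }).toString('base64url');
  // Keys go in the URL fragment, which browsers do not include in requests.
  const link = `https://profile.example/p/demo#k=${key.toString('base64url')}&pk=${pk}`;
  return { link, stored: seal(key, { profile, sig }) };
}

// What the server sees when the link is opened: the URL without its fragment.
function requestedUrl(link) {
  const u = new URL(link);
  return u.origin + u.pathname + u.search;
}

// Visitor side (the web app): decrypt locally, then verify the signature.
function openProfile(link, stored) {
  const p = new URLSearchParams(new URL(link).hash.slice(1));
  const key = Buffer.from(p.get('k'), 'base64url');
  const d = crypto.createDecipheriv('aes-256-gcm', key, stored.subarray(0, 12));
  d.setAuthTag(stored.subarray(12, 28));
  const plain = Buffer.concat([d.update(stored.subarray(28)), d.final()]);
  const { profile, sig } = JSON.parse(plain.toString());
  const pub = crypto.createPublicKey({
    key: Buffer.from(p.get('pk'), 'base64url'), format: 'der', type: 'spki' });
  if (!crypto.verify(null, Buffer.from(profile), pub, Buffer.from(sig, 'base64')))
    throw new Error('signature check failed: profile was modified');
  return profile;
}
```

The signature check matters even with authenticated encryption: anyone who holds the link also holds the decryption key and could re-encrypt altered content, but cannot produce a valid signature for it.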

TL;DR

To summarize, your phone ensures that your youProof profile is always secure and easy to use. Our backend ensures that your data is always accessible. Lastly, the web app ensures that your visitors can actually see your profile and that your data has not been tampered with.

Finally, don’t forget to download and try out youProof—it’s free and doesn’t even require an email address.