5

Sync.com proudly advertises that the company can't access your data, but it does provide an optional email-based password reset.

Most cloud storage providers differ from Sync because they can access, scan and read your files. Sync's end-to-end encrypted storage platform and apps ensure that only you can access your data in the cloud. We can’t read your files and no one else can either.

When activating or using the password reset function they state that their system has temporary access to your encryption keys. What does temporary mean here and how does it work?

This feature does not expose your password to Sync, however it does give Sync’s automated systems temporary access to your encryption keys when the feature is enabled or used. We cannot enable or disable the feature on your behalf.

Does this mean that while having this function activated they could actually access my data? I don't see how it could work any other way, but I find it a bit dishonest then to have zero-knowledge as their main selling point while still recommending that people use this "feature".

https://www.sync.com/help/passwords/#securitypassword

D.H.
  • 181
  • 4

2 Answers

3

This is the official answer that I received from sync.com. So, as suspected, the promise of zero-knowledge only holds when this option is not enabled.

Temporary means that your keys are briefly exposed to automated systems (not people).

With the feature enabled, we store a backup key in escrow (on a separate offsite "cold server", not accessible from the public Internet or by Sync employees). The backup key can be used to reset your password, but not directly access your files.

The password reset feature itself can only be enabled or disabled by you (technically we are unable to do so because enabling the feature requires your current password).

We provide this feature because many industries require an email-based password reset feature for compliance purposes.

For example, in some countries, legal firms that store client data in the cloud must be able to recover their data at all times, even in the event that they have lost their password and do not have the Sync desktop app installed (in which case they would be permanently locked out of their account).

As long as you have the Sync desktop app installed, you do not need to enable this feature, as the desktop app also provides a password reset mechanism that is fully zero-knowledge.

D.H.
  • 181
  • 4
  • Thank you for sharing it back with us! I am still not convinced and I wish there was a more reliable alternative out there. The whole idea of encrypting my files using only a hash of my password, generated by their app, is already shady enough. And then this... If they have the power to do such a thing, what stops them from having extra "backup keys" around without us knowing? – zVictor Mar 28 '21 at 19:52
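To make the "temporary access" in Sync's reply concrete, here is an added toy model of a password-derived key hierarchy with an optional escrow wrap. It is not Sync's code and the layout (one master key wrapped once under a password-derived KEK and, when reset is enabled, a second time under an escrow key) is an assumption about how such a feature is typically built. The wrap function is a throwaway HMAC-based construction, not AES-KW. The point it demonstrates: enabling the feature requires the current password (client side), and a reset through the escrow path cannot avoid holding the plaintext master key in the reset service's memory, which is exactly the moment the zero-knowledge property does not hold.

```python
"""Toy key hierarchy with optional escrow (added example, not Sync's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

KDF_ITERS = 200_000  # assumption; real clients pick their own parameters


def kdf(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte key-encryption key (KEK) from a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERS)


def _stream(key: bytes, nonce: bytes) -> bytes:
    # 32-byte keystream for a one-block, one-time wrap (toy, not AES-KW)
    return hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()


def wrap_key(kek: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC a 32-byte key under kek; returns nonce||ct||tag."""
    assert len(key) == 32
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, _stream(kek, nonce)))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag, then recover the wrapped key; raises on wrong kek."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expect = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, nonce)))


@dataclass
class Account:
    salt: bytes
    wrapped_by_password: bytes
    wrapped_by_escrow: Optional[bytes] = None  # only when email reset is on


def create_account(password: str):
    """Returns (server-side record, client-side master key)."""
    master = secrets.token_bytes(32)  # protects file keys; stays on the client
    salt = secrets.token_bytes(16)
    return Account(salt, wrap_key(kdf(password, salt), master)), master


def enable_email_reset(acct: Account, password: str, escrow_key: bytes) -> None:
    """Client side: only possible with the current password, because the
    master key must be unwrapped before it can be re-wrapped for escrow."""
    master = unwrap_key(kdf(password, acct.salt), acct.wrapped_by_password)
    acct.wrapped_by_escrow = wrap_key(escrow_key, master)


def reset_via_escrow(acct: Account, escrow_key: bytes, new_password: str) -> bytes:
    """Reset-service side. The escrow key alone opens nothing, but together
    with the stored blob it yields the master key, which this function
    returns to make the exposure explicit."""
    if acct.wrapped_by_escrow is None:
        raise PermissionError("reset feature not enabled; nothing to recover")
    master = unwrap_key(escrow_key, acct.wrapped_by_escrow)  # <- exposure
    acct.salt = secrets.token_bytes(16)
    acct.wrapped_by_password = wrap_key(kdf(new_password, acct.salt), master)
    return master


def login(acct: Account, password: str) -> bytes:
    """Client side: recover the master key from the password."""
    return unwrap_key(kdf(password, acct.salt), acct.wrapped_by_password)


def password_works(acct: Account, password: str) -> bool:
    try:
        login(acct, password)
        return True
    except ValueError:
        return False
```

Without the escrow blob, losing the password loses the master key and the server has nothing it could recover, which is the property the privacy statement quoted below describes. With the blob present, whoever controls the escrow key and the storage can obtain the master key at any time, not only during a reset; "temporary" is a statement about the service's behaviour, not a cryptographic guarantee.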
2

Additionally I found on their site:

YOU MUST SAFEGUARD YOUR PASSWORD AND KEYS. Your password and keys are not stored on the Sync system. Consequently, should you lose or forget these, we cannot provide these to you or reset your password. (https://www.sync.com/privacy/)

Their whitepaper doesn't mention this feature either, so it seems that it was added later. Since the feature is optional and only recommended when you don't have the desktop app installed (which has another reset option that could be implemented securely), and from my knowledge of other similar systems, my educated guess is that the promise only holds when this feature is not enabled.

H. Idden
  • 2,988
  • 1
  • 10
  • 19