UI changes​

The application interface has been completely redesigned. The new UI was created from scratch and complies with current design standards. Thanks to this, the user experience has become much more comfortable and modern.

A unified interface has been implemented for all types of clients: web version, browser extension and desktop application.

Updating the browser extension​

Browser extension has received a completely updated interface and now has all the functionality of the main system - from creating and managing repositories to administering the server part.

Important features added:

• securely save passwords;
• automatic updating of saved passwords when they change on sites;
• auto-fill authentication forms.

New client type - desktop application​

A full desktop version of the application has been released for Windows 10/11, Linux and macOS.

One of the key benefits is local caching of encrypted storage. Even if there is no connection to the central server, the user retains access to the latest current version of his data. This significantly reduces infrastructure requirements and eliminates the need for complex failover clusters in many scenarios.

Working with repositories​

Updates for working with repositories​

• Implemented a convenient tree folder structure
• Added support for tagging elements with the ability to create custom tags
• Implemented work with several vaults simultaneously
• The operations of transferring and copying data have been significantly simplified - both within the same storage and between different ones

Security​

New platform security options​

Added a master key brute force protection mechanism with automatic blocking of the account when suspicious activity is detected.

Password policies​

• Saving compromised passwords is prohibited
• Limited password changes to too similar (less than a specified number of characters is different)
• Control has been introduced for the validity period of the storage master password

Database of compromised passwords​

When deleting a user you can now automatically mark all passwords associated with it as compromised. The system also automatically notes all credentials that this user has ever had access to.

New tool "Parcels"​

It is now possible to create protected notes with attachments, which are automatically deleted after a specified period.

Notes support additional protection via a PIN or master password. All data is encrypted at the same level as the main storage.

Audit and control of duplicates​

An intelligent mechanism for identifying duplicate passwords has been implemented. Users can now quickly identify and eliminate reuse of the same passwords across multiple systems, improving overall security.

Fixed a bug that in some cases could lead to an error in integration with Active Directory

📁 Storage archive​

Now, when a vault is deleted, it is first archived. To activate this function, you must first configure the recovery system. The archive automatically clears storages that have been in it for more than 90 days. The storage threshold can be changed in the application settings. This innovation allows you to protect against accidental or intentional deletion of storage.

🔐 Password archive​

Similar to vaults, when a password is deleted, it is moved to the archive. The archive is cleared for passwords deleted at least 90 days ago. The storage period is configured by the administrator. This increases security and resistance to user error.

📅 Password expiration​

Added a new criterion for evaluating passwords - expiration date. The system tracks the date the password was last updated and notifies you if it has been used for longer than allowed. This helps ensure that credentials are kept up to date.

⏱ Last user login​

Implemented the ability to display last login time of the user into the system. The functionality is designed to monitor user activity, optimize the number of licenses and timely delete inactive accounts.

🔒 Session Management​

A new section has been added to the administrative panel - "Sessions". It displays active user sessions that can be terminated manually. This increases control over session security.

📝 Logging extension​

Additional attributes have been added to the logging system: userAgent and client IP address. This will help in incident investigations and improve tracking of sources of potential threats.

Installation Guide​

🛡 DB connection configuration security​

It is now possible to set database connection parameters (DB_DATABASE, DB_USERNAME, DB_PASSWORD) in an .env file in the base64 format. Example:``` DB_DATABASE=MWs=

• Fixed errors in sending logs to fully comply with the CEF format

🛡 Security​

🔔 Notification system​

• Added multi-domain (LDAP) support, allows you to integrate OneKey with several domains in parallel
• Added user groups, will allow you to assign unique security rules to individual users
• Added support for sending anonymous email notifications
• Added functionality automatically deleting deactivated UZ in the domain

📂 Working with repositories​

• Added support for keyboard shortcuts for quick actions with passwords

⚙️ Technical improvements​

• Expanded API agent capabilities - added support for the /auth/logout method and other improvements.
• Storage log queries have been optimized - working with large volumes of data has become faster and more stable.
• Bug fixed - the history of previous passwords is now displayed correctly.
• Added navigation through fragments - inside an element you can see in which fragments it is used, and go to them in one click.
• Interface and UX improvements - small but important changes for a more comfortable experience.

🛡 Security and audit​

🔔 Notification system​

• [Notifications for owners and editors](../../administrator description/notifications#mailing-user settings)
  Customizable notifications about changes in storage records.

• Notifications for the security service (SecOps)
  Alerts about weak or compromised passwords without revealing their contents.

• Checking passwords during generation
  The password generator automatically checks new passwords against the database of compromised ones.

• Audit and logging

  • The password audit page has been redesigned: work has been sped up, sorting by security level has been added.
  • Storage recovery logging is enabled.
  • Added logging for password export.
  • A field with the history of previous passwords has been added to the export.

• Control of storage fragments
  Administrators can now manage external links to fragments and disable them if necessary.

• [Control of user sessions](../../administrator description/sessions#main-capabilities)
  Added viewing of client metadata for each active session.

• Password Security Criteria
  Added the ability to enable a ban on the use of passwords that do not meet the complexity criteria.

🔐 Access and role management​

• Mapping groups via Keycloak
  When authorizing via SSO, it became possible to configure a role model and provide access to repositories through groups.
• Local rights for external users
  Users authorized via SSO or LDAP can have roles reassigned locally.
• Temporary access to fragments
  Access to storage fragments can be limited by days of the week and time intervals.
• Manage local users
  A full-fledged local account management system has been implemented:
  • Users can independently change passwords.
  • Assignment of primary passwords by the administrator.
  • Automatic blocking of inactive users.
  • Notifications about the need to change your password.
  • Setting up blocking for unsuccessful login attempts.
  • Forced password change after a specified period.

📂 Working with repositories​

• Hide repositories from the main page
  Users can hide obsolete repositories while maintaining access to them through a separate section.
• Custom fields
  Added the ability to create your own fields to store additional information in repositories.
• Audit inside the repository
  Owners and editors can audit the vault to check for security compliance and the presence of compromised passwords.
• Import and export
  • Added default folder setting for import.
  • A progress bar has been introduced to display the import process.
  • Optimized export of large storages.

• A description of the agent API, its installation and HTTP methods has appeared in the system, the entire description is available here

Audit panel​

• The possibility of automatic audit has been expanded. Password checking is now available against a provided database of more than 40 million compromised passwords. The administrator can add his own passwords for control - only hashes are stored in the system, which guarantees security.

Admin panel​

1. The administrator can choose which levels of protection will be available to users when creating vaults or fragments. To do this, use [interface](../../administrator description/settings#setting-available-protection-levels) with checkboxes.

User Guide​

1. The possibility of fragments has been added - individual parts of storage for sharing.

Fragments are parts of repositories that can be shared by link or with specific users. When creating, you specify a name, description, access period and level of protection: without protection, password or 6-digit PIN code. You can select the entries to share and specify recipients. A fragment can be edited or deleted at any time.

2. Users can set the security level for stores and shards to control access to sensitive data.

Fixed a bug that could lead to incorrect group associations when integrating with Active Directory

• Now on the authorization page when entering your login and password, it is now possible to preview the password.

Admin panel​

• [functionality](../../administrator description/users#opportunity-to-add-local-user) has been expanded; when creating a local user, it became possible to generate a password by clicking on the 💡 icon.

• Password generation when [resetting](../../administrator description/users#ability-to-make-edits-to-created-users) user password. The administrator, while resetting the user's password, can also take advantage of the opportunity to generate a new password by clicking on the 💡 icon. The generated password will be automatically filled into the appropriate field, and the administrator will be able to send it to the user for further login.

• Added the ability to filter the list of [repositories](../../administrator/repository description) by user and access level. Administrators can now easily find the storage they need by selecting a specific user and access level from a drop-down list. This feature greatly simplifies navigation and improves storage management, especially when there are a large number of objects in the system. Filtering is carried out in real time, which ensures that the list of storages is instantly updated depending on the selected criteria. This allows administrators to more effectively manage access and control resources.

Audit​

• The ability to automatically audit passwords has been expanded, now you can get detailed information about a low password score. This feature will help users better understand how to create strong passwords and improve the security of their accounts.

Fixed an LDAP bug that prevented connections to LDAPS from being established.

• Added SSO support (Keycloak Provider)
• Added 2FA support
• Support for sending logs to an external connector in CEF format
• Added a password recovery system implemented through a secret sharing scheme

Storage​

• Support for import/export of passwords in (csv) format - a universal method has been implemented. Import from any other systems is supported
• Storing one-time passwords in a vault (TOTP) - not recommended for use as there is a potential security penalty, but improves convenience
• Added file storage in storage
• Storing previous passwords in a vault
• Changing the master key from the storage

Password generation​

• Elimination of ambiguous characters in password generation
• Passphrase generation

Audit​

• Advanced logging (subject of change)
• Filter events in the system
• Uploading events in CSV format

Admin panel​

Added control sections:

• SSO
• Logging *Recovery *Settings
• License

Other​

• Bug fixes
• Optimization and acceleration of queries
• Expanded OS support