Skip to main content

How the Cerby browser extensions work

This article covers the supported browsers, how certain permissions are used, as well as the key operations of the Cerby browser extensions.

Cerby Team avatar
Written by Cerby Team
Updated over 2 weeks ago

The Cerby browser extension is a critical part of the streamlined approach to account access management.

Key operations

The Cerby browser extension facilitates four main actions:

  • Streamlined login: After clicking on an account tile within the Cerby web app or a Cerby browser extension. The Cerby browser extension automatically directs the user to the appropriate login page of the account. Once on the login page, the Cerby browser extension auto-inserts the following information into the login form without the user needing to see any of the inserted data:

    • Account username

    • Account data

    • Account multi-factor authentication (MFA) code (from SMS or TOTP)

      NOTE: If the MFA autofill feature is disabled for the account, the Cerby browser extension issues a step-up identity challenge to the user’s Cerby mobile app when detecting an MFA field for the associated account. After the user accepts the identity challenge, the Cerby extension will autofill the MFA code and complete the login process.

  • In-page insertion of passwords: When visiting the login page of an account directly, the Cerby logo appears within the login and MFA fields, enabling the user to select from a set of accounts belonging to the DNS-checked application domain. After selecting the account, Cerby autofills the following data:

    • Account username

    • Account data

    • Account MFA (from SMS or TOTP)

  • Credential validation: When adding an account to the Cerby web app for the first time, Cerby requires that you validate the credentials provided. The browser extension is responsible for executing this action within the user’s browser. This is necessary to ensure that downstream operations like MFA setup and password rotation leverage actual login data.

  • Managing In-App Access: For certain accounts, such as Instagram and X, the browser extension can block access to certain pages within the application experience. For example, if a user receives the Collaborator access to a shared X account, the user will not be able to access the Settings & Privacy page within the logged-in application experience.

Supported Environments:

The Cerby browser extensions are currently supported across the latest two versions of each of the following browsers on any supported Operating System:

  • Google Chrome

  • Mozilla Firefox

  • Microsoft Edge

  • Apple Safari

Authentication:

The Cerby browser extension currently shares a JSON Web Token with the Cerby web app. This means that if you log out of the Cerby web app, it will also terminate the session within the Cerby browser extension. Cerby sessions are typically established after a valid authentication sequence through a customer’s configured Identity Provider (e.g., Okta or Azure AD).

Permissions Used:

The Cerby browser extensions (CBE) request as few permissions as possible to conduct the Key Operations referenced above. The specific permissions and how they are used are detailed below:

  • storage: The storage permission enables the CBE to store information about the last selected account within the extension UI, enabling users to avoid navigating to the same account multiple times within a single login attempt.

  • https://*/: The all hosts permission enables the CBE to validate that credential insertion occurs only on domains that the user has designated as valid. The user defines valid host or domain information within the Cerby web app.

  • cookies: The cookies permission enables the CBE to detect whether a user already has a valid session for the account the user is attempting to leverage. This enables the Cerby browser extension to power a more streamlined login user experience for each account, avoiding the login form if a valid session cookie is detected.

  • tabs: The tabs permission enables the CBE to open new tabs to execute login and credential validation flows for accounts it manages on behalf of its users.

  • webNavigation: The webNavigation permission enables the CBE to detect whether a login attempt was successful or failed.

  • contextMenus: The contextMenus permission enables the CBE to be activated from within the context menu of a right-click operation for any login fields that the CBE does not auto-detect.

  • webRequest: The webRequest permission enables the CBE to monitor the success or failure of certain account provisioning or deprovisioning API calls between the CBE, the Cerby Web App, and the third-party application’s web services.

Did this answer your question?