How the Cerby browser extensions work

This article covers the key operations of the Cerby browser extensions, the browsers they support, how the extension authenticates, and how each requested browser permission is used.

Written by Cerby Team

The Cerby browser extensions are a core component of Cerby's approach to managing access to accounts. Read on to learn how the extension operates.

Key Operations:

The Cerby browser extensions facilitate four main actions:

  • Streamlined login: After the user clicks an account tile in the Cerby web app or in a Cerby browser extension, the extension opens the account's login page. On that page it fills the login form with the following data, without displaying any of it to the user:

    • Account Username

    • Account Password

    • Account Two Factor Auth Code (from SMS or TOTP)

      • NOTE: If the 2FA Autofill feature is disabled for the account, the extension issues a step-up identity challenge to the user's Cerby mobile app when it detects a 2FA field for that account. Once the user approves the challenge, the extension fills the 2FA code and completes the login.

  • In-page insertion of passwords: When the user navigates to an account's login page directly, the Cerby logo appears inside the login and 2FA fields. Clicking it lets the user choose from the accounts whose designated application domain matches the domain of the current page. After an account is selected, Cerby fills the following data:

    • Account Username

    • Account Password

    • Account Two Factor Auth Code (from SMS or TOTP)

  • Credential validation: When an account is added to the Cerby web app for the first time, Cerby requires that the supplied credentials be validated. The browser extension performs this validation inside the user's browser by actually logging in. This ensures that downstream operations such as Two-Factor Authentication setup and Password Rotation operate on credentials that are known to work.

  • Managing In-App Access: For certain accounts (e.g., Instagram and Twitter), the browser extension can also block access to specific pages inside the logged-in application. For example, if a user is granted "Collaborator" access to a shared Twitter account, that user cannot open the "Settings & Privacy" page while logged in through Cerby.

Supported Environments:

The Cerby browser extensions are currently supported on the two most recent versions of each of the following browsers, on any supported operating system:

  • Google Chrome

  • Mozilla Firefox

  • Microsoft Edge

  • Apple Safari

Authentication:

The Cerby browser extension currently shares a JSON Web Token with the Cerby web app, so the two have a single session: logging out of the Cerby web app also terminates the session in the browser extension, and the extension's session lives no longer than the web app's token. Cerby sessions are typically established after a successful authentication sequence through the customer's configured Identity Provider (e.g., Okta or Azure AD).

Permissions Used:

The Cerby browser extensions (CBE) request as few permissions as possible to carry out the Key Operations described above. The specific permissions and how each is used are detailed below:

  • storage - The storage permission lets the CBE remember the account last selected in the extension UI, so the user does not have to navigate to the same account repeatedly during a single login attempt.

  • https://*/ - This host permission covers every HTTPS origin. The CBE needs it so that it can run on whatever login page the user opens; before inserting anything, the CBE checks that the current domain is one the user has designated as valid. Note that the browser grants the permission broadly and does not restrict it to designated domains; that restriction is enforced by the CBE's own logic, using the host or domain information the user defines for each account in the Cerby web app.

  • cookies - The cookies permission lets the CBE detect whether the user already holds a valid session for the account being used. If a valid session cookie is present, the CBE skips the login form entirely, which makes the login experience faster for each account.

  • tabs - The tabs permission lets the CBE open new tabs in which to run the login and credential validation flows for the accounts it manages on behalf of its users.

  • webNavigation - The webNavigation permission lets the CBE detect whether a login attempt succeeded or failed by observing the page navigations that follow the attempt.

  • contextMenus - The contextMenus permission lets the user activate the CBE from the right-click context menu on any login field that the CBE does not detect automatically.

  • webRequest - The webRequest permission lets the CBE monitor the success or failure of certain account provisioning and deprovisioning API calls exchanged between the CBE, the Cerby web app, and the third-party application's web services.
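The domain check referred to under "In-page insertion of passwords" and under the https://*/ permission is the control that keeps a broad host permission from turning into "fill credentials anywhere". The following is an added example, not Cerby's code, of how an extension can implement that check: a user-designated domain list is normalized, and insertion is only allowed when the page is served over HTTPS and its hostname equals, or is a subdomain of, a designated domain. The domain list, page URLs, and function names are constructed for illustration and are assumptions, not anything taken from the Cerby product.

```javascript
// Added example (not Cerby's code): enforcing a per-account domain allowlist
// inside an extension that holds the broad "https://*/" host permission.
// The host permission only lets the content script load on any HTTPS page;
// this check is what the extension itself must pass before filling anything.

// Normalize a user-designated entry ("Example.com", "https://app.example.org/login")
// into a canonical lowercase hostname. Returns null for unusable entries
// (empty, unparseable, or not HTTPS), so a bad entry can never widen the allowlist.
function normalizeDesignatedDomain(entry) {
  const trimmed = String(entry).trim().toLowerCase();
  if (!trimmed) return null;
  const withScheme = trimmed.includes("://") ? trimmed : `https://${trimmed}`;
  let url;
  try {
    url = new URL(withScheme);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "https:") return null;
  return url.hostname.replace(/\.$/, ""); // drop a trailing dot (FQDN form)
}

// Exact match or subdomain match on label boundaries. The leading dot is what
// stops "example.com.evil.net" or "notexample.com" from matching "example.com".
function hostMatches(hostname, designated) {
  return hostname === designated || hostname.endsWith(`.${designated}`);
}

// Decide whether credential insertion may proceed on pageUrl for an account
// whose user-designated domains are designatedDomains. Returns { allowed, reason }
// so the caller can log why a fill was refused.
function insertionDecision(pageUrl, designatedDomains) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (e) {
    return { allowed: false, reason: "unparseable page URL" };
  }
  // Never fill over plaintext HTTP even if the hostname is designated.
  if (url.protocol !== "https:") {
    return { allowed: false, reason: `refusing to fill over ${url.protocol}` };
  }
  const hostname = url.hostname.toLowerCase().replace(/\.$/, "");
  const valid = designatedDomains.map(normalizeDesignatedDomain).filter(Boolean);
  if (valid.length === 0) {
    return { allowed: false, reason: "no valid designated domains configured" };
  }
  const match = valid.find((d) => hostMatches(hostname, d));
  return match
    ? { allowed: true, reason: `host matches designated domain ${match}` }
    : { allowed: false, reason: `${hostname} is not a designated domain` };
}

// Constructed sample configuration (assumed, not from any real account):
// one bare domain, one full URL, and one entry that is rejected as non-HTTPS.
const DESIGNATED_DOMAINS = ["Example.com", "https://app.example.org/login", "ftp://bad.example"];

// Constructed page URLs covering the cases that matter.
const SAMPLE_PAGES = [
  "https://login.example.com/session/new",   // subdomain of a designated domain
  "https://example.com.evil.net/login",      // lookalike: designated domain as a prefix
  "http://login.example.com/session/new",    // right host, wrong scheme
  "https://app.example.org/login",           // exact designated host
  "https://www.example.org/",                // sibling host, not designated
];

for (const page of SAMPLE_PAGES) {
  const d = insertionDecision(page, DESIGNATED_DOMAINS);
  console.log(`${d.allowed ? "FILL " : "BLOCK"} ${page} (${d.reason})`);
}
```

Two points worth noting when adapting this. First, the check runs on the hostname the browser parsed, not on a substring search of the raw URL, which is what defeats the lookalike case. Second, a suffix match is only safe if designated entries are real registrable domains: an entry such as "co.uk" would match every site under that suffix, so a production implementation should validate designated entries against the Public Suffix List before accepting them.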
