Trusted sessions and devices

Every time you access the Cerby platform, you are connecting from a device: the Cerby web app, browser extension, or mobile app. Trusted sessions and devices are the mechanism Cerby uses to verify that those connections come from authorized endpoints before granting access to your accounts, secrets, and vaults.

Think of a trusted session as a handshake between you and Cerby. When you set up a trusted session on a device, Cerby registers that device as a known and authorized access point for your account. From that moment, interactions with the Cerby platform originating from that device are treated as verified.

Why trusted sessions matter

Trusted sessions add a meaningful layer of security on top of your login credentials. Even if someone obtains your password, they cannot access your Cerby workspace from an unregistered device. Each device must be explicitly verified before it can be used.

For users working with local vaults, trusted sessions are especially critical. Local vaults store encryption keys on the device itself, meaning the trusted session is not just an access gate, it is also the holder of the cryptographic keys needed to decrypt your data. Without a trusted session on that device, the vault content is inaccessible, even to Cerby.

How trusted sessions work

Any of the three Cerby client apps can be registered as a trusted device:

• The Cerby web app (each browser is treated as a separate device)

• The Cerby browser extension (each browser installation is treated as a separate device)

• The Cerby mobile app

When you log in to Cerby for the first time on a new device, you are automatically prompted to set up a trusted session. The verification process confirms your identity using a code sent to your email, or by approving the session from a device you have already registered.

Users can register up to 20 trusted devices. When that limit is reached, an existing device must be disabled before a new one can be added.

What happens when a user leaves

Trusted sessions are tied to individual user accounts. When a user is deprovisioned from a workspace, all of their registered trusted sessions and devices are automatically disabled. This ensures that former employees cannot retain access through previously trusted endpoints, even if they still have their physical device.

Workspace Admins can view and manage trusted sessions for all users in the workspace from the Cerby web app. For more information, see the Trusted sessions and devices section.