What makes CosyncJWT secure?
The answer to that question is RSA public/private key encryption. The RSA standard is sufficiently secure so as not to be cracked through a simple brute force method - it is also the basis for cryptographic signatures with blockchain and all crypto-currencies. Asymmetric RSA encryption is based on a simple concept; if a message is encrypted (or signed) with a private key, that message can only be decrypted with a single public key - in the matching key pair. In the JWT standard, the payload is in fact not encrypted; the only encrypted piece is the signature which is produced by running an RS256 encryption hash using a private key on the header and the payload of the JWT token. The signature provides proof to the MongoDB Realm instance that the JWT token originated from the CosyncJWT system, and not some malicious third party.
JSON Web Tokens (or JWT) is the secure mechanism through which the CosyncJWT service provides identity management to a MongoDB Realm application. The CosyncJWT service stores a user’s handle and password in an encrypted database. When an application needs to validate the credentials of a user, it defers this task to CosyncJWT. In a first pass, the user’s handle and password are validated against the user’s credentials that are stored in the database. In a second pass, the CosyncJWT service can also confirm the user’s identity through Google’s two-factor authentication service, or by sending the user a code to his/her verified phone number. Once a user’s credentials have been verified, the CosyncJWT signs a JWT token with the application’s secret private key that is kept confidential.
Since the CosyncJWT system stores the secret private key, a MongoDB Realm application instance that is configured with the corresponding public key is guaranteed that only the CosyncJWT system could sign the authenticating JWT tokens on behalf of the application users. In order to produce counterfeit tokens, a malicious system would have to gain access to the private key, which is stored in an encrypted form on the CosyncJWT database.