
Protect your credentials

Root accounts, cloud credentials, TOTP secrets — if only one person holds them, you are one incident away from losing access.

The problem

Single points of failure in every organization

Bus factor

AWS root account, domain registrar, GitHub organization owner — critical credentials often live in one person’s head or password manager. If that person is unavailable, operations stop.

Shared credentials are insecure

Credentials in a shared Google Doc, Slack channel or team password manager create exposure. Any compromised team member puts everything at risk.

No recovery plan

Investors, boards and compliance auditors increasingly ask about credential recovery. Most organizations have no answer beyond “we trust the person who set everything up.”

Open source maintainer risk

Single-maintainer projects often have no succession plan for signing keys, deployment credentials or package registry access. The project dies with the maintainer.

The solution

From daily threats to the unthinkable

Protect against daily threats

Store critical credentials in an encrypted QR code backup called a block — replace shared Google Doc, Slack channel or team password manager with an offline backup.


Plan for the unthinkable

Split credentials into a set of blocks called a blockset — distribute blocks among board members, executives and trusted colleagues, establishing governance that survives the unthinkable.


Protect against daily threats

Create block

Enter critical credentials and TOTP secrets, choose a strong passphrase and create a block. Print the block on paper or save it as a file.

Store blocks safely

Keep the block in a company vault, HSM or other secure facility alongside other critical files. The passphrase can live in the organization's password manager. Storing the block and the passphrase separately creates two-factor recovery: neither one alone is enough to reveal the credentials.

To restore, scan the block, enter the passphrase and view the credentials.

Plan for the unthinkable

Create blockset

Create a 2-of-3 or 3-of-5 blockset containing critical credentials. All blocks share the same passphrase.

Distribute blocks and passphrase

Share passphrase with all parties and distribute blocks to company vault, outside counsel and board members.

Establish governance

Recovery requires cooperation — the threshold you chose determines how many blocks must be recovered. Document the scheme in your incident response plan.

Open source succession

For single-maintainer projects, the same approach allows designated contributors to recover signing keys, deployment credentials, repository access and package manager accounts.

When the time comes, board members or designated people gather the required number of blocks, enter the passphrase and view the credentials.

What Superbacked does not protect against

No solution protects against everything — being honest about that is part of earning your trust.

Passphrase reuse

Superbacked enforces strong passphrases but cannot prevent reuse. If the passphrase is reused from a breached service, brute-force protection is bypassed: whoever holds the block can try the leaked passphrase directly instead of guessing. Consider using the built-in passphrase generator.

Lost passphrase

If you lose the passphrase, the block or blockset becomes permanently unrecoverable. Store the passphrase in your password manager or another secure location.

Operational security

If someone gains access to both the block and the passphrase — for example, through an unlocked password manager — the secret is compromised. Lock devices when away.

Compromised machine

If malware is running on the computer when you create a block or blockset, the secret could be captured before encryption. For high-stakes secrets, use Superbacked OS.

Credentials already compromised

Superbacked protects credentials at rest but does not protect credentials that were already compromised before being stored. Consider rotating credentials before creating backups if a breach is suspected.

Custodian collusion

If enough custodians collude to meet the threshold, they can recover the secret without authorization. Choose custodians carefully and set thresholds that reflect your trust model.

For high-stakes secrets, use Superbacked OS — a hardened operating system that runs offline and persists nothing to disk.


Copyright (c) Superbacked, Inc.