Upon account creation, the server collects minimal identifying information such as first name, last name, username, Date of Birth, and email address. This minimal identifying information is needed to create a record of informed consent, tied to a person's identity. Mobile or web clients do not communicate directly with Stormpath, but instead with the Bridge API backed by the Bridge server running on Heroku. In our current implementation, the Bridge server acts as a proxy to Stormpath for management of user account data. Thus, although we have identified no concerns with hosting user account information in Stormpath, our architecture is such that, if needed, we can move to a different service, or even to an in-house implementation.
The server stores of this identifiable account information in a back-end database distinct from the one that stores the study data. Currently, the Bridge server uses a commercial authentication system provided by Stormpath to store and manage such user account data. Stormpath is one of the leading providers of user management and authentication services, with experience in securing user accounts using start-of-the art security technologies and practices (see Stormpath's Security and Availability documentation for a description of their system). Using a third-party service specializing in user management and authentication allows us to achieve solid security around users’ personal account data and ensure a clean separation between personal account data and the de-identified study data that can be used for research. This way, in the rare event that either database is compromised, the connection between a person and her/his health data will remain protected.
Additional security is provided because the Bridge server separately encrypts / decrypts most user data as it is stored / retrieved from Stormpath. For example, phone number is encrypted by Bridge and is stored encrypted in Stormpath. The exception to this is user email which is managed securely by Stormpath, but not separately encrypted by the Bridge server. This allows Stormpath to take on some aspects of user account management such as email validation and password resets.
When the Bridge server makes calls to Stormpath, we supply an API key provided by Stormpath so they can authenticate call coming to our instance. The Bridge server uses standard HTTPS to communicate with Stormpath, thus we use standard certificate authorities to authenticate Stormpath to ourselves. At the time of this being written, the Stormpath certificate is issued by DigiCert High Assurance EV CA-1. The connection uses TLS 1.2. It is encrypted using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.