beemdevelopment / Aegis

A free, secure and open source app for Android to manage your 2-step verification tokens.
https://getaegis.app
GNU General Public License v3.0

Mnemonic Phrase for Backups #692

Open indolering opened 3 years ago

indolering commented 3 years ago

TL;DR: The best trade-off between security and usability for off-device backups is a setup workflow/wizard that instructs the user to write down or print off the encryption key. This is what many online services do when activating 2FA and how most cryptocurrency wallets operate.


TOTP apps, password managers, and crypto-currency wallets are all domain-specific secrets managers. The security model is fundamentally identical; their value comes in isolating failure: Aegis on your phone hedges against an XSS attack against your password manager's browser extension.

TOTP managers tie a device to an account, protected by the pin/pattern/biometrics of the phone. The average pin/pattern has ~14 bits of entropy and can only be meaningfully protected by hardware which limits brute force attempts. A strong KDF will deter casual attackers and is necessary because hardware security modules are usually buggy proprietary blobs which are regularly tricked into going over their limit.

For most users, off-device transfer of TOTP secrets (via device syncing, cloud backups, and vault exports) represents a violation of the isolation between secret managers. A separate password for backups would only bump the entropy level to ~30 bits; any "good passwords" higher than that are prone to being forgotten or fat fingered.

A better solution is to just store an offline copy of the full secret, possibly with mnemonic and QR encodings.

alexbakker commented 3 years ago

In summary, you'd like the encryption key for backups to be separate (see: #121) and have Aegis offer the user to generate a mnemonic phrase for them. Is that correct?

indolering commented 3 years ago

In summary, you'd like the encryption key for backups to be separate (see: #121)

Sorta. My advice as a UX engineer would be to remove the ability to set a password on backups that aren't backed by an HSM that can limit brute force attempts, as it's error prone and grossly insecure. If you must encrypt the private key with a password, bury that shit in some advanced settings. I have forgotten/fat fingered encryption passwords and personally know multiple people who lost large sums of money.

and have Aegis offer the user to generate a mnemonic phrase for them. Is that correct?

Mnemonic encodings are fine, but the most popular implementation (BIP39) is problematic. A QR code is less error prone, but make sure the paper backup includes the raw digits as well.

Have you investigated reusing code from an existing cryptocurrency wallet?

alexbakker commented 3 years ago

I'm fine with offering users the option to generate a secure backup passphrase for them, but removing the ability to set a custom password is not an option. I'm afraid users would just do away with encryption altogether and manually create plain text backups instead as a result of that.

Have you investigated reusing code from an existing cryptocurrency wallet?

What, specifically, would you suggest we reuse from the code of a cryptocurrency wallet? The BIP39 implementation?

indolering commented 3 years ago

I'm afraid users would just do away with encryption altogether and manually create plain text backups instead as a result of that.

And whyyyyyy would you let them do that?

99% of users will just rely on Google's backup service, which actually can resist brute force attacks. People rolling their own DiY backup system can't be trusted not to screw it up; forcing them to pass the encryption key through meat space is a good thing. If they are syncing between devices, they can just scan a QR code.

I wanted to get a PhD on this topic at one point, so just trust me when I say that relying on password based encryption is a bad idea. NN-based password cracking is very good at draining entropy from passwords, especially when combined with the huuuuuge password data leaks out there.

The problem with "good" passwords is that people forget them or screw them up during input. People at early crypto-currency meetings (myself included) did this all the time. I've tried to devise algorithms so that my paper password backups aren't trivially easy to decode, and I inexplicably will make the same systematic mistakes during conversion. After setting up a new offline machine, I literally walk away for a week before I do any serious work on it.

What, specifically, would you suggest we reuse from the code of a cryptocurrency wallet? The BIP39 implementation?

Yeah, but now that I think about it BitWarden's code base would be a better starting point for a 2FA app. It has ports to everything and has received a code audit....

FATHIMATHSAMAA commented 3 years ago

Lost my XRP phrase

indolering commented 3 years ago

Lost my XRP phrase

I have also lost backup keys, mainly because I set up an overly complicated system to protect them. This proposal still allows for backups to Google's HSM protected backup service, which uses the phone's pin (and maybe the user's Google password?) to protect the data.

FATHIMATHSAMAA commented 3 years ago

I want my lost Trust Wallet recovery phrase


NumbGnat commented 3 years ago

Reading this discussion has me intrigued. Although I comprehend most of what is discussed here, it seems @indolering has far more security related experience than I do.

I find myself wondering about my own choice for backup security. I use a randomly generated string (32-64 characters) from an offline password manager for my backup password. I don't have many concerns about forgetting the password that way. Is this complex enough?

I do understand both sides of the password issue though. @alexbakker is correct that if it's too difficult, users will just choose another backup method. I think @indolering's concerns are worth discussing, in order to help guide Aegis users to use the best practices, if at all possible.

Perhaps the app should automatically provide a mnemonic phrase, but allow the user to edit the value, if they so choose. Many users are likely to use the default provided, so you'd be helping them be more secure, with the power of suggestion and also giving them an idea of what their passcode should be like, if they choose to edit it manually.

FATHIMATHSAMAA commented 3 years ago

I want to recover my lost 12 word phrase, pls help me


alexbakker commented 3 years ago

@FATHIMATHSAMAA Please stop asking. You're in the wrong place.

indolering commented 2 years ago

Perhaps the app should automatically provide a mnemonic phrase, but allow the user to edit the value, if they so choose. Many users are likely to use the default provided, so you'd be helping them be more secure, with the power of suggestion and also giving them an idea of what their passcode should be like, if they choose to edit it manually.

Mnemonic phrase backups have redundancy, so that you can screw up a bit when transcribing the code but still recover the password. Specific words are chosen so that (among other things) spelling correction can be applied. They also generally employ an error recovery scheme, so that even if you totally screw up 3 of the words you can still recover the encryption key.

Allowing a user to edit them would break the algorithm that transforms the input from those words into the encryption key.
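A toy version of the scheme described in the comment above, added here as an example; it is not Aegis code nor taken from any wallet. A constructed 64-word list stands in for BIP39's 2048 words, a SHA-256 checksum (one bit per 32 bits of key, as in BIP39) detects a mistranscribed word, and nearest-match lookup repairs misspellings; it does not implement the multi-word recovery the comment mentions.

```python
import difflib
import hashlib

WORDLIST = (  # constructed 64-word list (6 bits/word); BIP39 uses 2048 words (11 bits)
    "acid apple arrow bacon badge banana beach brick cabin candy cargo chair "
    "cloud coral dance diary dream eagle earth ember fence field flame forest "
    "garden ghost glove grape hammer honey horse ivory jelly jewel juice "
    "kettle kiwi lemon light lunar magnet maple medal mirror noble ocean olive "
    "orbit panda pearl piano pilot quartz rabbit radio river robot salad "
    "shadow silver sugar tiger tower velvet"
).split()
BITS_PER_WORD = 6

def _checksum_bits(entropy: bytes) -> str:
    # BIP39 rule: one SHA-256 bit of checksum per 32 bits of entropy (<= 32 bytes here)
    return format(hashlib.sha256(entropy).digest()[0], "08b")[:len(entropy) // 4]

def encode(entropy: bytes) -> list[str]:
    """Key bytes -> words; the trailing checksum bits catch transcription errors."""
    bits = "".join(format(b, "08b") for b in entropy) + _checksum_bits(entropy)
    if len(bits) % BITS_PER_WORD:
        raise ValueError("entropy size does not fit the word size")
    return [WORDLIST[int(bits[i:i + BITS_PER_WORD], 2)]
            for i in range(0, len(bits), BITS_PER_WORD)]

def correct_spelling(words: list[str]) -> list[str]:
    """Snap each typed word to the closest list entry (lists keep entries dissimilar)."""
    fixed = []
    for w in words:
        match = difflib.get_close_matches(w.strip().lower(), WORDLIST, n=1, cutoff=0.6)
        if not match:
            raise ValueError(f"unrecognised word: {w!r}")
        fixed.append(match[0])
    return fixed

def decode(words: list[str]) -> bytes:
    """Words -> key bytes; rejects a phrase whose checksum does not match."""
    bits = "".join(format(WORDLIST.index(w), f"0{BITS_PER_WORD}b") for w in words)
    n_ent = len(bits) * 32 // 33          # entropy bits; checksum is 1/32 of them
    if n_ent % 8 or n_ent + n_ent // 32 != len(bits):
        raise ValueError("wrong number of words")
    entropy = int(bits[:n_ent], 2).to_bytes(n_ent // 8, "big")
    if bits[n_ent:] != _checksum_bits(entropy):
        raise ValueError("checksum mismatch: a word was transcribed wrongly")
    return entropy

def checksum_ok(words: list[str]) -> bool:
    try:
        return bool(decode(words))
    except ValueError:
        return False
```

A 128-bit key becomes 22 words; run `correct_spelling` on what the user typed before `decode`, and treat a checksum failure as "re-check the paper copy", never as a reason to guess.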

FATHIMATHSAMAA commented 2 years ago

I want to recover my 12 word phrase pls


unknow883 commented 1 year ago

Just to pile on here as a lay user... I think somehow the backup should be encrypted more robustly & with more effort to decrypt than to view codes in daily usage... so perhaps once a longer-stronger password is input into the phone it can save a session for some length of time or until some event (device off) and in the meantime be unlocked with a shorter pin code. Alternately maybe with biometrics plus a short pin code. I am sensitive to someone trying to get my fingerprints when I am not conscious of it but maybe that's paranoia. Authy seems to achieve this by having a long backup/restore password but a simple pin to protect viewing the codes. I think Signal works much the same way.