Closed: DanGould closed this 2 years ago
Now the hdMaster secret is encrypted with an intermediate key derived from the password.
That both lets the user change the password and can be safely stored with TouchID/FaceID instead of the actual hdMaster secret. The caveat is that the hdMasterSecret is derived from the original 12 words & password as passcode.
DO NOT USE LOCALSTORAGE
Keep in mind OWASP M4 & M6:
https://owasp.org/www-project-mobile-top-10/2016-risks/m4-insecure-authentication
https://owasp.org/www-project-mobile-top-10/2016-risks/m6-insecure-authorization
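Added example, not part of the original issue and not the project's code: a sketch of the wrapping scheme described above, showing that a password change only re-wraps the hdMaster secret under a new intermediate key. The function names, the choice of scrypt and AES-256-GCM, and the sample values are assumptions made for illustration.

```javascript
// Added illustration; names, KDF and cipher choices are assumptions, not the project's.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Derive the 32-byte intermediate key from the password and a per-vault salt.
function deriveIntermediateKey(password, salt) {
  return scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Encrypt (wrap) the secret under the intermediate key with AES-256-GCM.
function wrap(key, secret) {
  const iv = randomBytes(12); // fresh nonce for every wrap
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(secret), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt (unwrap); final() throws if the key is wrong or the data was modified.
function unwrap(key, { iv, ct, tag }) {
  const decipher = createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// The stored record holds only salt, nonce, ciphertext and tag, never the secret.
function createVault(password, hdMasterSecret) {
  const salt = randomBytes(16);
  return { salt, ...wrap(deriveIntermediateKey(password, salt), hdMasterSecret) };
}

function openVault(password, vault) {
  return unwrap(deriveIntermediateKey(password, vault.salt), vault);
}

// Password change: unwrap with the old key, re-wrap with a new one.
// The hdMaster secret itself is untouched.
function changePassword(oldPassword, newPassword, vault) {
  return createVault(newPassword, openVault(oldPassword, vault));
}

// Constructed sample values, for demonstration only.
function demo() {
  const secret = Buffer.from('constructed-hd-master-secret-001');
  const v2 = changePassword('old-pass', 'new-pass', createVault('old-pass', secret));
  return openVault('new-pass', v2).equals(secret);
}
```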