fmeum / WearAuthn

Use your Wear OS watch as a FIDO2 security key via Bluetooth and NFC.
https://play.google.com/store/apps/details?id=me.henneke.wearauthn.authenticator
MIT License
195 stars 8 forks source link

Enhancement Idea : Credential Storage backup in device #11

Closed mdowais closed 4 years ago

mdowais commented 4 years ago

(Created a new issue, to track this separately)

Dont u think, a backup of the Credentials Storage be present in Device aswell?

Something like uploading encrypted application data in Google Account (Not Visible to user), whilst the user sets the password while u salt it.

fmeum commented 4 years ago

This is impossible by design. All cryptographic data is kept in the Android Keystore and cannot be extracted from it, not even by system apps.

What would you want to use this backup funtionality for? Almost all sites that support WebAuthn should allow you to register more than one security key and it is always a good idea to do so.

mdowais commented 4 years ago

I accept that it is always a good thing to have more than one 2Facto, and i get it about keychain.

But, come to think of it. WearAuthn is a physical key, which by definition should result in losing access when lost or broken.

But still, this being a digital key. I guess, there could be an option to backup, like when the user launches WearAuthn for the first time, it allows to create an asymmetric keys, in which the user could save thier private key (maybe like a seed phrase of bitcoin), and the app stores the public key for encryption of backup data.

And the encrypted backup data is generated (altered:appended) when a new registration takes place right before saving to the keystore.

The mobile app, picks changes in encrypted backup data when available, pushes it to the cloud.

Do you think this could be ok, coz i don't know if there is any fido2 restriction/rule or something..

fmeum commented 4 years ago

I fully agree that watches can be lost and backups are important. But since FIDO devices are physical devices for a reason, the way backups are made should not compromise their security guarantees.

For example, in order to make a Keystore key backupable, it would need to be generated outside of the keystore, which would then prevent certain hardware protections from applying to it. While there are no explicit FIDO rules against this (a FIDO authenticator could take the form of a Python script on your computer after all), it's certainly against its spirit to allow key material to be exported from the authenticator.

Since most websites with WebAuthn support allow you to register multiple devices and all of them have a fallback option of TOTP or a paper password (which is basically what you are proposing for WearAuthn as well, just not linked to WearAuthn's keys). These have the advantage that they do not weaken WearAuthn's security properties and can also be regenerated independently in case they should get lost.

There is also ongoing work on a secure backup concept for WebAuthn credentials. In case you are interested, you can follow the discussion over here: https://github.com/Yubico/webauthn-recovery-extension.

I will close this for now and label it wontfix for the reasons I gave above, but will think about implementing backup-related features once there is official WebAuthn guidance on them.