Closed manonfgoo closed 2 years ago
Hello, locked keychain items are protected with the biometrics userPresence flag. This enforces device-only access; locked tokens will not be included in encrypted backups. You should be able to easily confirm this behavior by testing. If you have any suggestions to improve the documentation, then feel free to submit a PR. Thank you.
@manonfgoo Are you okay to close this issue, or do you need any further clarification?
Hello,
Thanks a lot for FreeOTP!
I have found the following inconsistency: when creating a locked token, the user is informed as follows: "WARNING: Locked tokens are not included in backups for security reason", while parts of the code indicate the opposite:
Code informing the user that locked tokens are not backed up:
https://github.com/freeotp/freeotp-ios/blob/5a1696ef1eaf5e0c1f739b6d0e75f136ba6671d6/FreeOTP/Base.lproj/Main.storyboard#L401
while this part of the code intends to do exactly the opposite (this was introduced in PR #129 "Enable encrypted keystore backup"):
https://github.com/freeotp/freeotp-ios/blob/5a1696ef1eaf5e0c1f739b6d0e75f136ba6671d6/FreeOTP/KeychainStore.swift#L55
Before PR #129, the code did what was displayed to the user:
https://github.com/freeotp/freeotp-ios/blob/b053bfbf8dc31b951e2480c2eddf81116eff45a6/FreeOTP/KeychainStore.swift#L55
I would like to petition for having tokens that cannot leave the device or can be configured not to leave the device. Reason: with two-factor authentication there should be the factors "Knowledge" (password) and "Ownership" (token) involved. When the token can be backed up (encrypted with another password) and be restored to multiple devices, the "two factor" is circumvented. Following this idea, the change in line 55 of FreeOTP/KeychainStore.swift from PR #129 should be reverted.
Kind regards, Manon
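For readers comparing the two keychain behaviours discussed in this thread (the maintainer's point about userPresence-protected items and the reporter's point about the accessibility attribute on line 55), here is an added Swift example. It is not FreeOTP's KeychainStore.swift and not the maintainer's code; it uses only the public Security framework API. The service name, account names and the `TokenStorage` type are constructed for this illustration. The first function stores a secret with `kSecAttrAccessibleWhenUnlocked`, which carries no ThisDeviceOnly restriction and so can travel in an encrypted backup; the second binds the item to the device with `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` plus a `.userPresence` access control, so it is excluded from backups and reads require biometrics or the passcode.

```swift
import Foundation
import Security

// Added illustration, not FreeOTP project code. Service/account strings are
// constructed; the TokenStorage type is hypothetical.
enum TokenStorage {
    static let service = "example.otp.tokens"   // constructed value

    /// Stores a secret that MAY leave the device: kSecAttrAccessibleWhenUnlocked
    /// has no "ThisDeviceOnly" restriction, so the item is eligible for
    /// inclusion in an encrypted device backup and restore onto other devices.
    static func storeBackupable(secret: Data, account: String) -> OSStatus {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecValueData as String: secret,
            kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlocked,
        ]
        return SecItemAdd(query as CFDictionary, nil)
    }

    /// Stores a secret bound to THIS device: the ThisDeviceOnly accessibility
    /// class keeps the item out of backups, and the userPresence flag makes
    /// every read require Touch ID / Face ID or the device passcode.
    /// Note: kSecAttrAccessControl replaces kSecAttrAccessible in the query;
    /// the two attributes must not be combined in one SecItemAdd call.
    static func storeDeviceBound(secret: Data, account: String) -> OSStatus {
        var error: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            .userPresence,
            &error
        ) else {
            // Access-control object could not be created (e.g. no passcode set).
            return errSecParam
        }
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecValueData as String: secret,
            kSecAttrAccessControl as String: access,
        ]
        return SecItemAdd(query as CFDictionary, nil)
    }

    /// Removes an item so the example can be re-run; returns true when an
    /// item was deleted or none existed.
    static func remove(account: String) -> Bool {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        let status = SecItemDelete(query as CFDictionary)
        return status == errSecSuccess || status == errSecItemNotFound
    }
}

// Usage (runs on a device or simulator with a passcode configured):
let secret = Data("constructed-base32-seed".utf8)   // constructed sample
_ = TokenStorage.remove(account: "backupable")
_ = TokenStorage.remove(account: "locked")
print("backupable:", TokenStorage.storeBackupable(secret: secret, account: "backupable"))
print("locked:", TokenStorage.storeDeviceBound(secret: secret, account: "locked"))
```

The practical check for the behaviour disputed in this issue is to store one token with each function, take an encrypted backup, restore it onto a second device and see which of the two items comes back: only the item written with the `ThisDeviceOnly` class should be missing.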