freeotp / freeotp-ios

Apache License 2.0

Face ID Protected Tokens #299

Open kaladendra opened 1 year ago

kaladendra commented 1 year ago
  1. I bought a new iPhone.
  2. I backed up my old iPhone to iCloud, checking to make sure FreeOTP was included in the backup.
  3. I erased my old iPhone.
  4. I restored my account on the new iPhone.
  5. However, FreeOTP did not restore for whatever reason; no tokens are available to generate codes.
  6. I successfully restored an old backup on my old iPhone and FreeOTP opens with all tokens.
  7. But, the Face ID protected tokens won't open. Presumably because my old Face ID was wiped when the phone was wiped. My new face does not unlock the tokens.
  8. Is there any way to get the Face ID tokens to open now?
  9. If not, I would caution against using Face ID protected tokens on FreeOTP if you ever plan to upgrade your iPhone.
  10. Thanks in advance for any help.

justin-stephenson commented 1 year ago

Please note that tokens secured with biometrics data will not be included in Apple iOS backups, by design. See https://github.com/freeotp/freeotp-ios/issues/243#issuecomment-940372097

We added a warning about this to the scan token wizard when enabling "locked" tokens, sorry if it was not more obvious.

After the tokens are restored, the token metadata exists but the actual token secret is gone. Unfortunately there is no way to recover that token from the authenticator side at this point.

kaladendra commented 1 year ago

Hi Justin,

Thanks for your reply, that’s what I’d surmised. I feel that this biometric feature, while clever, is a big risk to users of the app, especially anyone with a token for a financial application. Warnings are not effective against memory atrophy. I presume the idea is that users must remember to remove the biometric lock prior to resetting an iPhone, but it’s very likely that this will be overlooked. The only way to make it practical would be to warn users during the resetting process, which I imagine Apple would not enable for a third-party developer.

Cheers,

Andrew

On Feb 27, 2023, at 9:15 AM, Justin Stephenson @.***> wrote:



> Please note that tokens secured with biometrics data will not be included in Apple iOS backups, by design. See #243 (comment) https://github.com/freeotp/freeotp-ios/issues/243#issuecomment-940372097
>
> We added a warning about this to the scan token wizard when enabling "locked" tokens, sorry if it was not more obvious.
>
> After the tokens are restored, the token metadata exists but the actual token secret is gone. Unfortunately there is no way to recover that token from the authenticator side at this point.


justin-stephenson commented 1 year ago

Fair points, thanks for your input. I am open to ideas on how we can improve this on the FreeOTP side. Technically speaking we cannot work around this biometrics security feature, so perhaps there is a better way to inform users about this potential issue.

kaladendra commented 1 year ago

Could recovery codes be incorporated such that if the original biometrics are not accessible by the app, users can turn off the biometric lock on affected tokens by inputting a recovery code?

In my example I was not able to generate a 2FA code to log into a cryptocurrency exchange. Luckily I’d recently moved my assets to a cold wallet, but if not I would be chatting with customer support trying to turn off 2FA through other methods of verification, and it’s possible they may have told me that there was nothing that could be done to turn it off.

So I feel that the advantages of the Face ID protected tokens simply don’t outweigh the risks. Most users will think that it’s a neat feature like I did, even having read the warning, but it’s unnecessary as you will have already unlocked your phone to access the app. Anyone who has their phone stolen will lose access to those tokens; the warning is irrelevant in that situation. So a solution is really needed if the functionality is not removed.

Thanks,

Andrew

On Feb 27, 2023, at 4:25 PM, Justin Stephenson @.***> wrote:

> Fair points, thanks for your input. I am open to ideas on how we can improve this on the FreeOTP side. Technically speaking we cannot work around this biometrics security feature, so perhaps there is a better way to inform users about this potential issue.


justin-stephenson commented 1 year ago

> Could recovery codes be incorporated such that if the original biometrics are not accessible by the app, users can turn off the biometric lock on affected tokens by inputting a recovery code?

Currently when a token is added with biometrics lock, the token secret is stored in the keystore with biometrics restricted access[1]. I don't know if it's possible to modify this access control restriction setting for existing keychain entries. This would need to be investigated. If technically possible, I would be in favor of this approach - i.e. giving more power to users to remove biometrics after the token is added.

[1] https://developer.apple.com/documentation/security/keychain_services/keychain_items/restricting_keychain_item_accessibility

> In my example I was not able to generate a 2FA code to log into a cryptocurrency exchange. Luckily I’d recently moved my assets to a cold wallet, but if not I would be chatting with customer support trying to turn off 2FA through other methods of verification, and it’s possible they may have told me that there was nothing that could be done to turn it off.
>
> So I feel that the advantages of the Face ID protected tokens simply don’t outweigh the risks. Most users will think that it’s a neat feature like I did, even having read the warning, but it’s unnecessary as you will have already unlocked your phone to access the app. Anyone who has their phone stolen will lose access to those tokens; the warning is irrelevant in that situation. So a solution is really needed if the functionality is not removed. Thanks, Andrew

I understand your experience but some users may not rely on backup and restore features, and place more value in the biometrics locked tokens. I prefer to leave this for users to decide and not remove all functionality for locking support.

Thank you.
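What "biometrics restricted access" on a keychain entry, as described in the comment above, can look like in Keychain Services, written as an added Swift example (not FreeOTP's code and not posted by anyone in this thread). The service name, the function names, and the choice of `.biometryCurrentSet` with `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` are assumptions made for illustration.

```swift
import Foundation
import Security
let service = "example.otp.secrets"  // hypothetical service name, not FreeOTP's
enum KeychainError: Error { case status(OSStatus), accessControl, noData }

func baseQuery(_ account: String) -> [String: Any] {
    [kSecClass as String: kSecClassGenericPassword,
     kSecAttrService as String: service,
     kSecAttrAccount as String: account]
}

// Store a token secret. A locked item is tied to the biometric set enrolled now
// (re-enrolling invalidates it), and ThisDeviceOnly items never migrate on restore.
func store(_ secret: Data, account: String, locked: Bool) throws {
    var query = baseQuery(account)
    query[kSecValueData as String] = secret
    if locked {
        guard let acl = SecAccessControlCreateWithFlags(
            nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .biometryCurrentSet, nil) else { throw KeychainError.accessControl }
        query[kSecAttrAccessControl as String] = acl
    } else {
        query[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlock
    }
    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

// Read the secret; for a locked item the system shows the biometric prompt.
func load(account: String) throws -> Data {
    var query = baseQuery(account)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
    guard let data = item as? Data else { throw KeychainError.noData }
    return data
}

// Drop the lock by re-creating the item. This needs one successful biometric
// read, so it cannot help once the secret is already unreachable.
func removeBiometricLock(account: String) throws {
    let secret = try load(account: account)
    let status = SecItemDelete(baseQuery(account) as CFDictionary)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
    do { try store(secret, account: account, locked: false) }
    catch { try? store(secret, account: account, locked: true); throw error }
}
```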

kaladendra commented 1 year ago

Hi Justin,

I understand, thanks for the replies. Just to clarify my last comment below about stolen iPhones, it was referring to the fact that the user would be forced to restore onto a new phone and therefore the biometrics would not be present. That’s different than voluntarily resetting a phone or buying a new one and restoring to it.

With that in mind, I would make it very clear in the warning that if an iPhone is lost, stolen, bricked, reset or restored, the biometrics will not migrate to a new phone and therefore the biometric tokens will not be accessible.

Regards,

Andrew

On Feb 28, 2023, at 8:50 AM, Justin Stephenson @.***> wrote:

> > Could recovery codes be incorporated such that if the original biometrics are not accessible by the app, users can turn off the biometric lock on affected tokens by inputting a recovery code?
>
> Currently when a token is added with biometrics lock, the token secret is stored in the keystore with biometrics restricted access[1]. I don't know if it's possible to modify this access control restriction setting for existing keychain entries. This would need to be investigated. If technically possible, I would be in favor of this approach - i.e. giving more power to users to remove biometrics after the token is added.
>
> [1] https://developer.apple.com/documentation/security/keychain_services/keychain_items/restricting_keychain_item_accessibility
>
> > In my example I was not able to generate a 2FA code to log into a cryptocurrency exchange. Luckily I’d recently moved my assets to a cold wallet, but if not I would be chatting with customer support trying to turn off 2FA through other methods of verification, and it’s possible they may have told me that there was nothing that could be done to turn it off.
> >
> > So I feel that the advantages of the Face ID protected tokens simply don’t outweigh the risks. Most users will think that it’s a neat feature like I did, even having read the warning, but it’s unnecessary as you will have already unlocked your phone to access the app. Anyone who has their phone stolen will lose access to those tokens; the warning is irrelevant in that situation. So a solution is really needed if the functionality is not removed. Thanks, Andrew
>
> I understand your experience but some users may not rely on backup and restore features, and place more value in the biometrics locked tokens. I prefer to leave this for users to decide and not remove all functionality for locking support.
>
> Thank you.


Caian commented 1 year ago

Hi, I would like to suggest an app-wide biometric lock, like Bitwarden and Authy do, so users can protect the access to all tokens and still maintain the backup functionality. Biometric protection for individual tokens would add another layer of security, with the obvious cost of losing backup functionality.