Fido/u2f support

[Washee]

Hi there, i would like to make a feature request: It would be nice to have support for protocols like U2F or Fido2, in order to avoid retyping fs passwords all the time. Since I have to retype the passwords, which secure the different filesystems, I choose them as long as possible, but as short as usable in order to remember them. Therefore the password is probably the weakest link in the encryption. This comes especially into way, when you have several different encrypted filesystems.

Here my request: Could you add support for U2F/Fido/.. so we just have to authenticate with a hardware token, which is then used to decrypt all our different fs passwords. This would lead to the possibility to use really long, random passwords for the filesystems themselves, which can be stored at a dedicated, secure place. (password fault, physical safe, wherever) Furthermore it would be possible, to keep as much security features active, as possible - like closing the volumes, when the app goes to background - without losing a significant portion of usability.

Keep up the good work! @hardcore-sushi thank you for developing & maintaining this project!

[hardcore-sushi]

Yes support for hardware tokens would be great, but the only library I found for this is fido2 from com.google.android.gms, which is non-free. I can't include this dependency into DroidFS. I don't know if there is any FLOSS alternative.

[Washee]

Unfortunately I don't have any experience with developing fido2. But there seem to be a few open source librarys, which implement different standards. But I cant tell if there is a usable floss one among them. Here is an overview of different implementations. And here a java based implementation based implementation, based on gplv3 license.

[hardcore-sushi]

gocryptfs relies on the HMAC secret extension of the FIDO2 protocol. It seems that hwsecurity doesn't provide an API for it.

[Washee]

I was rethinking my feature request and I am unsure if this is a legit request. Maybe it would be wiser to use a dedicated password manager which is capable of fido2 for creating and managing long, random passwords, instead of integrating such a feature into DroidFS. Since the focus of DroidFS may not be managing passwords, but providing secure data storage capability. I dont want to discourage you of considering this feature. But I would accept, if you tend not (yet) to implement this.

Unfortunately popular password managers like KeePassDX don't yet support Fido as well. It's a pity. The ball doesn't start rolling.

[hardcore-sushi]

gocryptfs allows creating volumes where the master key is encrypted using the FIDO2 hmac-secret extension. I think DroidFS should also support FIDO2 so we could open such volume with the app. Relying on third-party apps would probably break compatibility with gocryptfs.

[Washee]

Then I am glad, that I made this proposal. Nevertheless the implementation may be tricky. I probably can't help you with this. But if it comes to testing, I may can give you a helping hand. 😃

[kuhy]

I think it should be possible to use this library: https://github.com/Yubico/yubikit-android/tree/main/fido