keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Single Factor FIDO2 Authentication #6801

Closed Iiridayn closed 3 years ago

Iiridayn commented 3 years ago

Summary

"Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication" (https://trust.cispa.saarland/publication/lyastani-20-sp/lyastani-20-sp.pdf) shows that users would be willing to replace their passwords with a "Something you have" FIDO2 authenticator, such as a Yubikey. I would appreciate the convenience of unlocking my password database simply by having a USB device on my keyring instead of retyping (and typoing) my 8-word diceware passphrase. I am uncomfortable with the idea of leaving encryption keys able to unlock my database on various devices, though I recognize some common device compromise vectors able to acquire such a key may also access my password or unlocked database itself.

KeePassXC already supports Yubikeys as a second factor of authentication; would it not be simple then to support them as an alternate single factor of authentication, no weaker than a 100-bit passphrase?

To be clear - I would like to be able to choose at the time I unlock my database which authentication credential I would like to use - single factor passphrase or single factor Yubikey. I don't want to have to use both together, but would like each to have equivalent security.

Context

I care a lot about both security and convenience/usability. I use KeePassXC on 3 x86_64 devices and 2 Android devices, syncing my database via Syncthing. I have a strong passphrase which is somewhat bothersome to retype - when I read that paper, KeePassXC immediately came to mind.

droidmonkey commented 3 years ago

FIDO2 is covered by #3560. We won't ever support multiple valid credential combos, that is not part of the kdbx standard.

Iiridayn commented 3 years ago

I do not agree that this is a duplicate of the linked issue. Multiple valid credential combos is indeed what I am requesting. As the project won't ever support it, this should instead be closed as wontfix.

Iiridayn commented 2 years ago

Reading https://keepass.info/help/kb/kdbx_4.html, it looks like the password-derived key could be encrypted and stored in the outer header, as plugin data. This would then be compatible with other users of the kdbx4 file; they just wouldn't support the alternate authentication methods.
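The key-wrapping idea in the comment above, as an added illustration that is not KeePassXC code and not the KDBX format: the database master key is wrapped once per accepted credential, so either the passphrase or a hardware-token response alone recovers it, and the header holds no usable key on its own. It assumes stdlib scrypt in place of the Argon2/AES-KDF transforms, an HMAC-based encrypt-then-MAC wrap in place of AES, and a constructed stand-in for the token's challenge-response output.

```python
import hashlib
import hmac
import secrets

# Added example, not KeePassXC code: scrypt stands in for the KDBX Argon2/AES-KDF
# transforms, and TOKEN_RESPONSE is a constructed stand-in for a hardware key's
# challenge-response output.
MASTER_KEY = bytes(range(32))                 # constructed 32-byte database key
TOKEN_RESPONSE = bytes.fromhex("a1" * 20)     # constructed token output

def kek_from_passphrase(passphrase, salt):
    # Slow KDF: the passphrase is the low-entropy credential.
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def kek_from_token(token_response, salt):
    # The token response is already high entropy; just bind it to this file's salt.
    return hmac.new(salt, token_response, hashlib.sha256).digest()

def wrap(kek, master_key):
    # Encrypt-then-MAC of the 32-byte master key: nonce || ciphertext || tag.
    nonce = secrets.token_bytes(16)
    keystream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()  # one 32-byte block
    ct = bytes(a ^ b for a, b in zip(master_key, keystream))
    return nonce + ct + hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()

def unwrap(kek, blob):
    # Returns the master key, or None when the tag fails (wrong credential or tampering).
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()):
        return None
    keystream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, keystream))

def build_header(master_key, passphrase, token_response):
    # One salt; one independently wrapped copy of the master key per accepted credential.
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "passphrase": wrap(kek_from_passphrase(passphrase, salt), master_key),
            "token": wrap(kek_from_token(token_response, salt), master_key)}

def unlock(header, passphrase=None, token_response=None):
    # Either credential alone recovers the same master key; the header stores no plaintext key.
    salt = header["salt"]
    if passphrase is not None:
        return unwrap(kek_from_passphrase(passphrase, salt), header["passphrase"])
    return unwrap(kek_from_token(token_response, salt), header["token"])

HEADER = build_header(MASTER_KEY, "correct horse battery staple", TOKEN_RESPONSE)
```

Each wrapped slot is 80 bytes (16-byte nonce, 32-byte ciphertext, 32-byte tag), which is the kind of opaque blob that could sit in the outer header as plugin data without affecting readers that ignore it.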