sakurity / securelogin

This version won't be maintained!
MIT License

What happens if I lose my device? #21

Closed aredridel closed 7 years ago

homakov commented 7 years ago

Email and password are enough to create the same profile, there's nothing important on device, no backups needed.

aredridel commented 7 years ago

Oh interesting! What if your password is compromised?

homakov commented 7 years ago

Then you can try to change your profile1->profile2 on all services before the attacker does. It's not different from an email-based scheme.

aredridel commented 7 years ago

Gotta track down everywhere you used a profile? Eeek.

At least with email you can change the email password and regain control en masse.

homakov commented 7 years ago

The change is automatic in next version.

b3nsn0w commented 7 years ago

Okay, let's say I have been mugged, the attacker took my phone with the derived key on it and the list of services I've used. How am I supposed to lock him out?

homakov commented 7 years ago

So full disk encryption and a passcode are prerequisites for secure usage of devices these days. That's the user's responsibility.

If the phone is unlocked, there will be a page where in one click you would change profile for all services you used (under development).

b3nsn0w commented 7 years ago

I don't have the phone, the attacker took it. I suppose if I regenerate the profile on another device I don't get the list back.

Also, I'd assume anyone pointing a knife at me and taking a phone these days is smart enough to stab me if I don't give him the passcode too.

> So full disk encryption and a passcode are prerequisites for secure usage of devices these days. That's the user's responsibility.

If that's the mentality behind this protocol it only works for people who are going to stay secured anyway. Lots of people don't use passcodes because they feel it inconvenient and "they are not freaks" (as a freak, I can't understand this one), and full disk encryption is really rare among non-geeks if there isn't an external entity (IT department, phone manufacturer, etc.) managing it for them.

homakov commented 7 years ago

> if I regenerate the profile on another device I don't get the list back.

The list of websites you used? In the future you will, but for now, we will just use top 1K websites.

> Lots of people don't use passcodes because they feel it inconvenient

There's a very good trend where all vendors make it almost necessary by default. iOS always turns it on after every update on my iPad, even if it's just a testing device. Android is moving in that direction too.

You're asking philosophical questions that aren't specific to this protocol. What if they take your credit card and ask for the PIN code? Or take your bitcoin wallet and ask for the passphrase? If you're good at bluffing, try to share a fake identity. Or log out when passing a border (an equivalent of Travel Mode in 1Password).

b3nsn0w commented 7 years ago

> The list of websites you used? In the future you will, but for now, we will just use top 1K websites.

That's very interesting and if it works, it could very well solve the issue. I'd like to see how, especially if it's keeping up the decentralization and scalability, but next version I guess, got it.

And for the rest, I was not trying to ask philosophical questions. I thought I was seeing a weakness in the protocol and my intent was to figure out its extent. At least currently, SecureLogin is only as secure as the device that holds it. This issue is about that device getting lost, that's what I'd like to explore here.

For example, I use LastPass on my phone, which is about as secure for me as SecureLogin would be. But if someone takes my phone and passcode, they still can't take my LastPass vault, it needs my fingerprint, and if that changes in the phone, my (very long) master password needs to be reentered. Same with the mobile bank client, it needs a separate PIN code.

The point is, a lost phone is not only a problem because of the lost profile but it can also become a leak, and just like a service provider cannot depend on the user to use a password manager, SecureLogin also cannot depend on them to protect the app with foolproof security. This may be a whole separate issue (in fact, I think I should open one with additional details) but the part concerning this one is that your phone, laptop, or whatever else is out in the wild with information that could compromise your account. This is a very important aspect of "what happens if I lose my device".

homakov commented 7 years ago

> But if someone takes my phone and passcode, they still can't take my LastPass vault, it needs my fingerprint, and if that changes in the phone, my (very long) master password needs to be reentered. Same with the mobile bank client, it needs a separate PIN code.

This extra PIN is not better security, it's just more. There could be 2, 3 or 10 passwords, but if we take a threat model of an attacker with an alleged weapon, they can get all of them. And the fingerprint.

> SecureLogin also cannot depend on them to protect the app with foolproof security

Absolutely, we need to find a way to programmatically test if the user has encryption & a passcode on. If not, we can figure out our own then.

homakov commented 7 years ago

@aredridel @DeeSnow97 hey, new pw change mechanism is implemented - what do you think? https://github.com/sakurity/securelogin/wiki/How-password-is-changed

Now it's practically instant and obvious to the user! Closing this one as "pw change" was the real issue.

download13 commented 7 years ago

I was reading through the "Password changing" faq entry, and it looks like every service must explicitly support profile migration in order for it to work. Is this the case?

homakov commented 7 years ago

Yes, the /securelogin functionality is part of the protocol and every service must support it to be compatible.
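The flow the thread describes, as an added example and not SecureLogin's own code: a profile derived deterministically from email and password (so nothing on the device needs a backup), per-service login signatures, and a password change implemented as a profile1 to profile2 migration that every service has to support. Ed25519 and an iterated HMAC-SHA256 stretch are stand-ins chosen to stay within Go's standard library; the real protocol's key derivation, message formats and endpoint are documented in the project wiki, not here, and the service names, `loginMessage`/`migrationMessage` formats and `ChangePassword` helper are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// deriveSeed stretches email+password into a 32-byte Ed25519 seed. Assumption:
// iterated HMAC-SHA256 stands in for a memory-hard KDF (scrypt/Argon2) only to
// stay within the standard library; it is not SecureLogin's real derivation.
// Email is the salt, so the same email+password gives the same profile anywhere.
func deriveSeed(email, password string) []byte {
	salt := []byte("securelogin-demo|" + strings.ToLower(strings.TrimSpace(email)))
	seed := []byte(password)
	for i := 0; i < 20000; i++ {
		m := hmac.New(sha256.New, salt)
		m.Write(seed)
		seed = m.Sum(nil)
	}
	return seed
}

// Profile is the user's identity toward every service: just a keypair.
type Profile struct{ priv ed25519.PrivateKey }

func DeriveProfile(email, password string) Profile {
	return Profile{priv: ed25519.NewKeyFromSeed(deriveSeed(email, password))}
}
func (p Profile) ID() string             { return hex.EncodeToString(p.priv.Public().(ed25519.PublicKey)) }
func (p Profile) Sign(msg []byte) []byte { return ed25519.Sign(p.priv, msg) }

// Signed messages are bound to the service name so a signature captured at one
// site cannot be replayed at another (hypothetical wire format).
func loginMessage(service string, challenge []byte) []byte {
	return append([]byte("login|"+service+"|"), challenge...)
}
func migrationMessage(service, oldID, newID string) []byte {
	return []byte("migrate|" + service + "|" + oldID + "|" + newID)
}

// Service is one relying party. It stores only public keys and, to be
// compatible, must implement Migrate (the "/securelogin" part of the protocol).
type Service struct {
	Name     string
	accounts map[string]string // profile id -> username
}

func NewService(name string) *Service { return &Service{Name: name, accounts: map[string]string{}} }
func (s *Service) Register(p Profile, username string) { s.accounts[p.ID()] = username }

func (s *Service) lookup(pid string) (ed25519.PublicKey, string, error) {
	pub, err := hex.DecodeString(pid)
	if user, ok := s.accounts[pid]; ok && err == nil && len(pub) == ed25519.PublicKeySize {
		return ed25519.PublicKey(pub), user, nil
	}
	return nil, "", errors.New("unknown or malformed profile id")
}

// Login verifies the client's signature over a service-chosen challenge.
func (s *Service) Login(pid string, challenge, sig []byte) (string, error) {
	pub, user, err := s.lookup(pid)
	if err != nil {
		return "", err
	}
	if !ed25519.Verify(pub, loginMessage(s.Name, challenge), sig) {
		return "", errors.New("bad signature")
	}
	return user, nil
}

// Migrate re-keys an account from oldID to newID if the holder of the OLD key
// authorises it; whoever holds the old secret first (owner or attacker) wins.
func (s *Service) Migrate(oldID, newID string, sig []byte) error {
	pub, user, err := s.lookup(oldID)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, migrationMessage(s.Name, oldID, newID), sig) {
		return errors.New("migration not authorised by old key")
	}
	delete(s.accounts, oldID) // the old profile stops working immediately
	s.accounts[newID] = user
	return nil
}

// ChangePassword derives both profiles from scratch (no device state needed) and
// migrates every listed service; a service missing from the list keeps profile1.
func ChangePassword(email, oldPw, newPw string, services []*Service) (Profile, []error) {
	oldP, newP := DeriveProfile(email, oldPw), DeriveProfile(email, newPw)
	var errs []error
	for _, s := range services {
		sig := oldP.Sign(migrationMessage(s.Name, oldP.ID(), newP.ID()))
		if err := s.Migrate(oldP.ID(), newP.ID(), sig); err != nil {
			errs = append(errs, fmt.Errorf("%s: %w", s.Name, err))
		}
	}
	return newP, errs
}
```

Two properties of the thread's discussion fall out directly: an attacker who learns the password derives the identical profile and can run `ChangePassword` first, after which the legitimate owner's old key is rejected at every migrated service; and the migration only reaches services the client knows about, which is why the "list of websites you used" matters for recovering control en masse.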