undefined | Better HN

0 pointssuperuser210y ago0 comments

>single, strong password for your "vault"

This is pretty much the nature of password managers. That password is only ever entered locally. If an attacker can grab local keystrokes, it's game over anyway.

>they don't offer (at least) 2-factor key for the vault

Neither TOTP nor any kind of push/SMS token can be used to secure data at rest. These are mechanisms to authenticate to a server. You could have "2 factor" for data at rest by storing part of the key separately, but there'd be nothing dynamic about it; copying the key material once would be sufficient to use it forever.

LastPass offers 2-factor to authenticate to the LastPass website, but your vault is cached encrypted on the client side, and such a cached copy can be opened using only the master password. (IIRC there is an option to disable this, which works by erasing the cached copy at the end of a session. Hardly bulletproof, and precludes having any sort of backup resilient to the failure of LastPass itself).

0 comments

2 comments · 1 top-level

watersb10y ago· 1 in thread

Thanks. I must think more about this.

I can understand that TOTP cannot be used for encryption.

But the app is asking for authentication. Zero-knowledge proof game might apply. Of course the local app must have the decrypted key in memory.

I wish we could defend against the Evil Maid...

superuser2OP10y ago

One defends against the Evil Maid with physical security techniques. And by doing your own cleaning :).

The app is not asking for authentication, it's asking for encryption. Else an attacker could bypass the app's logic and read its data directly.

j / k navigate · click thread line to collapse