This is my first time posting something to HN, so please be kind.
I wanted to show what I’ve been working on for the last 6 months:
NoKey, a password manager without a master password. Instead, you can unlock your passwords by confirming from another device. E.g. if you need a password on your PC, you only have to confirm this on your phone. No need to remember any passwords!
The vast majority of the code is written in Elm and it’s fully open source.
There is a browser extension for Chrome and Firefox and an Android app. The application is only useful with at least two devices, so to really test it out, you’ll have to install it on two devices. There is no iOS version and the web app doesn’t work on Safari either (it's missing some stuff from the Web Crypto API), sorry!
Any feedback or questions are greatly appreciated!
Also, the Android app requires no device permissions, haven't seen that in a while.
That's not true, it just uses the new way to ask for permissions. E.g. when you want to scan a QR code it requires the camera permission. But it only asks at that moment, not upfront as older android apps used to do
So don't do it.
In terms of technology it's of course completely different.
That's why it's a very good idea to pair as many devices as you can, e.g. an old phone, your work PC, etc.
This way you're pretty save from any loss.
In general, if you save your passwords with security level N (meaning you need N devices to unlock), if you lose all but N-1 devices, you lose access. You can also add a "key box", which gives you one more "device", but requires you to remember a password.
Doesn't this increase your attack surface greatly though? The more devices you have this on, the greater chances that one or more of them could be compromised and used to access your passwords. Since there's no master key, one has to only compromise the OS to get at everything. Given that so many devices do not receive regular security updates, this seems like it would be a concern..
