undefined | Better HN

0 pointsratg133y ago0 comments

>I think what we need is one master key that can be backed up in a offsite location (e.g. safe deposit box, lawyer, parents, trusted friends), and then have all subsequent secrets generated from it, or encrypted with it and stored somewhere publicly accessible.

This is a very good point. Essentially what you are describing here is a certificate authority.

The Yubikey, in this scenario, just acting as an 'offline CA'

It's a very good idea, but requires software being built to accept an authentication hierarchy.

0 comments

BoppreH3y ago

A lot simpler than a certificate authority, actually. There's no need for hierarchy, x509, or anything of the sort.

Take SQRL[1] for example. It's a login system where you scan a QR code with your phone, then your phone derives a private key based on the domain and a master key, and use that to sign a challenge. Every other device (including offline backups) will generate the same private key, and hence give access to the same account.

[1] https://www.grc.com/sqrl/sqrl.htm

j / k navigate · click thread line to collapse