github/SoftU2F

Include more information on Keychain location

jashsayani opened this issue · 5 comments

This is an awesome utility for encouraging two-factor-auth and making it painless. In addition to my YubiKey, I am setting up my accounts to work with the Soft U2F device. However, many users might have this as their only device. So losing credentials from Keychain would mean losing access to accounts. I think the README needs some more information, specifically:

  • Where in Keychain is the data stored (login / iCloud / System)?
  • Is there a way to sync with iCloud keychain / backup the data?

I glanced at the code and saw the Keychain class being used with namespace "SoftU2F Security Key" but can't find my accounts (GitHub and G Suite) in Keychain.

Thanks for opening this. The Keychain APIs are poorly documented and I can't answer your questions authoritatively. I'll try to answer them from my understanding of how things work though.

Where in Keychain is the data stored (login / iCloud / System)?

Keychain items for Soft U2F are stored in the login keychain. This is the default location for keychain items generated by applications.

Is there a way to sync with iCloud keychain / backup the data?

I had been hoping that Soft U2F would be able to sync keys with iCloud Keychain, but it looks like this isn't possible. The docs from SecItem.h say

Only password items can currently be synchronized. Keychain syncing is not supported for certificates or cryptographic keys.

It should be possible to backup keys from Soft U2F though. Keys are generated with an ACL specifying kSecAttrAccessibleWhenUnlocked. The docs in SecItem.h say

Items with this attribute will migrate to a new device when using encrypted backups.

I haven't experimented with what this means in practice. For example, I'm not sure if copying ~/Library/Keychains/login.keychain-db is adequate for backing up the keys.

I glanced at the code and saw the Keychain class being used with namespace "SoftU2F Security Key" but can't find my accounts (GitHub and G Suite) in Keychain.

From what I can tell, Keychain items don't show up in Keychain.app if they are generated with an ACL.
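Since Keychain.app hides these items, the way to confirm where they live and which accessibility attribute they carry is to ask the Security framework directly. The following command-line program is an added example, not code from the SoftU2F project or any participant in this thread. It assumes the keys are stored as kSecClassKey items whose kSecAttrLabel is the "SoftU2F Security Key" namespace mentioned above; if the project tags its items differently, adjust the query accordingly.

```swift
import Foundation
import Security

// Assumed label: the issue text mentions this namespace, but whether SoftU2F
// stores it in kSecAttrLabel (rather than another attribute) is an assumption.
let assumedLabel = "SoftU2F Security Key"

// Return the attribute dictionaries of all key items matching `label`.
// kSecReturnAttributes asks for metadata only, so no private key material
// is read out and the ACL does not need to release the key itself.
func listKeychainKeys(label: String) -> [[String: Any]] {
    let query: [CFString: Any] = [
        kSecClass: kSecClassKey,
        kSecAttrLabel: label,
        kSecReturnAttributes: true,
        kSecReturnRef: false,
        kSecMatchLimit: kSecMatchLimitAll,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let items = result as? [[String: Any]] else {
        if status != errSecItemNotFound {
            let msg = SecCopyErrorMessageString(status, nil).map { String($0) } ?? "unknown"
            print("SecItemCopyMatching failed: \(status) (\(msg))")
        }
        return []
    }
    return items
}

// Describe the attributes that matter for backup and sync:
// kSecAttrAccessible governs migration to encrypted backups,
// kSecAttrSynchronizable indicates iCloud Keychain sync (expected false for keys).
func describe(_ item: [String: Any]) -> String {
    let accessible = item[kSecAttrAccessible as String] as? String ?? "<not reported>"
    let synced = item[kSecAttrSynchronizable as String] as? Bool ?? false
    let appTag = (item[kSecAttrApplicationTag as String] as? Data)
        .flatMap { String(data: $0, encoding: .utf8) } ?? "<none>"
    let created = item[kSecAttrCreationDate as String] as? Date
    return "tag=\(appTag) accessible=\(accessible) synchronizable=\(synced) created=\(created.map { "\($0)" } ?? "?")"
}

let items = listKeychainKeys(label: assumedLabel)
print("Found \(items.count) key item(s) labelled \"\(assumedLabel)\"")
for item in items {
    print("  " + describe(item))
}
```

Compile and run it as the user who owns the login keychain, e.g. `swiftc -o keychain-check main.swift && ./keychain-check`. A non-zero count with accessible=ak (the short form of kSecAttrAccessibleWhenUnlocked) and synchronizable=false is consistent with the explanation above: the items exist in the login keychain, are eligible for encrypted backups, and are not candidates for iCloud Keychain sync.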

fnkr commented

Items with this attribute will migrate to a new device when using encrypted backups.

I haven't experimented with what this means in practice.

I think this means that you'll keep those items when you set up a Mac and use the Migration Assistant to transfer data from an encrypted Time Machine backup or another Mac.

I went to the demo here: https://demo.yubico.com/u2f?tab=login and registered. I can't seem to find a corresponding item in my login keychain. Any hints to what I should be looking for?

@exabrial I experimented with this a while ago, and it seems that keys created with an ACL never show up in Keychain.app. There is a command line flag you can use to list Soft U2F registrations though:

$ /Applications/SoftU2F.app/Contents/MacOS/SoftU2F --list

I'm closing this issue, since the original question has been addressed.