FIDO/U2F: Open and unlock stronghold with security key
Closed this issue · 2 comments
Description
Use a security key (e.g. a YubiKey) to unlock the vault using libfido2
(Rust bindings: https://github.com/PvdBerg1998/libfido2)
Motivation
Strong protection by using a physical security key.
Requirements
- Open stronghold using FIDO
- Unlock stronghold using FIDO
Open questions (optional)
How can the two-step open/unlock be achieved with a key?
One could leverage the resident FIDO credential feature, where a public handle is stored on the key (protected by an extra PIN).
Unlocking would require extra presence and touch of the key.
Are you planning to do it yourself in a pull request?
No. Time.
These FIDO systems use a challenge/response approach, whereas Stronghold uses box encryption (aka a password, potentially stored in a keychain) to decrypt/encrypt the snapshot. We recommend using a YubiKey/FIDO at layer 2, which would then be implemented at the consumer layer (wallet.rs, Firefly, etc.) to verify presence.
See this example for insight into what I mean:
https://github.com/Yubico/libfido2/blob/master/examples/assert.c
Closing this issue.
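To make the layering in the reply concrete, here is an added example that is not part of this issue or of Stronghold's code base: Go's standard library stands in for the pieces, with a P-256 key playing the token-bound FIDO credential, assertion verification playing the consumer-layer (layer 2) presence check, and AES-GCM under a separate 32-byte secret playing Stronghold's box encryption of the snapshot. All names (NewAuthenticator, Assert, VerifyPresence, SealSnapshot, OpenSnapshot) are this example's own, and the challenge and secret are constructed values.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)
// NewAuthenticator stands in for the key's credential: on real hardware the private half never leaves the token.
func NewAuthenticator() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// Assert answers a challenge the way a FIDO assertion does: a signature over the hashed challenge
// (a real token would demand a touch here before signing).
func Assert(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}
// VerifyPresence is the layer-2 check at the consumer (wallet): it proves the key
// holder answered this challenge but yields no secret that could decrypt anything.
func VerifyPresence(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
// snapshotAEAD builds the snapshot layer's AEAD from the 32-byte vault secret.
func snapshotAEAD(secret []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(secret)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// SealSnapshot/OpenSnapshot stand in for Stronghold's box encryption: the secret
// (the password, possibly held in a keychain) is the only thing that decrypts.
func SealSnapshot(secret, plaintext []byte) (nonce, sealed []byte, err error) {
	aead, err := snapshotAEAD(secret)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}
func OpenSnapshot(secret, nonce, sealed []byte) ([]byte, error) {
	aead, err := snapshotAEAD(secret)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, sealed, nil)
}
```

Two assertions over the same challenge differ (ECDSA is randomized), which is why a signature cannot serve as stable key material for the snapshot; only the separately held secret opens it.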