iotaledger/stronghold.rs

FIDO/U2F: Open and unlock stronghold with security key

Closed this issue · 2 comments

miili commented

Description

Use a security key (e.g. Yubikey) to unlock the vault using libfido2 (Rust bindings: https://github.com/PvdBerg1998/libfido2)

Motivation

Strong protection by using a physical security key.

Requirements

  1. Open stronghold using FIDO
  2. Unlock stronghold using FIDO

Open questions (optional)

How can the two-step open / unlock be achieved with a key?

One could leverage the resident-key FIDO feature, where a public handle is stored on the key (protected by an extra PIN).
Unlocking would require extra presence and touch of the key.

Are you planning to do it yourself in a pull request?

No. Time.

These FIDO systems use a challenge/response approach, whereas Stronghold uses box encryption (aka a password, potentially stored in a keychain) to decrypt/encrypt the snapshot. We recommend using a YubiKey / FIDO at layer 2, which would then be implemented at the consumer layer (wallet.rs / Firefly etc.) to verify presence.

See this example for insight into what I mean:
https://github.com/Yubico/libfido2/blob/master/examples/assert.c

Closing this issue.
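The layering the maintainer describes, as an added example that is not code from Stronghold, wallet.rs or Firefly: a consumer-layer presence gate that runs a fresh challenge/response against the security key and only then derives the snapshot key from the password. Everything here is assumed for illustration: `RP_ID` is a made-up relying-party id, `SimulatedSecurityKey` stands in for a real FIDO authenticator and answers with HMAC-SHA256 over a per-credential secret instead of an ECDSA/EdDSA signature (the verification steps, fresh challenge, user-present flag, monotonic signature counter, are the same ones a libfido2 `assert` flow checks), and `scrypt` stands in for whatever password KDF Stronghold actually uses. The point the code makes is the one in the comment above: the assertion is different on every call, so it cannot be the box-encryption key; it gates access to the password-derived key instead.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

# Assumed relying-party identifier for this example; not a Stronghold value.
RP_ID = "stronghold.example"


def auth_data(rp_id: str, counter: int, user_present: bool) -> bytes:
    """FIDO-style authenticator data: rpIdHash || flags || signature counter."""
    flags = 0x01 if user_present else 0x00  # bit 0 = user present (UP)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


@dataclass(frozen=True)
class Assertion:
    credential_id: bytes
    counter: int
    user_present: bool
    signature: bytes


class SimulatedSecurityKey:
    """Stand-in for a FIDO authenticator (assumption: HMAC in place of a real
    per-credential private key so the example runs offline). The HMAC secret
    returned by make_credential plays the role of the credential's public key."""

    def __init__(self) -> None:
        self._credentials = {}  # credential id -> (rp id, secret)
        self._counter = 0       # signature counter, never decreases

    def make_credential(self, rp_id: str):
        cred_id, secret = os.urandom(16), os.urandom(32)
        self._credentials[cred_id] = (rp_id, secret)
        return cred_id, secret

    def get_assertion(self, rp_id: str, cred_id: bytes, challenge: bytes, touched: bool = True) -> Assertion:
        bound_rp, secret = self._credentials[cred_id]
        if bound_rp != rp_id:
            raise ValueError("credential is bound to a different relying party")
        self._counter += 1
        data = auth_data(rp_id, self._counter, touched)
        # A real key signs authenticatorData || SHA256(clientData); same layout here.
        sig = hmac.new(secret, data + hashlib.sha256(challenge).digest(), hashlib.sha256).digest()
        return Assertion(cred_id, self._counter, touched, sig)


class PresenceGate:
    """Consumer-layer verifier: the registered credential plus the last counter seen."""

    def __init__(self, rp_id: str, credential_id: bytes, verify_key: bytes) -> None:
        self.rp_id = rp_id
        self.credential_id = credential_id
        self._verify_key = verify_key
        self.last_counter = 0

    def new_challenge(self) -> bytes:
        # Fresh per attempt, so a captured assertion cannot be replayed later.
        return os.urandom(32)

    def verify(self, challenge: bytes, assertion: Assertion) -> bool:
        if assertion.credential_id != self.credential_id:
            return False
        if not assertion.user_present:
            return False  # the key was not touched
        if assertion.counter <= self.last_counter:
            return False  # replayed assertion or cloned authenticator
        data = auth_data(self.rp_id, assertion.counter, assertion.user_present)
        expected = hmac.new(self._verify_key, data + hashlib.sha256(challenge).digest(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion.signature):
            return False
        self.last_counter = assertion.counter
        return True


def unlock_snapshot_key(gate: PresenceGate, key: SimulatedSecurityKey, password: bytes, salt: bytes) -> bytes:
    """Layer 2 in front of layer 1: derive the snapshot key from the password only
    after a fresh, touched assertion verifies. scrypt is an assumed stand-in KDF."""
    challenge = gate.new_challenge()
    assertion = key.get_assertion(gate.rp_id, gate.credential_id, challenge)
    if not gate.verify(challenge, assertion):
        raise PermissionError("security key presence check failed")
    # The assertion changes every time, so it cannot key the box; the password does.
    return hashlib.scrypt(password, salt=salt, n=2 ** 12, r=8, p=1, dklen=32)


if __name__ == "__main__":
    key = SimulatedSecurityKey()
    cred_id, verify_key = key.make_credential(RP_ID)
    gate = PresenceGate(RP_ID, cred_id, verify_key)
    k = unlock_snapshot_key(gate, key, b"correct horse", b"constructed-salt")
    print("derived", len(k), "byte snapshot key after presence check")
```

With a real key the `SimulatedSecurityKey` calls map onto `fido_dev_get_assert` and friends, and the verifier checks an asymmetric signature with the public key saved at registration; the gate logic (fresh challenge, UP flag, counter strictly increasing, constant-time comparison) is unchanged.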