xbrowsersync/api

Add OTP or U2F (fido) for better security

BirdInFire opened this issue · 1 comment

I would like it to be possible to activate U2F or OTP, in order to request a verification when connecting.
This method would allow us to protect our bookmarks more effectively without endangering the anonymity of the user.

@Aelisya thanks for the suggestion, however in the case of xBrowserSync MFA/2FA adds no extra security - I'll explain why.

Users in xBrowserSync are completely anonymous, i.e. there is no information that ties the data stored by the service (in the database on the server) to the real person that is the user. Because of this anonymity, when you log in to xBrowserSync, your login credentials are not used to "identify" you as with traditional service logins, but to decrypt your sync data, which is stored by the service and retrieved using the random sync ID generated for you when you first synced.

This is a superior approach to traditional services because it does not need to verify you are who you say you are; the system doesn't care who you are. The important thing is that you have the decryption key (i.e. your password) in order to decrypt the encrypted sync data.

Because of this, anyone can request/view your encrypted data, for example if they know your sync ID, or even the service administrator (or a hacker) viewing the database on the server directly. However, they cannot possibly decrypt your data without your password, and none of the plain text data on the server reveals anything about you. This is an example of what they'll see:

{
    "_id":Binary('cBFyJ5fnTRmhbym2N1+U3w=='),
    "bookmarks":"DWCx6wR9ggPqPRrhU4O4oLN5P09oULX4Xt+ckxswtFNds...",
    "lastAccessed":"2016-07-06T12:43:16.866Z",
    "lastUpdated":"2016-07-06T12:43:16.866Z",
    "version":"1.0.0"
}

I hope that explains adequately why you don't need MFA and therefore why xBrowserSync is possibly the most secure system you use! 😄