
Bitwarden usb key
How? I mean, how can a keylogger get the secret from which TOTPs are being generated?

Since it's time based with a 30 second window, you don't need to know the secret, you just need to be able to repeat the code as it is typed. It takes more effort because it has to be done in real time, but 30-ish seconds is pretty doable.

I'm myself a Yubikey user and would like to know in what ways it is more secure than TOTP, even in the scenario when my workstation gets compromised.

> And why wouldn't some other malware be able to read whatever data the hardware token inputs?

The way (most) hardware tokens work, including the Yubikey, the private key is generated on the key and it never leaves the key. When the FIDO challenge/response happens, you relay the server's challenge to the Yubikey, it does the private key operation with the onboard chip, and sends back the response for you to relay back to the server. Done this way, your computer never needs to know the private key, but you can still prove you physically own it, which is what the server is trying to verify. That said, just because they can't steal your Yubikey's private key doesn't mean they can't take the bearer token from your computer. In general, if your device is compromised it's game over anyway.

It feels like reporting "I can walk over the lawn fence".

This is entirely non-obvious: there are several ways to implement a PIN unlock in a secure way (see e.g. what you mentioned about Signal and other comments about e.g. Bitwarden chose an insecure one and to not warn about its risk in the clients (unlike some other features, where you get a big modal warning when enabling them; see the end of this comment).

> Protecting from a real attacker with access to your unlocked computer is a bit hopeless (as someone mentioned, they probably can install some key logger and steal the master password and everything else later).

If I throw away my computer, or you steal it in its powered off state, a keylogger won't help you since I won't be entering my password again.

> Protecting from an attacker with your laptop locked should be done at the OS level with FDE and secure boot.

Definitely, FDE and secure boot would mitigate the attack (if your computer is off). However, it's still not enabled by default on most systems, and Bitwarden recognizes that, since they give you a big modal warning that your encryption key will be stored in plain if you set the lock option to "Never":

> if you want to check a pin server side without trivial access to the PIN from the server you can do it à la signal using secure enclaves
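The two mechanisms contrasted in the comments above, as an added example that is not from any of the commenters: an RFC 6238 TOTP code stays valid for the whole 30-second step, so a code observed as it is typed can be reused without ever knowing the shared secret, while a FIDO-style response signed over a fresh per-login challenge does not verify against the next challenge. The function names are my own, the TOTP key is the RFC 6238 test key used as a constructed demo secret, and Ed25519 stands in for the token's on-device signature algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// totp computes a 6-digit RFC 6238 code (HMAC-SHA1, 30-second step). Anyone who
// sees the code can reuse it for the rest of the step without the shared secret.
func totp(secret []byte, unixTime int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// newChallenge models the server side of a FIDO-style login: a fresh random challenge per attempt.
func newChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// tokenRespond models the token: the private key stays on the device, only the signature leaves it.
func tokenRespond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// serverVerify checks the response against the challenge the server actually issued.
func serverVerify(pub ed25519.PublicKey, challenge, response []byte) bool {
	return ed25519.Verify(pub, challenge, response)
}

func main() {
	secret := []byte("12345678901234567890") // constructed demo secret (RFC 6238 test key)
	t := int64(1699999980)                    // start of a 30-second step
	fmt.Println("TOTP code reusable within the step:", totp(secret, t) == totp(secret, t+29))
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	captured := tokenRespond(priv, newChallenge()) // what a relay on the host could capture
	fmt.Println("captured FIDO response accepted later:", serverVerify(pub, newChallenge(), captured))
}
```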