Benefits of using OS secure storage

Edoardo Tenani edited this page Aug 2, 2022 · 2 revisions

If you don't know how 2FA works, read "How does 2FA works under the hood?" first!

There are different places where you might want to store your 2FA secret. It's usual to have an authenticator application on your phone (there are plenty of Android and iOS applications), but why not on your computer as well? (Why would you do that? Have you ever lost your phone? If yes, you know the pain of recovering 2FA access; if not, please either back up your 2FA secrets or ensure you have backup codes securely stored.)

Attacks on computer filesystems are not particularly unusual (e.g. ransomware) compared to attacks on OS secure storage. By using the OS-provided secure storage it is possible to leverage the built-in security measures of the system: for example, the secure storage is per-user (a concern on shared computers) and can be locked/unlocked as needed. A plain text file does not provide these guarantees and does not have security teams behind it.

As with everything in security, just putting secrets in the secure storage is not enough to guarantee 100% security (nothing can), but it's for sure better than a plain text file. When I started my search for a CLI authenticator, I didn't find any that stored the secrets in a more secure way than plain text, so I built mine.

Security considerations

  1. By default, the secure storage is unlocked with the user login password, at login. Entering your desktop session is enough to unlock it. This makes its content vulnerable, but it is possible to protect against this case by selecting a different secure storage name.
  2. To be able to create OTPs the authenticator has to load the secret in memory. It is possible for other processes to read another process's memory and extract the secret. 2ami reduces the risk by loading secrets only when needed for OTP generation, and not upfront, but does not try to hide it from memory entirely. (Contributions welcome! :)
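The pattern described in point 2, as an added example that is not 2ami's own code: the TOTP secret stays in the OS secure storage and is fetched only at the moment a code is generated. The `keyring_loader` backend assumes the python-keyring package is installed; the service name passed to it plays the role of the "secure storage name" from point 1, and the `totp` function is a plain RFC 6238 implementation over HMAC-SHA1.

```python
"""Just-in-time loading of a TOTP secret from OS secure storage (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Callable, Optional

# A loader returns the base32 secret for an account, or None if none is stored.
SecretLoader = Callable[[str], Optional[str]]


def keyring_loader(service: str = "2ami-example") -> SecretLoader:
    """Backend backed by the OS secure storage via python-keyring (assumed installed).
    The service name selects the keyring entry, so a non-default name can be used."""
    import keyring  # imported lazily so the rest of the module works without it

    return lambda account: keyring.get_password(service, account)


def totp(secret_b32: str, for_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the scheme most authenticator apps implement."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int((time.time() if for_time is None else for_time) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def otp_for(account: str, load: SecretLoader, for_time: Optional[int] = None) -> str:
    """Fetch the secret only now, derive the code, then drop our reference so the
    secret sits in this process's memory as briefly as possible (it is not scrubbed)."""
    secret = load(account)
    if secret is None:
        raise KeyError(f"no secret stored for {account!r}")
    try:
        return totp(secret, for_time)
    finally:
        del secret


if __name__ == "__main__":
    # Constructed stand-in for the keyring: the RFC 6238 test secret, not a real account.
    demo_store = {"alice@example": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}
    print(otp_for("alice@example", demo_store.get))
```

In real use, swap `demo_store.get` for `keyring_loader("your-service-name")`; the secret then never touches a plain text file.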