-
Notifications
You must be signed in to change notification settings - Fork 538
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide option to lock saved credentials with PIN/biometrics #3444
Comments
Our initial implementation so far fell out of date with the issue and we identified some blind spots so to rewrite the issue I'm gathering more information. We need to decide on multiple points:
We should write down scenarios with what we want to protect and from whom. Additional info:
Login & biometric authenticationGoals:
Non-goals:
ContextSystem mechanismsMost operating systems provide two security mechanism related to our goals: Keychain and Biometrics. Keychain allows apps to store credentials using high-security mechanism (like special hardware) and system promises to Biometrics allow app to authenticate the user more easily. This allows apps to ask for authentication more often as iOS and Android both allow tying credentials stored in Keychain to the Biometrics. Both allow using them separately. Since Android 4.4, the contents of the user’s data partition are encrypted by default. iOS encrypts disk for a long time Android Keystore keeps key completely outside of OS ref1
iOS devices also include specialized hardware: ref2. It is possible to create biometric-protected entries as well: It is important to note that all biometric-protected entries are removed on both iOS and Android when biometric data TutanotaWhen the user selects to "store password" on the login screen we create a "persistent session". Session data contains When choosing implementation we would like to first protect Extraction methodsDepending on the device's and app's state and security different extraction methods might be possible. For an overview |
Pin/biometrics is available for mobile apps, for desktop client credentials are stored in keychain. |
As a user of the Tutanota mobile or desktop app i want to be able to protect my stored credentials with the PIN/fingerprint of my device. If i choose "Store credentials" from the login screen the app should display options of how to secure my stored credentials. The option should be used for all further stored credentials. The selection can later be changed in the settings.
Every time i need to access the stored credentials the app should ask for the chosen option.
Acceptance criteria:
Implementation hints
We currently use the local storage of the web view to store the credentials. It is the same mechanism that is used for the web browser. We want to change the storage location to the secure storage of the device which is already used to store the device keys that are used to decrypt calendar event reminder notifications.
With this issue we will not automatically lock the application. We will protect how the saved credentials are stored on the device by encrypting them with a device key. The device key should be stored in the secure storage of the device. We will not have direct access to that key but instead we need to ask the system to decrypt the credentials.
When setting up the this for the first time the user should have the following options:
Every time user needs to access the credentials we will ask for authentication.This is the case when:
Together with @charlag @rosso-ptg @bedhub we discussed if it is acceptable to ask for authentication again upon delete or logout because it might be ask too often. We decided that it is acceptable for now.
We will do biometrics/pin protection for mobile apps only. For desktop clients we will store the key to decrypt credentials in the keychain of the system. Which usually will be unlocked when user logs in.
We decided that we will use intermediate key in encryption chain which can do multiple operations. This will allow us to do multiple operations on multiple credentials. Keeping it in memory for a short time has almost no effect on security but improves user experience a lot.
When selecting authentication method user should see a dialog with following text:
The dialog should have three vertical options. It should have a skip button to default to automatic authentication. Option in settings should also open the same dialog.
--
The text was updated successfully, but these errors were encountered: