This repository has been archived by the owner on Nov 10, 2022. It is now read-only.

Encrypt hdMasterSecret with TouchID/FaceID #43

Closed
DanGould opened this issue Jun 21, 2020 · 1 comment

@DanGould
Member

DO NOT USE LOCALSTORAGE

keep in mind OWASP M4 & M6

https://owasp.org/www-project-mobile-top-10/2016-risks/m4-insecure-authentication
https://owasp.org/www-project-mobile-top-10/2016-risks/m6-insecure-authorization

@DanGould
Member Author

Now the hdMaster secret is encrypted with an intermediate key derived from the password.

That both lets the user change the password and can be safely stored with TouchID/FaceID instead of the actual hdMaster secret. The caveat is that the hdMasterSecret is derived from the original 12 words & password as passcode.
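
The scheme described in the comment above, as an added sketch that is not code from this repository: the secret is wrapped under a password-derived intermediate key, and a password change re-wraps the same secret. All function names, the scrypt parameters and the choice of AES-256-GCM are assumptions; the thread does not say which KDF or cipher the project uses.

```javascript
// Added illustration; every name here is hypothetical, not the project's API.
const crypto = require('node:crypto');

// Intermediate key derived from the password (scrypt parameters are assumed).
function deriveIntermediateKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, { N: 2 ** 14, r: 8, p: 1 });
}

// Encrypt hdMasterSecret under the intermediate key with AES-256-GCM.
function wrapSecret(hdMasterSecret, intermediateKey, salt) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', intermediateKey, iv);
  cipher.setAAD(salt); // bind the KDF salt to the ciphertext
  const ct = Buffer.concat([cipher.update(hdMasterSecret), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt; final() throws if the key is wrong or the blob was modified.
function unwrapSecret(blob, intermediateKey) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', intermediateKey, blob.iv);
  decipher.setAAD(blob.salt);
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.ct), decipher.final()]);
}

function encryptWithPassword(hdMasterSecret, password) {
  const salt = crypto.randomBytes(16);
  const intermediateKey = deriveIntermediateKey(password, salt);
  // intermediateKey is the value a biometric-gated keystore entry would
  // hold; hdMasterSecret itself only ever leaves memory as ciphertext.
  return { blob: wrapSecret(hdMasterSecret, intermediateKey, salt), intermediateKey };
}

// Password change: unwrap with the old key, re-wrap the same secret with a
// new one. The previously stored intermediate key must then be replaced.
function changePassword(blob, oldPassword, newPassword) {
  const secret = unwrapSecret(blob, deriveIntermediateKey(oldPassword, blob.salt));
  const result = encryptWithPassword(secret, newPassword);
  secret.fill(0); // wipe the temporary plaintext copy
  return result;
}

// Returns the secret, or null when the password does not match.
function tryUnlock(blob, password) {
  try { return unwrapSecret(blob, deriveIntermediateKey(password, blob.salt)); }
  catch { return null; }
}
```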
