You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Option (4) would essentially introduce a mode that would allow the user to show their recovery seed at any time, protected by just the device PIN.
Product-wise, this is a significant departure from the previous approach, and there are some notable security drawbacks, namely, it's no longer possible to audit when the seed was viewed.
(Regardless of chosen protection mechanism, there is always an attack of "steal Trezor, grab seed, buy a new Trezor, recover the old seed into it, give it back to victim".)
OTOH, there are legitimate usecases, and such feature could be beneficial esp. for advanced users.
There is the option of implementing this "show seed anytime" mode hidden behind safety-checks, such that:
user lowers safety checks
user enables "show seed anytime" by running through dry-run recovery (more precisely, "unlock backup" flow from Implement repeated backup #3640)
safety checks are re-enabled
Trezor stays in "show seed anytime" mode
We might also want to only allow this mode if PIN is set, and protect the call by force-prompting for PIN.
The text was updated successfully, but these errors were encountered:
Follow-up to #3640
Option (4) would essentially introduce a mode that would allow the user to show their recovery seed at any time, protected by just the device PIN.
Product-wise, this is a significant departure from the previous approach, and there are some notable security drawbacks, namely, it's no longer possible to audit when the seed was viewed.
(Regardless of chosen protection mechanism, there is always an attack of "steal Trezor, grab seed, buy a new Trezor, recover the old seed into it, give it back to victim".)
OTOH, there are legitimate usecases, and such feature could be beneficial esp. for advanced users.
There is the option of implementing this "show seed anytime" mode hidden behind safety-checks, such that:
We might also want to only allow this mode if PIN is set, and protect the call by force-prompting for PIN.
The text was updated successfully, but these errors were encountered: