Such as Dropbox, Google Drive, etc.
These can work like an additional device and also store a share. This way you can still use this password manager, even if you don't have any of your devices on you.
Problems:
Dropbox access tokens don't expire. This means that if a device that is logged into Dropbox gets stolen, the thief gets two tokens.
Facebook seems to do it right, but it's not clear whether the Facebook API could be used for this application.
OneDrive might work, as they provide a logout API. They also have a prompt=login option. However, since the app folder isn't hidden from the user, a clever thief can still get to the secret token if the user is logged in.
The GitHub secret gist API might work, as it also allows HTTP Basic auth. However, this doesn't completely solve the problem, as a user might still be logged into GitHub, so a thief could go to gist.github.com and get an additional token. This would only work if the user created a separate account from their normal one and made sure they were never logged into it.
Conclusion
The Google Drive API seems to be the only one that fulfills all requirements:
Prompt for a password even if the user is already logged into Google.
Revoke access on user request.
Prevent access to the application's files from outside the app.
The last requirement isn't necessary if we can forcefully log out a user.
For this reason, both OneDrive and GitHub might work too.
Alternative
Instead of relying on the security of Dropbox and similar services, we could handle it ourselves.
This way all the above options become reasonable, but they would only be used as additional storage to sync our data, not to actually store any additional shares.
For this to work, we would have to allow the user to create new shares and encrypt them using a password that has to be remembered.
This of course requires some competence from users, as they have to choose a strong password for these additional shares!
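The alternative described above, as an added example that is not code from this issue or the project: the vault master key is split k-of-n with Shamir, device shares stay on devices, and the extra share destined for cloud storage is sealed under the remembered password, so a stolen provider token alone yields only an encrypted blob. The function names, the field prime, the PBKDF2 parameters and the stand-in HMAC-based cipher (the stdlib has no AES) are my choices, not the project's.

```python
import hashlib
import hmac
import os
import secrets

# Shares live in GF(P); P = 2**127 - 1 is a constructed choice whose values fit 16 bytes.
P = 2**127 - 1

def split(secret, k, n):
    """k-of-n Shamir split of an integer secret (e.g. the vault master key)."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P) for x in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation at x = 0; needs any k distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def _keys(password, salt):
    # The remembered password never reaches the cloud; only a salted PBKDF2 output is used.
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]

def seal_share(share, password):
    """Encrypt one share for cloud storage. Stand-in cipher (HMAC-SHA256 keystream,
    encrypt-then-MAC) because the stdlib has no AES; real code should use AES-GCM."""
    x, y = share
    pt = x.to_bytes(1, "big") + y.to_bytes(16, "big")
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(pt, hmac.new(enc_key, nonce, "sha256").digest()))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag

def open_share(blob, password):
    """Decrypt a sealed share; raises ValueError on a wrong password or a tampered blob."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(password, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + nonce + ct, "sha256").digest()):
        raise ValueError("wrong password or corrupted share")
    pt = bytes(a ^ b for a, b in zip(ct, hmac.new(enc_key, nonce, "sha256").digest()))
    return pt[0], int.from_bytes(pt[1:], "big")
```

With a 2-of-3 split, one device share plus the unsealed cloud share recovers the key, while the cloud blob by itself, or with the wrong password, does not.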