Chaincase-iOS-Beta icon indicating copy to clipboard operation
Chaincase-iOS-Beta copied to clipboard
verified publisher icon chaincase-app

Encrypt hdMasterSecret with TouchID/FaceID

Open DanGould opened this issue 5 years ago • 1 comments

DO NOT USE LOCALSTORAGE

keep in mind OWASP M4 & M6

https://owasp.org/www-project-mobile-top-10/2016-risks/m4-insecure-authentication https://owasp.org/www-project-mobile-top-10/2016-risks/m6-insecure-authorization

DanGould avatar Jun 21 '20 22:06 DanGould

Now the hdMaster secret is encrypted with an intermediate key derived from the password.

That both lets the user change the password and can be safely stored with TouchID/FaceID instead of the actual hdMaster secret. The caveat is that the hdMasterSecret is derived from the original 12 words & password as passcode

DanGould avatar Aug 23 '21 16:08 DanGould