sparrowwallet
Add optional YubiKey HMAC challenge-response as 2FA for wallet encryption
Support combining password + YubiKey HMAC-SHA1 challenge-response for wallet encryption key derivation.
- Optional second factor alongside existing password
- Uses YubiKey's offline HMAC challenge-response (slot 2)
- Final key = derive(password) + HMAC(challenge)
Similar to KeePassXC and LUKS yubikey-full-disk-encryption implementations.
References:
- https://docs.yubico.com/yesdk/users-manual/application-otp/challenge-response.html
- https://github.com/keepassxreboot/keepassxc (KeePassXC implementation)
- https://github.com/agherzan/yubikey-full-disk-encryption (LUKS implementation)
@craigraw thoughts? I'd like to see this implemented, happy to work on a PR if it's something you'd consider adding into Sparrow.
Note: this is related to #1561.
I'd like to understand what UI flow is necessary to set this up and, once setup, manage password entry.
@craigraw what I envision is an optional 2FA feature that prompts for a YubiKey (or in a separate issue 2FA generated code) after the password is entered, acting as an additional layer of security for the wallet.
Understood. But what does the setup for this look like - it is just another checkbox on the password confirmation dialog? And would this be Yubikey specific, or would the challenge-response framework be generalizable to other devices?
@craigraw For setup: Checkbox on password dialog, then touch YubiKey to register.
For unlock: Password first, then touch YubiKey if configured. Challenge = wallet salt.
I'm thinking we should have a simple, generalized interface that other HMAC devices could implement later, and use YubiKey as a starting point.