Oddbean new post about login | logout If somebody can securely find one of these with a fingerprint reader for authentication before transferring the private key, I have an order of 500 devices waiting for you. https://image.nostr.build/f79d852670e1c640ab0d19eb1cc052aeec473f1c99574088494b414e7ef40903.jpg
I'm not sure if you could find one with a fingerprint reader. But it some should have a touch or button to confirm
These devices will be given to trusted friends, so we need a way to authenticate the user before revealing the key.
Why reveal the key instead of doing the signing on the device itself? I don't think it takes much more than an esp32 to handle signing
They just need this to load to the phone. It's hard to imagine a homes person walking around with a phone AND a singing key connected at all times. The phone is enough. They just need a way to recover when the phone is inevitably stolen.
Homes -> homeless
could your idea work with yubikey?
Maybe with some custom software for a yubikey, and it's a done deal. https://www.yubico.com/products/yubikey-bio-series/
Other than the price, it ticks all the boxes. 100 bucks is prohibitive, especially if you need multiple backups.
desktop only, though :(
Yeah. The Yubico devices with NFC tags (that work on mobile) lack biometrics.
Is PIN entry not an option? Couple of buttons could be cheaper than biometrics.
No one will remember them :(
Yeah, it does lots of fancy stuff. The biometric ability seems to have a floor price of $20, at least based on a quick amazon search: https://www.amazon.co.uk/usb-fingerprint-reader/s?k=usb+fingerprint+readerhttps://www.amazon.co.uk/usb-fingerprint-reader/s?k=usb+fingerprint+reader If building / using a thing like this one might consider having backup in some sort of other kind of device that don't require the biometric, just for cheaper backups.
This seems legit: https://www.lexar.com/product/lexar-jumpdrive-fingerprint-f35-usb-3-0-flash-drive/
ah, look! yes, and in a reasonable price range as well. This is doable! Open-sourceing a solution that would work on any USB is how to do it; and then recommend some different hardware like this Lexar you found https://www.amazon.com/s?k=Lexar%C2%AE+JumpDrive%C2%AE+Fingerprint+F35&crid=2U33Y06K18J77&sprefix=lexar+jumpdrive+fingerprint+f35+%2Caps%2C464&ref=nb_sb_noss_2
I may get one to play with. Needs Windows for setup, though. 😢
What does the display need to show?
Oh I meant the USB drive. The phone doesn't need to show anything other than "Restore?"
In my use case, yes. The idea is to just have a secured backup for the private key.
I keep thinking about this. You said the restoration device would be left with trusted friend(s). So let the friend do the verification. Two keys needed to restore the account. Perhaps two TOTP codes, generated by two yubikeys. The friend won't give their TOTP out if it's not the owner of the account. TOTP lets them verify the person remotely if needed. The account owner goes for their stashed key, friend gives it to them, owner TOTP goes in, friend TOTP goes in, account restored. Tie all these various codes to the account during initial setup.
We can't let a friend have any roles on the recovery process because that creates legal liability on the friend to keep the information (which is medical) secure. In the US, if a friend has access, the friend must be HIPAA trained and compliant. So, instead, what we want is to use the friend's physical security to host encrypted information that only the owner of the account can decrypt.
Ah I see. I didn't realize it was that formal. Dang, biometrics is the way, then. Back to square one.
I just got one of these Lexar F35 drives. It was about 30 bucks. It might do what you need. Some things: - It does require Windows to set up, unless someone smarter than me can make it work in Wine. The app seems simple. - Fingerprint programming is easy and fast. - Users get assigned roles as admin or "other users." Admin can add and remove users. All get access to secured partition. - The app lets you choose the size of the secured partition. I got a 64GB drive and it will partition all of it secure if you want. - It unlocks the secure partition on Windows and Linux. - I could NOT get it to unlock secured on Android phone (Pixel 8). Tried external powered hub, also. - I abused it a little by yanking it during write, startup, etc. and it didn't lose anything. If you want me to try anything else, let me know.
Thank you! Is it possible to setup multiple users that don't see each other's info AND that the admin doesn't see their info as well? 🤔
I don't think so. All users who have a fingerprint enrolled can see the secure partition. Any of (I think) 10 fingerprints gets you access to the secure side. They can be 10 different people. The only elevated privilege for admin is the fingerprint add. It's very simple. I'd bet it's hackable, but that's way out of my league.
can't you make a yubi key function like that?
Probably? I never tried it.
No. Yubico does not allow custom applets.
more basic setup then?
You can buy and provision Java cards (nfc/contact) with nostr signing code. This would work well for mobile. Tap to post is good for users who need a high level of nsec protection. There is no desktop browser API for sending raw data to a smart card that I know of though. There might be ways to do it by leveraging other standards in an unintended way. Or perhaps a native companion app that exposes an API to webapps.
👀 nostr:nevent1qqs8e0gdf6k05rlmrxg4mz0jejwfdlmspqy8dmcxp6rwhcppxgk6n4qpz3mhxue69uhhyetvv9ujuerpd46hxtnfdupzq3svyhng9ld8sv44950j957j9vchdktj7cxumsep9mvvjthc2pjuqvzqqqqqqyy2d5e0
Where did you get that NSD btw?
nostr:nprofile1qqsq37tg2603tu0cqdrxs30e2n5t8p87uenf4fvfepdcvr7nllje5zgpremhxue69uhkummnw3ez6ur4vgh8wetvd3hhyer9wghxuet59uq3qamnwvaz7tmwdaehgu3wd4hk6tcpz4mhxue69uhhyetvv9ujumn0wd68ytnzvuhs4hx9pe was playing with it: nostr:note1qkz797wg2dyer8ucga6rtm9wnnpnqgyc6lht2lfyn26xkhuqgcps3hh38f
ohhh. Well whatever that cost plus $20 and it could be doable, I think. A patchwork with @cypherpruk's NSD and one of these from Amazon should do it: https://www.amazon.co.uk/usb-fingerprint-reader/s?k=usb+fingerprint+reader
@Vitor Pamplona was looking into it. i'm also looking into it. if yubikey and opensource authentication keys are a viable option it would be a huge win for #nostr privacy and security for the users of the client that implements it. no more dependency on browser-based signer extensions like nos2x (chromium only) and especially alby etc nostr:nevent1qqs8e0gdf6k05rlmrxg4mz0jejwfdlmspqy8dmcxp6rwhcppxgk6n4qpp4mhxue69uhkummn9ekx7mqzyprqcf0xst760qet2tglytfay2e3wmvh9asdehpjztkceyh0s5r9cqcyqqqqqqgnppzqk
