Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
knorker a day ago

Without presence test (e.g. yubikeys touch) it's certainly not perfect. But it does close some real world attacks. Like the key can only be used while your laptop is on. (assuming laptop, here).

And keys cannot be stolen from backups.

Or stolen without your knowledge when you left your laptop unguarded for 5min.

Not every attacker has persistent undetected access. If the key can be copied then there's no opportunity for the original machine's tripwires to be triggered by its use. Every second malware runs is a risk of it being detected. Not so, or not in the same way, with a copied key.

spwa4 a day ago | parent [-]

I guess you could implement that on android.

lxgr a day ago | parent | next [-]

Android actually supports secure transaction confirmation on Pixel devices using a secure second OS that can temporarily take control of the screen and volume button as secure input and output! https://android-developers.googleblog.com/2018/10/android-pr...

This is really cool and goes beyond the usual steps of securing the key, but handling "what you see is what you sign" and key usage user confirmation at the OS level, which can be compromised much more easily (both input and output).

tadfisher 18 hours ago | parent [-]

Protected Confirmation was deprecated a while back, unfortunately: https://android.googlesource.com/platform//system/security/+...

Quote: "Android Protected Confirmation is deprecated due to the high support/maintenance cost for Android device makers and low adoption rate among app developers. APC requires Android device makers to have a substantial amount of device-specific UI code running in the trusted execution environment. That has proven to be expensive to maintain and non-scalable, as there cannot be a single implementations device makers can share or use as a reference. Additionally, app developers have not adopted this feature, as the Android platform offers other mechanisms for authentication a user's intent. These mechanisms, such as authentication-bound Keystore keys, are less secure than Trusted UI, but are more wide-spread. While we explore alternatives to APC that are viable to the device makers ecosystem, we sunset the APC API."

lxgr 18 hours ago | parent [-]

Oh damn, I missed that, thank you. I could see how it was a very expensive thing to maintain for an effectively Pixel-only feature.

Still, I think this was one of the most ambitious and user-beneficial implementations of trusted computing I've seen so far, in that it theoretically safely allows a completely rooted/user-owned device to still participate in things like online banking or e-government transaction authorization. I hope it'll return in some form.

palata 16 hours ago | parent | prev | next [-]

Well on Android there is the Keystore that can access the secure element (if present on the device). And it can be secured with biometrics or PIN.

knorker 7 hours ago | parent | prev [-]

Yes. But that'd just be a TPM on a computer, in hand held form.

A laptop and a phone are both general purpose computers with "TPM chips", so "you could implement that on android" is as true as "you could implement that on a white computer".

There was something about Macs. It took them a while to get a TPM. But I think now they do, so macs can do it too.

spwa4 5 hours ago | parent [-]

It could require you to confirm with a fingerprint though. So it's an actual second (or third) factor.

knorker 4 hours ago | parent [-]

Ah, I guess by "that" you meant the touch part, not the uncopiable part.

There are many ways to implement this. I think some Chromebooks have FIDO gated on a physical button.

If you have an unlocked device with keys usable requiring a mere touch, I'm not sure fingerprint adds much value. A button would be enough.

Actually checking with fingerprint only addresses an extremely narrow attack where someone who wants to attack you steals your device (so already physical access, meaning not DPRK hackers) while it's unlocked, and only getting a window of opportunity until you've called your security department to lock your account. … and yet this attacker would NOT be willing to use force against your person, to make you use your fingerprint.

Sure, if that's a threat model that's worth your time, use fingerprint too.

Keep in mind that already going from software only (and arguably this includes OTP app on your phone) already means effectively going to zero. Google moved to security keys and says “We have had no reported or confirmed account takeovers since implementing security keys at Google” — https://krebsonsecurity.com/2018/07/google-security-keys-neu...

So there are extreme diminishing returns after just security key with touch.

An app solution even gets a callout in that article as being not as good.