The idea is to use public/private key cryptography to store encrypted data that only a user with biometric login can access it.
I 'm successfully using WebAuthn and this library to login and I store the credential ID and a public key. Now, as I read, I can't use this to encrypt data because I can't have the WebAuthn API decrypt it, its only used for authentication.
The question is, can I protect local browser storage with WebAuthn? If so, I could use window.crypto.subtle.generateKey to generate a RSA key, store the private locally and protect it with WebAuthn, then reuse it when necessary.
Best,
The closest thing would be to use the PRF extension that's in the draft of WebAuthn level three. However, it is not yet supported in any browser nor by any platform authenticator I'm afraid. (Although many FIDO2 security keys support the underlying hmac-secret extension to CTAP2.)
Related
I would like to use WebAuthn to securely store and retrieve some senstive information on mobile Safari.
I mention Safari specifically because it is my main target browser and the storage and retrieval of password credentials is unsupported there. Ideally, I would like to use the device biometric sensors on iOS and as I understand it, it's only possible using WebAuthn and a public key credential.
I don't want to have to create a server based service that has to store this sensitive information and to evaluate credential signatures. I would like to implement entirely on the client side.
Is there any straightforward or workaround solution to achieve this?
A passkey is a credential used for phishing-resistant authentication. It is not designed to store arbitrary information nor is WebAuthn designed to store or retrieve arbitrary information.
I am building a React.JS application that is supposed to encrypt and decrypt data.
I'm using the subtlecrypto api to create RSA key pairs. I want to store them, preferably in the browser, in a way the user can re-use them when he returns to the site.
I absolutely do NOT want to store them in any kind of server or online storage, because that would defeat the purpose of the whole exercise.
Is there a dedicated facility to store secrets like that? If not, what is the most secure option available?
im have designed a complete mobile app.
The user has to login with their credientails in order to access the app. However, I am unsure where to store the credentials once he/she signs in. I will be reusing the username throughout different screens in the app. Where can I store them and how can i access them? is there such thing as a global variable for instance?
Also, say a user logged in the first time. I want the user to be able to shut down the app. Once the user comes back, he/she should not be asked to reenter their credentials. How can that be done?
Thanks
Luckily, all these infos are available on the official React Native docs.
https://reactnative.dev/docs/security#storing-sensitive-info
For persisted user data, choose the right type of storage based on its sensitivity. As your app is used, you’ll often find the need to save data on the device, whether to support your app being used offline, cut down on network requests or save your user’s access token between sessions so they wouldn’t have to re-authenticate each time they use the app.
The usual way to achieve that is by using the secure storage of each platform.
iOS - Keychain Services
Keychain Services allows you to securely store small chunks of sensitive info for the user. This is an ideal place to store certificates, tokens, passwords, and any other sensitive information that doesn’t belong in Async Storage.
Android - Secure Shared Preferences
Shared Preferences is the Android equivalent for a persistent key-value data store. Data in Shared Preferences is not encrypted by default, but Encrypted Shared Preferences wraps the Shared Preferences class for Android, and automatically encrypts keys and values.
Android - Keystore
The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device.
In order to use iOS Keychain services or Android Secure Shared Preferences, you can either write a bridge yourself or use a library which wraps them for you and provides a unified API at your own risk. Some libraries to consider:
expo-secure-store
react-native-keychain
react-native-sensitive-info - secure for iOS, but uses Android Shared
Preferences for Android (which is not secure by default). There is
however a branch that uses Android Keystore.
redux-persist-sensitive-storage - wraps react-native-sensitive-info
for Redux.
More on that here: https://reactnative.dev/docs/security#secure-storage
I'd like to develop an firefox add-on that will require access to the Amazon Product Advertising API. This is granted by using private access tokens after signing up for it.
Now I was wondering if there is a way of keeping the access information private while still open-sourcing the add-on itself? I haven't found any information regarding this issue on the firefox developer hub.
You need to get the calls forwarded from your backend using the hidden keys. Check nginx config for request forwarding.
I want to create a client-side (server-less) application using the AWS SDK for JavaScript in the Browser. All intended users of the tool have individual IAM users and access to the AWS Web Console.
I want all API calls to be executed in the context of individual IAM users, so they are subject to each user's individual permissions, and so that I can see who did what in CloudTrail.
Since no kind of browser local storage should be trusted with persistent credentials, I cannot simply let the user enter his secret access key once and keep it.
However I guess I could request the user's access key id and secret access key on the beginning of each session, then call STS GetSessionToken with it, and only store the resulting temporary security credentials in the session storage and use that for all following SDK usage.
Of course it would be much nicer for users to be able to log in with their IAM user and password instead of their long and cryptic access key (think of mobile devices...).
Is there any kind of federated login option for IAM users (redirecting them to the AWS IAM login page), or a way to call the STS API with username and password?
Ideally, what you want is login via IAM user/password combination. As far as I am aware (and also see this) there is no standard way of doing this.
In one of my projects, I've simulated online login using HTTP client. If you can get the session token with that, that could work for you. But it does not support MFA, and is relying on the internals of the AWS authentication implementation which might change without warnings.