pwsafe VS webauthn-recovery-extension

Maybe I'm old school, but I don't want a local appliance of sorts or external app host to my passwords. I use https://pwsafe.org/ install the app on whatever device I want. Keep the database file in G Drive so it will always sync or can manually download if needed without installing G Drive. The latter I've not had to do though.

It's an Android port of http://pwsafe.org. PwSafe works on iOS, MacOS, Windows and Linux.

I'd put them all in a disk-on-key install of Password Safe (https://pwsafe.org).

passwordsafe https://pwsafe.org/

My father literally writes cryptography protocols. He's the guy with unique, 32 character alpha-numeric passwords for everything, to the point he has to look them up any time a service updates and loses the login information. He uses a password safe. Literally, it's called Password Safe. It's open-source, looks like it was written in 1995, and perfect. Just don't forget the password to the safe, because you're not hacking your way in.

Personally I use PasswordSafe4 and I backup my password files on my phone and I email myself the file every so often.

For local storage, password safe (https://pwsafe.org/) is good and was designed by Bruce Schneier.

> I have to admit I don’t really see the point of making this be part of a secure token. The “username” store (actual username, tuple of (username, FIDO blob) or whatever) doesn’t seem terribly sensitive from a local attack perspective, but it is fairly sensitive from a privacy perspective. Wouldn’t it work better to have this be stored by a browser, per container, etc?

An agent that registers non-discoverable credentials as discoverable ones via local storage is an option, although not one that browsers have yet chosen to support.

This however locks you onto a browser (if it doesn't have a cloud sync fabric) or into a particular ecosystem (if that browser has a sync fabric). Authenticators support discoverability because a limitation of only being able to authenticate in a single browser is significant.

Since authenticators tend to either support both discoverability and user verification, or neither discoverability nor user verification, I suspect there won't be business drivers to support such user agent storage/functionality.

Note that the CredProtect extension protects discoverability of a resident credential without user verification, and Chrome requests this extension on sites' behalf by default. This protects against scenarios where a third party who gets physical access to your authenticator (thief, partner, law enforcement, border control) can introspect the websites you have accounts at without your participation.

> Also, how is enrollment of an attested-but-not-present token or a multisig group of tokens or anything that enables off site storage of a token not part of the spec? It even seems like a company like Yubico could hack up a pair of tokens that separate enrollment and authentication without a spec change. Of course, discoverable credentials are a bit of a step backwards in this regard.

There was a serious proposal: https://github.com/Yubico/webauthn-recovery-extension

The challenge is that support for such things (new multisig algorithms, this recovery extension) require active relying party participation, and many would just choose not to take on the extra effort.

So instead we have multi-device credentials, where there is a sync fabric behind the scenes. Nothing would preclude hardware credentials from participating in such a thing, although they would obviously need either radios or software assistance to do so.

To capture the change in physical hardware, a new extension (devicePubKey) is being proposed under Web Authentication. This would have the benefit over the previous recoverability proposal in that sites opt-in to extra responsibility as needed for their business logic, compared to usability being restricted unless sites do extra work.

Yubico is working on this with their Webauthn Recovery Draft

I think OP might be referring to the proposed recovery extension for WebAuthn, which is not the same thing as extracting secrets or replicating a YubiKey.