sqleet
webauthn-recovery-extension
sqleet | webauthn-recovery-extension | |
---|---|---|
1 | 9 | |
372 | 55 | |
- | - | |
1.4 | 4.1 | |
about 1 year ago | 5 months ago | |
C | Python | |
The Unlicense | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sqleet
-
Database Encryption
The https://github.com/resilar/sqleet encryption extension is free / open source.
webauthn-recovery-extension
-
A Yubico FAQ about passkeys
> I have to admit I don’t really see the point of making this be part of a secure token. The “username” store (actual username, tuple of (username, FIDO blob) or whatever) doesn’t seem terribly sensitive from a local attack perspective, but it is fairly sensitive from a privacy perspective. Wouldn’t it work better to have this be stored by a browser, per container, etc?
An agent that registers non-discoverable credentials as discoverable ones via local storage is an option, although not one that browsers have yet chosen to support.
This however locks you onto a browser (if it doesn't have a cloud sync fabric) or into a particular ecosystem (if that browser has a sync fabric). Authenticators support discoverability because a limitation of only being able to authenticate in a single browser is significant.
Since authenticators tend to either support both discoverability and user verification, or neither discoverability nor user verification, I suspect there won't be business drivers to support such user agent storage/functionality.
Note that the CredProtect extension protects discoverability of a resident credential without user verification, and Chrome requests this extension on sites' behalf by default. This protects against scenarios where a third party who gets physical access to your authenticator (thief, partner, law enforcement, border control) can introspect the websites you have accounts at without your participation.
> Also, how is enrollment of an attested-but-not-present token or a multisig group of tokens or anything that enables off site storage of a token not part of the spec? It even seems like a company like Yubico could hack up a pair of tokens that separate enrollment and authentication without a spec change. Of course, discoverable credentials are a bit of a step backwards in this regard.
There was a serious proposal: https://github.com/Yubico/webauthn-recovery-extension
The challenge is that support for such things (new multisig algorithms, this recovery extension) require active relying party participation, and many would just choose not to take on the extra effort.
So instead we have multi-device credentials, where there is a sync fabric behind the scenes. Nothing would preclude hardware credentials from participating in such a thing, although they would obviously need either radios or software assistance to do so.
To capture the change in physical hardware, a new extension (devicePubKey) is being proposed under Web Authentication. This would have the benefit over the previous recoverability proposal in that sites opt-in to extra responsibility as needed for their business logic, compared to usability being restricted unless sites do extra work.
-
[Off-topic] Questions about Android as a security key.
Yubico is working on this with their Webauthn Recovery Draft
- iOS 16 Available September 12th
- Database Encryption
- Asynchronous delegated key generation without shared secrets
-
Yubikey backup
I think OP might be referring to the proposed recovery extension for WebAuthn, which is not the same thing as extracting secrets or replicating a YubiKey.
What are some alternatives?
go-sqlite-lite - SQLite driver for the Go programming language
keepassxc - KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
SQLite3MultipleCiphers - SQLite3 encryption extension with support for multiple ciphers
pwsafe - PasswordSafe - popular secure and convenient password manager
oatpp-sqlite - SQLite adapter for oatpp ORM.
caniuse - Raw browser/feature support data from caniuse.com
react-native-quick-sqlite - Fast SQLite for react-native.
usqlite - μSQLite library module for MicroPython
sqlite-stored-procedures - Stored Procedures for SQLite
sqlite-wlx - Lister (Total Commander) plugin to view SQLite3 files
sqlite-gui - Lightweight SQLite editor for Windows