starred/pocket-id-pocket-id-1
1
0
Fork 0
mirror of https://github.com/pocket-id/pocket-id.git synced 2025-12-09 14:53:00 +03:00
Code Issues 122 Packages Projects Releases 10 Wiki Activity

🚀 Feature: Support for password + security key or double passkeys authentication flow #68

New Issue
Closed
opened 2025-10-07 23:51:35 +03:00 by OVERLORD · 10 comments
OVERLORD commented 2025-10-07 23:51:35 +03:00
Owner
Copy Link

Originally created by @TommyTran732 on GitHub.

Feature description

Passwordless login, while being secure, is not the most secure method available, because:

  • Physical security keys may have vulnerable firmware. If they are exploited, an attacker can just log into the user's account without additional verification. Additionally, a lot of the physical security keys do not encrypt their internal storage against the user PIN.
  • Software passkeys requires putting blind trust in a particular piece of software. For instance, users may store their Passkey in Bitwarden, but if Bitwarden ever gets compromised an attacker can also access the user's account.

A more secure way to handle authentication is to support one of these flows:

  • Password + Security Key: If the password gets compromised, an attacker still cannot login without the physical security key. If the key gets stolen and is vulnerable, it still doesn't mean much, because the attacker cannot login without the password.
  • Double Passkeys: Require 2 separate passkeys to login. In case one key gets compromised, the attacker still cannot login without the other. This can also be implemented as requiring a software passkey and a physical security key to provide similar assurances to the password + security key flow.

Pitch

My users are quite security conscious, so having to entirely trust a hardware or software implementation of passkey is quite off putting. It would be nice to have an option to opt-in to more secure authentication flows.

Originally created by @TommyTran732 on GitHub. ### Feature description Passwordless login, while being secure, is not the most secure method available, because: - Physical security keys may have vulnerable firmware. If they are exploited, an attacker can just log into the user's account without additional verification. Additionally, a lot of the physical security keys do not encrypt their internal storage against the user PIN. - Software passkeys requires putting blind trust in a particular piece of software. For instance, users may store their Passkey in Bitwarden, but if Bitwarden ever gets compromised an attacker can also access the user's account. A more secure way to handle authentication is to support one of these flows: - Password + Security Key: If the password gets compromised, an attacker still cannot login without the physical security key. If the key gets stolen and is vulnerable, it still doesn't mean much, because the attacker cannot login without the password. - Double Passkeys: Require 2 separate passkeys to login. In case one key gets compromised, the attacker still cannot login without the other. This can also be implemented as requiring a software passkey and a physical security key to provide similar assurances to the password + security key flow. ### Pitch My users are quite security conscious, so having to entirely trust a hardware or software implementation of passkey is quite off putting. It would be nice to have an option to opt-in to more secure authentication flows.
OVERLORD commented 2025-10-07 23:51:39 +03:00
Author
Owner
Copy Link

@TommyTran732 commented on GitHub:

IMHO, I don't think Pocket ID is the right solution for this level of security requirements.

@TommyTran732 commented on GitHub: > IMHO, I don't think Pocket ID is the right solution for this level of security requirements. - It did not take a state actor to clone Google Titan keys. (https://ninjalab.io/a-side-journey-to-titan/) - It did not take a state actor to find vulnerabilities in Yubikey firmware. - It did not take a state actor to defeat the potting on the Yubikey 4 series. I have 2x Yubikey 5 nano and the plastic/potting literally just melted off from normal use, and I am not the only one it happened to either. You can see the reviews here and the plastic is already cracking and about to fall off: (https://www.amazon.com/Yubico-YubiKey-Factor-Authentication-Security/dp/B07HBTBJ5S)
OVERLORD commented 2025-10-07 23:51:39 +03:00
Author
Owner
Copy Link

@TommyTran732 commented on GitHub:

While possible, they still require lots of sophisticated attackers.

A lot of them do not require any "sophisticated attackers".

Like with the Yubikey 5 Nano example, you can see that the plastic just cracks and falls off on its own.

Here are a few other examples:

And keep in mind, these do not encrypt their internal storage against the user PIN. The vast majority of keys are like that. In fact, I am only aware of 2 security keys that provides any kind of encryption: Trezor devices and the OnlyKey.

Require physical access to the security key

There is a reason why we encrypt our laptops, phones, and hard drives. We do not want people to just be able to pick up our devices and access our data. So why take the risk that someone can just pick up your security and log into all of your accounts?

The risk of compromise is always there, and it doesn't always take a state actor or someone at that level to pull this off. This is a downgrade from the traditional MFA model of "something you have and something you know", because if the key is vulnerable (which they are found to be all the times), you are down to just "something you have".

@TommyTran732 commented on GitHub: > While possible, they still require lots of sophisticated attackers. A lot of them do not require any "sophisticated attackers". Like with the Yubikey 5 Nano example, you can see that the plastic just cracks and falls off on its own. Here are a few other examples: - https://www.hexview.com/~scl/neo/ (The guy just stripped the plastic with household chemicals) - The NitroKey having no potting whatsoever. And keep in mind, these do not encrypt their internal storage against the user PIN. The vast majority of keys are like that. In fact, I am only aware of 2 security keys that provides any kind of encryption: Trezor devices and the OnlyKey. > Require physical access to the security key There is a reason why we encrypt our laptops, phones, and hard drives. We do not want people to just be able to pick up our devices and access our data. So why take the risk that someone can just pick up your security and log into all of your accounts? The risk of compromise is always there, and it doesn't always take a state actor or someone at that level to pull this off. This is a downgrade from the traditional MFA model of "something you have and something you know", because if the key is vulnerable (which they are found to be all the times), you are down to just "something you have".
OVERLORD commented 2025-10-07 23:51:39 +03:00
Author
Owner
Copy Link

@kmendell commented on GitHub:

What makes pocket-id unique is the passkey only behavior, so we do not plan on adding password authentication. While security concerns are valid, we have answered these concerns in previous issues about how passkeys are more secure and have a more difficult attack surface.

Ill leave here for @stonith404 to add anymore notes as well.

@kmendell commented on GitHub: What makes pocket-id unique is the passkey only behavior, so we do not plan on adding password authentication. While security concerns are valid, we have answered these concerns in previous issues about how passkeys are more secure and have a more difficult attack surface. Ill leave here for @stonith404 to add anymore notes as well.
OVERLORD commented 2025-10-07 23:51:40 +03:00
Author
Owner
Copy Link

@ItalyPaleAle commented on GitHub:

IMHO, I don't think Pocket ID is the right solution for this level of security requirements.

If your adversaries are sophisticated enough to be able to break into Yubikeys, you are dealing with state-level actors stuff, and have different problems than what Pocket ID is designed for. It's the

Even then, it's more likely than adversaries with this level of sophistication would be able to find other flaws in Pocket ID - or even result to physical violence (relevant XKCD)

@ItalyPaleAle commented on GitHub: IMHO, I don't think Pocket ID is the right solution for this level of security requirements. If your adversaries are sophisticated enough to be able to break into Yubikeys, you are dealing with state-level actors stuff, and have different problems than what Pocket ID is designed for. It's the Even then, it's more likely than adversaries with this level of sophistication would be able to find other flaws in Pocket ID - or even result to physical violence ([relevant XKCD](https://www.xkcd.com/538/))
OVERLORD commented 2025-10-07 23:51:40 +03:00
Author
Owner
Copy Link

@ItalyPaleAle commented on GitHub:

All of the links you share require physical access to the security key, and some require very sophisticated hardware (e.g. for Google Titan, they are performing a side-channel attack studying the electromagnetic signals and then using a custom ML model). While possible, they still require lots of sophisticated attackers.

@ItalyPaleAle commented on GitHub: All of the links you share require physical access to the security key, and some require very sophisticated hardware (e.g. for Google Titan, they are performing a side-channel attack studying the electromagnetic signals and then using a custom ML model). While possible, they still require lots of sophisticated attackers.
OVERLORD commented 2025-10-07 23:51:41 +03:00
Author
Owner
Copy Link

@TommyTran732 commented on GitHub:

@savely-krasovsky

Given what hardware and resources they used to restore one key.

All I know it is that with various keys it is possible to gain access to their flash storage with relative ease and that their internal storage is not encrypted.

Not to mention that they would have had to steal it beforehand.

So do you walk around with an unencrypted laptop? Must be so secure because nobody ever steals your hardware right?

Even synced passkeys set a very high bar for security

They do not. In the case of Bitwarden for example, the users are compelled to use the web vault to perform certain actions from time to time, and the web vault can be trivially compromised by malicious server or reverse proxy. Or in the case of Apple Keychain, the keychain is encrypted against the device PIN. How many iPhone users set a diceware passphrase on their phone? Or is it simply the norm for people to use an extremely weak 4 digit PIN?

and security keys just raise it even higher

It depends on the key and the firmware. Not all FIDO2 security keys are created equal.

@TommyTran732 commented on GitHub: @savely-krasovsky > Given what hardware and resources they used to restore one key. All I know it is that with various keys it is possible to gain access to their flash storage with relative ease and that their internal storage is **not** encrypted. > Not to mention that they would have had to steal it beforehand. So do you walk around with an unencrypted laptop? Must be so secure because nobody ever steals your hardware right? > Even synced passkeys set a very high bar for security They do not. In the case of Bitwarden for example, the users are compelled to use the web vault to perform certain actions from time to time, and the web vault can be trivially compromised by malicious server or reverse proxy. Or in the case of Apple Keychain, the keychain is encrypted against the device PIN. How many iPhone users set a diceware passphrase on their phone? Or is it simply the norm for people to use an extremely weak 4 digit PIN? > and security keys just raise it even higher It depends on the key and the firmware. Not all FIDO2 security keys are created equal.
OVERLORD commented 2025-10-07 23:51:41 +03:00
Author
Owner
Copy Link

@savely-krasovsky commented on GitHub:

@TommyTran732 come on, are you seriously using state-of-the-art attacks as an example? And essentially assuming unlimited time and money? Given what hardware and resources they used to restore one key. Not to mention that they would have had to steal it beforehand. Even synced passkeys set a very high bar for security, and security keys just raise it even higher.

@savely-krasovsky commented on GitHub: @TommyTran732 come on, are you seriously using state-of-the-art attacks as an example? And essentially assuming unlimited time and money? Given what hardware and resources they used to restore one key. Not to mention that they would have had to steal it beforehand. Even synced passkeys set a very high bar for security, and security keys just raise it even higher.
OVERLORD commented 2025-10-07 23:51:41 +03:00
Author
Owner
Copy Link

@stonith404 commented on GitHub:

@TommyTran732 please refer to #446, I think @savely-krasovsky has explained this very well there.

@stonith404 commented on GitHub: @TommyTran732 please refer to #446, I think @savely-krasovsky has explained this very well there.
OVERLORD commented 2025-10-07 23:51:42 +03:00
Author
Owner
Copy Link

@savely-krasovsky commented on GitHub:

All I know it is that with various keys it is possible to gain access to their flash storage with relative ease and that their internal storage is not encrypted.

All I know it is that without extensive knowledge that only few people posses and a bunch of expensive hardware nobody will be able to hack your keys "with relative ease".

In my opinion, both @ItalyPaleAle and I are trying to tell you that your threat model is very different from the one the developers had in mind when Pocket-ID was created. You're expecting to be targeted by state-level actors, or at least by a group with the resources to hire leading specialists with high-end labs to carry out a targeted hack, which could include stealing your key beforehand. IMO, Pocket-ID isn't a good fit for that, simply because it wasn't advertised or developed as a "highest-security" product to begin with.

@savely-krasovsky commented on GitHub: > All I know it is that with various keys it is possible to gain access to their flash storage with relative ease and that their internal storage is not encrypted. All I know it is that without extensive knowledge that only few people posses and a bunch of expensive hardware nobody will be able to hack your keys "with relative ease". In my opinion, both @ItalyPaleAle and I are trying to tell you that your threat model is very different from the one the developers had in mind when Pocket-ID was created. You're expecting to be targeted by state-level actors, or at least by a group with the resources to hire leading specialists with high-end labs to carry out a targeted hack, which could include stealing your key beforehand. IMO, Pocket-ID isn't a good fit for that, simply because it wasn't advertised or developed as a "highest-security" product to begin with.
OVERLORD commented 2025-10-07 23:51:42 +03:00
Author
Owner
Copy Link

@ItalyPaleAle commented on GitHub:

So do you walk around with an unencrypted laptop? Must be so secure because nobody ever steals your hardware right?

The reasons we encrypt our laptops' drives are VASTLY different: because extracting data from a laptop's hard drive requires nothing more than a screwdriver and a SATA cable (so every person with minimal IT training can do that), for compliance reasons (FIPS/HIPAA, etc), or to make it easy to re-sell them (because SSDs are hard to securely erase). There's more: these threats are often non-targeted (thousands of laptops are left at airports every year by distracted travelers...), and once someone has your laptop you generally cannot perform a remote wipe.

You're trying to say it's equivalent to using state-of-the-art, extremely sophisticated attacks on security keys. Which are generally targeted (just finding a YubiKey at the airport won't help much if you don't know whose key it is and for which accounts), and require very complex methods and tools. You can also remotely disable the security key (removing its association to the account) as soon as you realize it is lost, rendering it useless.

@ItalyPaleAle commented on GitHub: > So do you walk around with an unencrypted laptop? Must be so secure because nobody ever steals your hardware right? The reasons we encrypt our laptops' drives are VASTLY different: because extracting data from a laptop's hard drive requires nothing more than a screwdriver and a SATA cable (so every person with minimal IT training can do that), for compliance reasons (FIPS/HIPAA, etc), or to make it easy to re-sell them (because SSDs are hard to securely erase). There's more: these threats are often non-targeted (thousands of laptops are left at airports every year by distracted travelers...), and once someone has your laptop you generally cannot perform a remote wipe. You're trying to say it's equivalent to using state-of-the-art, extremely sophisticated attacks on security keys. Which are generally targeted (just finding a YubiKey at the airport won't help much if you don't know whose key it is and for which accounts), and require very complex methods and tools. You can also remotely disable the security key (removing its association to the account) as soon as you realize it is lost, rendering it useless.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
breaking
bug
documentation
feature
needs more upvotes
open to pull requests
pull-request
Mirrored from GitHub Pull Request
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/pocket-id-pocket-id-1#68
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?