Security is a mess, and why a threat model is important
-
Should you store them in the password manager itself?
No. Yubikeys support storing 2FA keys on hardware. Just buy one, they start from 33€.
Make sure you're getting a newer one.
They have versions which have a hardware vulnerability that allows the device to be cloned.
-
If someone observed you entering your `ring 0` passphrase and stole your backup of `ring 0` or `ring 0` itself, the database becomes vulnerable. For that reason, it is a good idea to encrypt your database using a different passphrase than `ring 0`, and/or mitigate the risk of someone having the ability to see you type your `ring 0` passphrase.

Storing the `ring 0` passphrase on a hardware security key as I mentioned in the previous reply allows you to automatically type your `ring 0` passphrase without the need to remember it or risk being seen typing it in. Another way to mitigate this attack would be enabling biometrics on your `ring 0` device. However, that doesn't protect against someone seeing you type the passphrase in a BFU state.

This is the method I've come up with:

I have a hardware security key (let's call it `hsk 0`). It is configured to store the passphrase for my airgapped GrapheneOS phone (my `ring 0` device). `ring 0` has biometrics enabled. This means `hsk 0` is only used to unlock `ring 0` in the BFU state, and can be kept in the safe otherwise. A second factor PIN can be applied to `ring 0`, and a copy stored in the safe. In general, the second factor PIN will be used often enough to memorize. My `ring 0` has a KeePassDX database (`db 0`), and Aegis for TOTP (I want to avoid the mixup of saying 2FA when I am referring to TOTP). `db 0` is protected using a memorized passphrase, and also has biometrics enabled. I found that storing the `db 0` passphrase using any other medium introduces too many risks and vulnerabilities. Inside `db 0` is the duress passphrase for `ring 0`, as well as all device credentials for `ring 1` devices. The Aegis app will store TOTP for all accounts. An unencrypted backup of the phone will be made and stored in the safe.

Let's pause here and recap what would need to happen in order to obtain a `ring 1` passphrase:

- An attacker would need either the phone or a backup of it
- If the attacker has the phone in a BFU state, the attacker would need `hsk 0` stored in your safe to unlock it
- If the attacker has the phone in an AFU state, the attacker would need your fingerprint as well as the second factor PIN you have memorized or a copy of it in your safe
- Once the attacker unlocks the phone, or if the attacker only has a backup of the phone, the attacker would need the passphrase only you know in order to unlock the database.

It's important the safe isn't stored in your home, but rather something like a safety deposit box, that way you aren't alone near the safe at any time.

The passphrase for Aegis is stored in `db 0`, and biometrics can be enabled if you want. Each `ring 1` device contains an independent KeePassXC database, that way if a device is remotely compromised while the database is unlocked the damage is minimal. An encrypted backup server is one of the `ring 1` devices, which keeps all other `ring 1` devices automatically backed up. All accounts are protected via 2FA (whether it's another hardware security key (`hsk 1`) or TOTP). 2FA recovery codes are stored in a safe separate from our `ring 0` backup. That means TOTP follows the 3-2-1 backup method (1 copy on `ring 0`, 1 backup in a safe offsite, and 2FA recovery codes kept somewhere else; 3 different storage mediums).

Now, what an attacker would have to do to break into an account:

- Compromise the device hosting the KeePassXC database storing the account
- Compromise the KeePassXC database
- If the account is protected by TOTP: either compromise `ring 0` and compromise Aegis, or find the backup of `ring 0` and compromise Aegis, or find the 2FA recovery codes
- If the account is protected by a hardware security key: find `hsk 1` (or a backup of it)

Some hardware security keys allow entering a PIN before successful authentication. One of those is good as your "main" `hsk 1`, and the PIN can be stored in `db 0` in case you forget (forcing the attacker to also need to compromise `ring 0` to use `hsk 1`).

I'm a bit tired while writing this, so please point out any obvious flaws. Here is a summary:

- A hardware security key `hsk 0` stores the passphrase for `ring 0`
- `hsk 0` is stored in a safe (`safe 0`) when not in use, and a backup can be stored in another safe (`safe 1`)
- `ring 0` has biometrics enabled, as well as a second factor PIN
- The second factor PIN is both memorized and a copy stored in `safe 0`
- You have the passphrase for `ring 0`'s KeePassDX database (`db 0`) stored in memory
- `db 0` has biometrics enabled
- Aegis is installed on `ring 0` to store all TOTP codes
- A backup of `ring 0` is stored in `safe 0`
- `db 0` stores the credentials for all `ring 1` devices
- One `ring 1` device is used as an encrypted backup server for all other `ring 1` devices
- Each `ring 1` device has its own independent KeePassXC database (`db 1`)
- All accounts are either protected with another hardware security key (`hsk 1`) or TOTP.
- 2FA recovery codes are stored in `safe 1`
- A copy of `hsk 1` is kept in `safe 0`
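The attacker requirements the post above lists, as an added example that is not the poster's own code: an AND/OR attack-path model that derives what an attacker can reach from what they hold, so each "what would need to happen" recap can be checked mechanically. Leaf names such as phone_bfu, safe0, hsk1_main and db1_passphrase are assumed labels for the post's items, not terms from the thread.

```python
# Attack-path model of the ring 0 / ring 1 scheme in the post (constructed
# example). Goals are AND/OR rules transcribed from the post; leaf names are assumed.
from typing import Dict, FrozenSet, List, Set

Rules = Dict[str, List[FrozenSet[str]]]  # goal -> alternatives (OR of ANDs)

def rule(*alts: List[str]) -> List[FrozenSet[str]]:
    return [frozenset(a) for a in alts]

SCHEME: Rules = {
    # BFU: phone plus hsk 0; AFU: phone, fingerprint and the second factor PIN
    "ring0_unlocked": rule(["phone_bfu", "hsk0"],
                           ["phone_afu", "fingerprint", "second_factor_pin"]),
    "hsk0": rule(["safe0"], ["safe1"]),          # kept in safe 0, backup in safe 1
    "second_factor_pin": rule(["safe0"]),        # copy in safe 0 (else memorized only)
    "ring0_backup": rule(["safe0"]),             # unencrypted phone backup in safe 0
    "db0_contents": rule(["ring0_unlocked", "db0_passphrase"],
                         ["ring0_backup", "db0_passphrase"]),
    "ring1_passphrase": rule(["db0_contents"]),  # db 0 holds ring 1 device credentials
    "aegis_passphrase": rule(["db0_contents"]),
    "hsk1_pin": rule(["db0_contents"]),
    "aegis_totp": rule(["ring0_unlocked", "aegis_passphrase"],
                       ["ring0_backup", "aegis_passphrase"]),
    "recovery_codes": rule(["safe1"]),
    "hsk1": rule(["hsk1_main"], ["safe0"]),      # the key itself, or its copy in safe 0
    "second_factor": rule(["aegis_totp"], ["recovery_codes"], ["hsk1", "hsk1_pin"]),
    "db1_contents": rule(["ring1_device", "ring1_passphrase", "db1_passphrase"]),
    "account": rule(["db1_contents", "second_factor"]),
}

def derive(rules: Rules, holdings: Set[str]) -> Set[str]:
    """Fixed point: add every goal for which some alternative is fully satisfied."""
    known = set(holdings)
    changed = True
    while changed:
        changed = False
        for goal, alts in rules.items():
            if goal not in known and any(alt <= known for alt in alts):
                known.add(goal)
                changed = True
    return known

def can_reach(rules: Rules, holdings: Set[str], goal: str) -> bool:
    return goal in derive(rules, holdings)

def single_points_of_failure(rules: Rules, goal: str) -> List[str]:
    """Leaves (names that are not goals) that alone let an attacker reach `goal`."""
    leaves = {p for alts in rules.values() for alt in alts for p in alt} - set(rules)
    return sorted(leaf for leaf in leaves if can_reach(rules, {leaf}, goal))
```

A non-empty `single_points_of_failure` result for `account` or `ring1_passphrase` would flag a single item whose loss breaks the scheme; with the rules as transcribed, the only single point is the `hsk 1` copy in `safe 0`, which the post already acknowledges.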
-
Your system sounds well thought out and more than secure enough for most people's needs, so if that is what works for you I would go for it. I also like the fun idea for the duress passphrase, I just hope a friend doesn't get tempted to try and unlock your phone and accidentally wipe everything! Overall, the only comments I would make are:

- be wary of using biometrics for `ring 0`, in countries like the US the cops can force you to use your biometrics, by law. GrapheneOS does have ways to quickly disable biometric unlock in emergencies, or automatically disable it after a set period of time
- you are using both a security key and a passphrase for securing the `ring 0` database. Perhaps commit to one of them, to reduce complexity. The more complicated the system, the more places there can be vulnerabilities
- getting access into the `ring 0` device is effectively compromising the database, even if you have a password on the database. There are numerous things that an attacker can do once in control of the device, like enabling internet, flashing a custom ROM and copying all the files over to make it look identical, installing a keylogger, changing the UI to hide any modifications, etc. This is also why I try to use my `ring 0` device as little as possible, every time I enter the password is another chance for the password to be stolen
- putting your Aegis TOTP app on `ring 0` means you have to constantly use your `ring 0` device. I prefer to use my `ring 0` device as little as possible, both for security and convenience. My TOTP app is on a `ring 1` device instead, and is only used to secure online accounts (which I consider `ring 2`). If you want to use 2FA for `ring 1` then I suppose you are forced to put your TOTP app on `ring 0`, though I find the inconvenience not worth it.
-