Comments (13)
From @ElCarlosCZ on January 12, 2018 23:42
Why not add both? ;-)
I'm also voting for fingerprint support
from burstcoin-mobile.
From @ndawad on January 14, 2018 19:31
Why not... Sounds like a great idea
From @harry1453 on March 4, 2018 13:11
I would be happy to work on developing this if the source code was out there.
from burstcoin-mobile.
@harry1453 This will soon be the case!
From @harry1453 on March 4, 2018 13:25
@cgebe Thanks!! Any idea of a timescale?
from burstcoin-mobile.
A matter of days.
From @harry1453 on March 4, 2018 13:37
Thanks! Would you mind letting me know when it happens? I am very keen to help out on this.
from burstcoin-mobile.
You will be able to find the repo in our GitHub org in addition to an announcement on Twitter!
From @harry1453 on March 4, 2018 15:30
Thanks. On the actual issue, I understand the pin is not stored locally. This makes sense; however, if we were to enable fingerprint authentication, either the pin would have to be stored locally to decrypt the passphrase (which is insecure) or the fingerprint data would have to be used to encrypt the passphrase, which would result in the user having to choose between using fingerprint or using PIN.
So the potential solutions are: using an unencrypted copy of the passphrase and having the authentication at a GUI level only; keeping a plaintext copy of the pin in the application storage space, which is user-accessible on rooted devices; or some other solution such as this project, which could potentially allow us to store two copies of the encrypted passphrase: one encrypted with the PIN, one encrypted with the fingerprint. I will look into it!
from burstcoin-mobile.
Hey, thanks for the suggestion. I'm happy to discuss this. Take into account that at the moment the passphrase is saved encrypted (AES) with the following key: sha256(pin + device.id). The pin is not saved at all and therefore needs to be entered every time an authorized action needs to be executed.
In order to not change the current process at all, an option would be saving the pin or the key (sha256(pin + device.id)) encrypted with a key based on a constant provided by the fingerprint sensor and saving it in an additional field of the account object. I need to look into the fingerprint library in order to verify this possible solution.
Edit: FYI, I do not want to replace the pin with the fingerprint process completely, just offer it as an alternative.
From @harry1453 on March 4, 2018 16:39
> Edit: FYI, I do not want to replace the pin with the fingerprint process completely, just offer it as an alternative.
That makes absolute sense as a significant proportion of devices do not have fingerprint sensors.
Saving sha256(pin + device.id) encrypted with the fingerprint data sounds like it would work nicely; however, the NativeScript (I gather from other posts around here this is what we are using) library has only this (line 112):
onAuthenticationSuccess(): void {
    resolve();
}
There are multiple branching options in that file but all of them end up with a true or false return value.
I suggest that we store on the device a separate copy of sha256(device.id), which allows for the functionality to be added, and then we rely on a programmatic block to prevent bypassing the PIN. We could potentially increase security by using sha256(device.id + (walletNumericID)) to prevent direct theft of the wallet without access to the app first; however, both of these are susceptible to attacks if the device is rooted, as this allows direct access to the application's private data directory.
Also, are you on the Telegram group?
from burstcoin-mobile.
Sounds reasonable, I will look into this as well in the next couple of days. I would like to have the fingerprint verification as an extension. So to say, it will somehow result in storing the pin or a derivation of the same encrypted in local storage. Unfortunately, by seeing your reference, the fingerprint library obviously cannot provide a constant footprint dynamically generated when touching the sensor (which would be the best case, to prevent an unhindered decryption in case the internal storage gets accessed or stolen by an attacker). I need to evaluate the options we have.
https://discord.gg/xenZTNw for direct communication. @cgb
from burstcoin-mobile.
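The key-wrapping idea discussed in the comments above (keep the passphrase encrypted under sha256(pin + device.id), and store that key a second time, encrypted under a fingerprint-gated key, in an additional account field), sketched as an added example that is not part of the thread and is not burstcoin-mobile code. AES-256-GCM, the `GatedKeystore` stand-in and all function names are assumptions.

```javascript
// Added example, not burstcoin-mobile code. AES-256-GCM and every name below
// are assumptions; the thread only specifies AES and sha256(pin + device.id).
const crypto = require('crypto');

// Key derivation as described in the thread: sha256(pin + device.id).
const pinKey = (pin, deviceId) =>
  crypto.createHash('sha256').update(pin + deviceId).digest();

function seal(key, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce per encryption
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function unseal(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // final() throws on a wrong key
}

// Hypothetical stand-in for an OS keystore entry that is released only after
// a successful biometric prompt. A plugin that merely resolves true/false
// cannot supply this key, so the wrap must live behind the keystore itself.
class GatedKeystore {
  #key = crypto.randomBytes(32);
  unlock(biometricOk) {
    if (!biometricOk) throw new Error('biometric authentication failed');
    return this.#key;
  }
}

// Account record: the existing PIN-encrypted passphrase plus one additional
// field holding the PIN-derived key wrapped under the gated key.
function createAccount(passphrase, pin, deviceId, keystore) {
  const k = pinKey(pin, deviceId);
  return {
    encPassphrase: seal(k, Buffer.from(passphrase, 'utf8')),
    wrappedPinKey: seal(keystore.unlock(true), k), // enrolment after one auth
  };
}

const unlockWithPin = (acct, pin, deviceId) =>
  unseal(pinKey(pin, deviceId), acct.encPassphrase).toString('utf8');

const unlockWithFingerprint = (acct, keystore, biometricOk) => {
  const k = unseal(keystore.unlock(biometricOk), acct.wrappedPinKey);
  return unseal(k, acct.encPassphrase).toString('utf8');
};
```

The PIN flow is unchanged; only the `wrappedPinKey` field is new, and deleting it revokes fingerprint unlock without touching the passphrase ciphertext.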
From @harry1453 on March 4, 2018 17:25
Thanks for your help. I would love to be able to address or help to address this issue when the source code becomes open.