A place for developers to talk about building on Farcaster.

/dev

What are the security differences between storing a seed phrase in the following ways:

- Locked note in iCloud
- Password-protected in Keychain like how Rainbow does it
- largeBlob with a passkey in iOS17+

I think I understand the UX implications of each, but curious about the technical side

I like baking /goodbread and building apps on web3 protocols. DevRel @ ENS Labs

Technowatermelon. Elder Millenial. Building Farcaster. 

nf.td/varun

My general POV is that the security of all three is reasonably good, unless you're storing a life-changing amount of money in the wallet, in which case I would do none of these. 

The UX diffs between them are huge - largeBlobs wins by a big margin.

BDFL of Quilibrium, ex-Farcaster, ex-Coinbase, always opinionated, never hydrated

/quilibrium

Wrapped QUIL

Interesting, looks like Notes passwords are encrypted but maybe not via Keychain 🤔

Then there's a different "Secure Notes" feature in the Keychain Access app, I wonder if it's using the same underlying tech

@cassie wdyt?

TIL on Notes being e2ee separately from your iCloud data

Interesting, looks like Notes passwords are encrypted but maybe not via Keychain 🤔

Then there's a different "Secure Notes" feature in the Keychain Access app, I wonder if it's using the same underlying tech https://support.apple.com/guide/keychain-access/store-confidential-information-securely-kyca2268/mac

cc @cassie 

1/ Keychain is a more secure part of the operating system on iOS and macOS vs. Notes is an app, likely more basic password security (likely not encrypted)

Password-protected back up is likely decent encryption, but if you forget the password you're screwed.

- DO NOT USE NOTES. They don't enforce any secure data practices since they are just stored on disk (See Disk risks on right)
- KeyChain is the best option right now
- A PassKey is just replaces your password — It would be something that you could use to unlock your KeyChain (Wallet in crypto)

The problem is that the a file on disk mean anyone who hacks your computer can grab it, it has no data integrity, and will not be securely deleted, and it doesn't have secure sync. It does have a password and it is backed up into iCloud but that doesn't mean it's going to back up the correct bits.

hmm but my locked notes are securely synced via iCloud

Maybe I’m misunderstanding ?

We have a slide on this in our pitch deck… (except for the locked note).

Apple gave a talk on iCloud security in 2016 at blackhat.

We have a slide on this in our pitch deck… (except for the locked note).

Apple gave a talk on iCloud security in 2016 at blackhat.

https://youtu.be/BLGFriOKz6U?feature=shared

You can't use the secure enclave. It doesn't support secp256k1 ECC.

You can't use the secure enclave. It doesn't support secp256k1 ECC.

https://warpcast.com/joeblau/0x151e75

Related

https://warpcast.com/dwr.eth/0xef6d810c

I do indeed! I was aware of prf when I was looking into where/how encryption keys might be generated when using webauthn

you might also like the prf extension

https://github.com/w3c/webauthn/wiki/Explainer:-PRF-extension

largeBlob is interesting, I didn't realize that was part of the webauthn spec. Pretty positive implications for e2ee products IMO