NOTE: This project is still in the prototyping phase, but I'm posting early for three reasons:
- I want to let people know what I'm working on to get a sense of the interest.
- I want to give Yubico the chance to object to this before I submit any code to pwSafe. I would be sad if Yubico squashed this project, but I would be so much sadder if they sued me under the DMCA.
- By posting this publicly, I'm putting some pressure on myself to actually get this done.
Project Name: YubiKey emulation for pwSafe on iOS
License: TBD (depends on how things work out with the pwSafe team)
Description: The goal of this project is to add YubiKey-compatible HMAC-SHA1 challenge-response emulation to pwSafe for iOS so that safes can be shared between Windows PCs and iOS devices without sacrificing two-factor authentication.
Platforms: Hopefully all iOS versions supported by pwSafe
Webpage: The plan is to submit the code to App77 for inclusion in pwSafe, so unless there is a reason to post some of my code separately, I probably won't create a separate site.
Tutorial: None yet, but if App77 accepts my code, the pwSafe FAQ should get updated
Background
I use Password Safe on Windows and the pwSafe app on my iPhone. I want to have access to my safes wherever I am, but I don't trust Dropbox enough to feel confident protecting my safes with just a password. Enter YubiKey, which saves the day with super-simple two-factor authentication! I can use it to securely access my safes from anywhere in the world ... except on my iPhone.
Some companies that produce less convenient hardware authentication tokens (e.g. for authenticating with your company's VPN) provide phone apps that emulate the functionality of the hardware token. Wouldn't it be nice if my iPhone could emulate my YubiKey, at least as far as pwSafe is concerned?
Status
After quite a bit of experimentation, I was able to write a simple Python script that accepts my Password Safe password and my YubiKey secret and generates the response required to unlock my YubiKey-secured safe (without using my YubiKey). The next step is to implement the equivalent code in Objective-C along with code for securely storing the YubiKey secret. Finally, I'll need to make changes to the pwSafe UI and contribute all of this back to the pwSafe team. (Isn't open source great?!)
I will post again or update this post as I make progress. I will also be updating a related thread on the pwSafe forum:
http://pwsafe.uservoice.com/forums/118319-general/suggestions/3050099-add-yubikey-otp-support
I'd love to hear feedback from folks who think this is valuable and folks who have suggestions/questions/security concerns. I'd also love to hear something from the Yubico team so I don't have to live in fear of receiving a DMCA cease-and-desist letter.
Thanks in advance for any feedback!