Stronger Security for Codebook

Hi Everyone! I would really like to know as to when stronger security will be implemented for Codebook on iOS & Windows 10? By stronger security, I mean 2FA/MFA or something similar to be implemented. Codebook is a great product, but with all the breaches that are happening lately, I am really concerned for my sensitive information that’s stored in Codebook. Are you guys at Zetetic waiting for a data breach to happen, before implementing 2FA/MFA or something similar? Honestly, it’s about time that this issue gets sorted, it’s long overdue.
I’m not here to start a fight with you guys… All of you work really hard at Zetetic, and produce really great products, like Codebook.

Hello @mdelport. Thanks for getting back in touch and for your continued use of Codebook (and STRIP before that!). This is something that we are actively working on, and have even performed initial testing with it internally, so I can tell you that it is a feature that will definitely be included in a future release of Codebook.

For additional context, one of the reasons this is so much more complicated to implement in an application like Codebook is that we don’t actually store any of your data remotely online or in the cloud. With a number of other password managers, they may be dependent on an online service, whereby the 2-factor is actually a function, but not necessarily integrated in the encryption mechanism itself. This is, of course, much easier to implement.

With Codebook there is no dependency on a Zetetic-run service or API, and decryption is a purely local operation. As such, the design restrictions and complexity are much higher if we are still to allow synchronization between devices, etc. Some upcoming changes in SQLCipher and Codebook will allow this with a high degree of security, while still allowing independent application functionality, i.e. without relying on a centralized authentication service.

1 Like
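An added illustration of the distinction drawn in the reply above; it is not Zetetic's code and does not describe how Codebook or SQLCipher work. It compares a second factor used only as a login gate with one mixed into local key derivation. The function names, the HMAC mixing step and the HMAC tag standing in for an encrypted database are all assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # constructed value for the example


def derive_key(password: str, salt: bytes, second_factor: bytes = b"") -> bytes:
    """Derive a 32-byte key; a supplied second_factor is mixed into the key."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if not second_factor:
        return stretched
    # Bind the second secret into the key itself (HMAC used as an extractor).
    return hmac.new(second_factor, stretched, hashlib.sha256).digest()


def seal(key: bytes) -> bytes:
    """Stand-in for encrypting a database: a tag only the right key reproduces."""
    return hmac.new(key, b"vault-check", hashlib.sha256).digest()


def opens(key: bytes, tag: bytes) -> bool:
    """True when the key reproduces the stored tag (constant-time compare)."""
    return hmac.compare_digest(seal(key), tag)


def demo() -> dict:
    salt = os.urandom(16)
    password = "correct horse"      # constructed sample password
    device_secret = os.urandom(32)  # constructed second factor held off the file

    # Design A: the second factor is only a login gate run by a service;
    # the file key comes from the password alone.
    gated_tag = seal(derive_key(password, salt))
    # Design B: the second factor is an input to local key derivation.
    bound_tag = seal(derive_key(password, salt, device_secret))

    return {
        # A copy of the file plus the password never passes through the gate.
        "gated_opens_with_password_only": opens(derive_key(password, salt), gated_tag),
        "bound_opens_with_password_only": opens(derive_key(password, salt), bound_tag),
        "bound_opens_with_both": opens(derive_key(password, salt, device_secret), bound_tag),
    }


if __name__ == "__main__":
    print(demo())
```

In design B every synchronized device needs the second secret to open the file, which is the kind of design restriction the reply refers to.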

Hello Support. A great product which I have used since the early days. I share the concern about a single password protecting critically sensitive data. What progress is being made to provide MFA validation on mobile or desktop? Thank You.