YUBIKEY and Codebook


#1

I want to at least use 2 factor authentication to open my password manager. Using the fingerprint for iOS is great, but I need something like Yubikey for my PC’s. Is there any move to implementing this for Codebook in the future?


#2

Hello @Mekbeth8

Codebook uses SQLCipher, our open source fully encrypted database [1] to store all of the data. In the event you are interested in learning a bit more about the security involved in the software, we discuss the design details here [2]. That said, we did some research [3] in which we implemented a custom virtual file system interface within SQLCipher to allow for integrations such as the Yubikey. Currently there has not been a large interested in adding this extended security from our customers, however we will consider this request and should interest increase we may pursue the feature. Thank you for your feedback!

[1] https://www.zetetic.net/sqlcipher/
[2] https://www.zetetic.net/sqlcipher/design/
[3] https://github.com/sqlcipher/sqlcipher/tree/vfs


#3

It’s not the same thing as setting up the system for full yubikey use, where the yubikey api is queried when you press its button, an ack is received, and you are let in, but here’s an idea, @Mekbeth8 :

Perhaps you’re aware that with a yubikey, you can program its second “slot” to return whatever string you want, using the yubico personalization tool. You could assign an extra long master password to your Codebook vault, and program that as a static password in your yubikey’s slot 2, and then do a long press on your yubikey to access that.

I created a quick annotated screenshot to show you how. If you want the long-press to also emulate an enter after the password is inserted, use the “insert tab” key for that, at the end of your password.

This method combined with using the iOS fingerprint access on iPhone, is probably at least worth a look.


#4

Rick,
That is a great workaround. Thanks!


#5

My pleasure @Mekbeth8.

Another idea. If you want to combine the “what you have” (yubikey) with “what you know” (a password), you could set the master password in Codebook to something like:

easy!47=army=TEAM=carry=fight=SLOWLY=HANG=27!

where,

  1. easy is something simple you remember, and type in first when prompted and
  2. !47=army=TEAM=carry=fight=SLOWLY=HANG=27! is what you program into the yubikey

Then, when prompted at your computer to enter the master password, you type the easy part in, then long-press the yubikey to get it to add the rest. On the iPhone, you just set it up so the whole thing is linked to your fingerprint.

The problem with the fingerprint scanning on iPhone is, you have to type it in some times since iOS forces that. I think on reboots or whatever.


#6

Hi @rickcogley,

An excellent idea of applying secret sharing with the use of the Yubikey! Thanks for sharing.


#7

Sure thing, @developernotes. I’ve been spending effort to get my clients in Japan to be more aware of security, generally speaking.

Say, on iOS, when you link your Touch ID to Codebook’s master password, is it true that indeed you sometimes have to enter it manually? Or, is that only for using Touch ID for unlocking the device?


#8

In the event that the Touch ID system fails to properly read your fingerprint, the Touch ID system will require that you enter your Touch ID pass code which will them retrieve the Codebook password from the secure enclave.


#9

If I don’t have a new iPhone or android with a touch ID I will need to use
a typable password still correct? Since I would have to type in the
password to access on the phone right?


#10

Yes, that’s the tradeoff @Mekbeth8


#11

I fleshed this out into a longer blog post, @Mekbeth8. Have a look if you like:

@developernotes @wgray I used/linked Codebook in the post, fwiw.


#12

Hi @rickcogley

Thanks so much for the reference and sharing the link!