Filekey - Passkey File Encryption

@basenote thank you for taking the time to break all of this down, very much appreciate it :folded_hands:

We’re excited to keep improving filekey, and this is just the kind of feedback we need.

  1. What browsers did you try? Unfortunately browsers like Safari will not work with hardware security keys until they have better PRF support.
  2. The file size is basically limited by memory right now. We’re implementing an improved approach that should get around this limitation in v2.
  3. Originally we were only going to support hardware security keys for this very reason. Some of the popular password managers just don’t natively support PRF very well or at all, making this an issue. But they should catch up soon, and then this shouldn’t be an issue going forward.
  4. Sounds like a weird bug. If you’re open to it, I would love to DM you so I can capture what’s going on and we can fix the issue for you.
  5. Agreed, it’s annoying, we’re working on it.
  6. If you have a version of Windows 10 or below, it won’t work, because there’s no OS-level support. But Windows 11 should work. Which version of Windows did you try?

Again, thank you for writing all of this up, it’s super helpful! I’ll follow up over DM to see if we can fix issue 4 for you.

I tried Firefox, Brave, and Safari. Only Brave worked. I personally only want it to work on Firefox and Brave at the very least. But bonus points for others.

Sure!

Windows 11. I am 24H2 on the latest version as far as I can tell.

–

Thank you for following up. I’m happy to help you improve this!

Found it very slick in my test usage. I like the share key feature the most. I don’t know if any other project has ever had this type of usage with FIDO2 :grinning_face_with_smiling_eyes:

1 Like

@rockwellshah I’ve built a similar web-based tool that coincidentally got posted around the same time as this one.

I ended up taking a look at Filekey and how it works, partly to satisfy curiosity and partly to see how it compares to what I implemented.

I thought that I’d share a couple of suggestions based on my experience with it and with writing a similar tool:

  1. As many have pointed out, it’s difficult to get to use it (I tried a YubiKey and also tried software keys, like those one can simulate from the Developer Tools pane, all to no avail). I understand that this may not be entirely your fault (my own experience with WebAuthn shows that it’s non-trivial to implement something that works consistently for a wide user-base). Now, that’d be fine if this is intended as an MVP / tech preview, but otherwise you may want to improve on this aspect. Similarly, I’d consider offering a fallback for users that can’t or won’t use a key or supported password manager, such as generating a passphrase.
  2. The following is mostly based on what I could gather from looking at the source code and looking at your demo video, since I wasn’t able to actually try it out:
    • You suggest installing Filekey as a PWA for offline use (or at least, mention the option). Unfortunately, PWAs are vulnerable to arbitrary updates from the server, so I’m not sure how I feel about this option. Since the tool is quite capable of running offline, I suggest offering an option to download the HTML directly, and maybe some brief instructions on self-hosting for mobile (since iOS in particular doesn’t like opening local HTML files)
    • Filekey doesn’t use a Content Security Policy (CSP). I suggest that you add this and block as much as you reasonably can (it’s supported as a header and as a meta tag, I’d do both; the more restrictive CSP applies, and you can even make it dynamically more restrictive). The reason being that this is a foolproof way (at least, as much as the web allows) of blocking network capabilities. This way, you and your users can be reasonably certain that data won’t be leaked.
    • While one can inspect the source code and it’s reasonably readable, I’m assuming that you have some kind of build process in place (if you don’t, may I suggest starting with that). It’d be nice to have a repository one can use to inspect the source code as well as a build process that’s deterministic. This way, one can more easily audit how things work and also be reasonably certain that it hasn’t been tampered with.
    • Nitpick: Since I’m not able to use the app, I wasn’t able to test this, but I noticed that you generate extractable AES keys when they don’t really seem to be exported. For defence-in-depth, the extractable flag should be false.

I see that you’re working on version 2, so I hope that these comments may be useful to incorporate into that.

1 Like
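
The extractable-flag point in the post above, as an added example that is not part of the thread and not Filekey's code: it derives the same AES-GCM key twice from a stand-in PRF output, once with `extractable` set to true and once false, and shows that only the first can be exported. The HKDF step, the `info` label and the function names are assumptions made for illustration.

```javascript
// Added example, not Filekey's code. deriveFileKey and tryExport are hypothetical names.
// prfOutput stands in for the 32-byte WebAuthn PRF result; here it is constructed
// random data so the block runs without an authenticator.

async function webCrypto() {
  // Browsers and recent Node expose globalThis.crypto; older Node needs the import.
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// Assumption: HKDF-SHA-256 turns the PRF output into an AES-256-GCM key.
async function deriveFileKey(prfOutput, salt, extractable) {
  const { subtle } = await webCrypto();
  // WebCrypto requires HKDF input keys to be imported as non-extractable.
  const ikm = await subtle.importKey('raw', prfOutput, 'HKDF', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'HKDF', hash: 'SHA-256', salt, info: new TextEncoder().encode('example file key') },
    ikm,
    { name: 'AES-GCM', length: 256 },
    extractable, // the flag under discussion
    ['encrypt', 'decrypt']
  );
}

// Reports whether script running in the page could read the raw key bytes.
async function tryExport(key) {
  const { subtle } = await webCrypto();
  try {
    const raw = await subtle.exportKey('raw', key);
    return { exported: true, bytes: raw.byteLength };
  } catch (err) {
    return { exported: false, error: err.name };
  }
}

async function demo() {
  const c = await webCrypto();
  const prfOutput = c.getRandomValues(new Uint8Array(32)); // constructed stand-in
  const salt = c.getRandomValues(new Uint8Array(16));
  const iv = c.getRandomValues(new Uint8Array(12));
  const loose = await deriveFileKey(prfOutput, salt, true);
  const strict = await deriveFileKey(prfOutput, salt, false);
  // The non-extractable key still encrypts and decrypts normally.
  const plaintext = new TextEncoder().encode('constructed sample file contents');
  const ct = await c.subtle.encrypt({ name: 'AES-GCM', iv }, strict, plaintext);
  const pt = await c.subtle.decrypt({ name: 'AES-GCM', iv }, strict, ct);
  return { loose: await tryExport(loose), strict: await tryExport(strict),
           roundTrip: new TextDecoder().decode(pt) };
}
```

A non-extractable key can still be used by any script in the page while the `CryptoKey` object is alive, so the flag limits key theft, not misuse, and complements the CSP suggestion rather than replacing it.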
  1. Crazy coincidence! Your tool looks cool, and reminds me of Portable Secret, which was one of my inspirations for starting to create security tools. Thanks for taking the time to look at Filekey!
  2. Do you remember what browser you used? Unfortunately passkeys+PRF are only supported by certain browsers and password managers. I think we could make it clearer in the interface though with the failure message what the requirements are so people aren’t confused. We had considered fallbacks, but we really are trying to get away from passwords.
  3. You can make PWA updates explicitly user opt-in to prevent this. We did this approach for our other privacy app BitNote and we intend to bring it over to filekey.
  4. Agreed. It’s on the to-do list. We have a very strict CSP for BitNote, so we are familiar with the benefits.
  5. Agreed, a repo would be nice, and I’ll be building one out soon.
  6. Agreed, thanks for pointing that out.

Thank you for your response.

That’s pretty cool. Do you have reference material about this, or could you point me to the parts in BitNote that implement this? I wasn’t aware that this was possible (one of the ways I thought this usually breaks is that the service worker source itself can’t be intercepted, and browsers may refresh the SW every ~24 hours or so).