Introducing EnigPass: An Air-gapped Hardware Security Key Research Survey

Hello PrivacyGuides Community,

I’m dark, a computer science university student, a passionate advocate for digital privacy, and the creator of EnigPass. Today, I’m excited to introduce you to a project born out of a deep commitment to enhancing online security and safeguarding personal privacy. EnigPass is an air-gapped, FIDO2 passkey authenticator designed to offer a secure, passwordless login experience. Inspired by the principles of air-gapped security, our mission is to provide a tool that empowers users to protect their digital identities effortlessly.

About EnigPass:

At the heart of EnigPass is a commitment to providing a transparent, free and open-source, and air-gapped security solution through QR code scanning, inspired by the Bitcoin SeedSigner. We understand that many in our community seek alternatives to proprietary security keys due to concerns over their non-disclosure agreements (NDAs) and closed-source nature. EnigPass is designed to meet this need by offering a secure, passwordless login experience through an entirely DIY approach and leveraging QR code technology for private air-gapped FIDO2 authentication. By eliminating traditional passwords, EnigPass aims to mitigate common security threats such as phishing and data breaches, empowering users to protect their digital identities in a way that aligns with the principles of openness and user control. The project is currently in the development stage, and we are dedicated to refining EnigPass with the highest standards of security and user-friendliness, all while ensuring the process and technology remain transparent and accessible to those who value the DIY and air-gapped approach to hardware security.

Why Your Feedback Matters:

The PrivacyGuides community, known for its discerning understanding of privacy and security issues, is the perfect audience to help us refine EnigPass. Your insights, critiques, and suggestions will be invaluable as we strive to create a tool that truly meets the needs of privacy-conscious users. To gather your feedback, we’ve prepared a short survey that should only take a few minutes to complete. Your responses will directly influence the development of EnigPass, ensuring it aligns with the real-world needs and concerns of users like you.

Individuals: EnigPass: An Air-gapped Hardware Security Key using an Information-Theoretically Secure Algorithm

In addition to reaching out to the broader PrivacyGuides community, I’ve also prepared a separate survey link specifically for the PrivacyGuides team members. Your work has been a cornerstone of my journey in understanding and valuing digital privacy and open-source principles, even back when you guys were still privacytools.io. It’s not an exaggeration to say I wouldn’t have my passion for defending privacy in the digital world and cybersecurity without you guys guiding me and countless others for years now. The guidance and insights provided by the PrivacyGuides team have been instrumental in shaping not only my perspective on privacy and security but also in inspiring the creation of EnigPass. It would be an immense honour, and I would be deeply humbled, to have your expert feedback on this project. Your insights will be incredibly valuable in refining EnigPass to ensure it truly meets the high standards of privacy and security that PrivacyGuides embodies.

PrivacyGuides Team: EnigPass: An Air-gapped Hardware Security Key using an Information-Theoretically Secure Algorithm

Looking Forward:

We’re not just seeking feedback; we’re inviting you to be part of EnigPass’s journey. Whether through completing the survey, sharing your thoughts below, or suggesting ideas for improvement in the survey, your engagement can help shape the future of digital privacy and security.

Thank you for considering participating in this exciting phase of EnigPass. We can’t wait to hear your thoughts and work together towards a more secure digital world.

Best regards,
dark

Note to the Privacy Guides team

Why can this user post in the Project Showcase category even though he isn’t in the @developers group? Am I missing something?

This post was approved by the team, the author reached out to us and we’ve reviewed the questions in the questionnaire. The questionnaire is for a university study and we will likely fill it out ourselves.

Very happy to hear that our work inspired you down this path. It’s an interesting topic on its own; a lot of developers don’t really think about a privacy-first design, which has actually been suggested in Privacy Guides for developers?


Yes, in fact, my team and I are planning to release it as free and open-source software under the AGPLv3 copyleft free software license for the Authenticator software running on the RPi Zero, and GPLv3 for the QRBridge browser extension and, if time allows us, the mobile app version, right when we start our alpha testing stage a few months from now. I do believe that privacy-first design should really be baked in even before the development stage begins, which we carefully did, ensuring that every feature and implementation decision was made with privacy as the top priority.


I shared more details in your survey as well. But I believe this idea is somewhat flawed.

If you teach people to scan QR codes to authenticate, it allows someone to execute a man-in-the-middle attack. This could be done by proxying the QR code and displaying it on a phishing website. If that shares the credentials back to the attacker who has your add-on installed, that could grant them access.

The entire idea of passkeys / FIDO2 is that it is phishing-resistant. I believe your current solution does not provide this security.

I might have missed something in your design leading me to this assessment, so feel free to challenge me.
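The property the comment above appeals to, phishing resistance through origin binding, as an added example that is not part of this thread or of the EnigPass project: a minimal relying-party (RP) check in Python of the `origin` field of a WebAuthn `clientDataJSON` and the `rpIdHash` prefix of `authenticatorData`, run over three constructed ceremonies. The RP id `example.com`, the allowed origins, the `phishing.example` origin and the ceremonies themselves are all constructed for illustration; signature verification is omitted so the origin-binding checks stand out.

```python
import base64
import hashlib
import json
import os

# Constructed relying party (RP) identity; not from EnigPass or any real deployment.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data_json(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as a user agent would hand it to an authenticator (constructed)."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    ).encode()


def make_authenticator_data(rp_id: str) -> bytes:
    """authenticatorData: 32-byte SHA-256(rpId) || 1 flags byte (UP set) || 4-byte sign count."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (1).to_bytes(4, "big")


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> tuple[bool, str]:
    """The origin/rpId checks an RP performs on an assertion (WebAuthn spec, section 7.2).

    Signature verification over authenticatorData || SHA-256(clientDataJSON) is omitted;
    this isolates the checks that give FIDO2 its phishing resistance.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} not allowed"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != RP_ID_HASH:
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo() -> dict:
    """Three constructed ceremonies that share one RP-issued challenge."""
    challenge = os.urandom(32)
    results = {}

    # 1. The browser really is on the RP's page: the user agent writes the true origin,
    #    and the authenticator hashes the matching rpId.
    results["legitimate"] = verify_assertion_binding(
        make_client_data_json("https://example.com", challenge),
        make_authenticator_data(RP_ID), challenge)

    # 2. Standard WebAuthn on a look-alike page: the user agent records the page's true
    #    origin and rpId, so the RP rejects the assertion although the challenge is fresh.
    results["relayed_by_browser"] = verify_assertion_binding(
        make_client_data_json("https://phishing.example", challenge),
        make_authenticator_data("phishing.example"), challenge)

    # 3. An authenticator that signs whatever it is shown, with the origin copied from a
    #    scanned code instead of observed by a user agent, produces bytes identical to
    #    case 1. The RP cannot tell them apart, so phishing resistance now rests entirely
    #    on the component that wrote clientDataJSON.
    results["relayed_via_scanned_code"] = verify_assertion_binding(
        make_client_data_json("https://example.com", challenge),
        make_authenticator_data(RP_ID), challenge)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:26s} -> {'accept' if ok else 'reject'} ({reason})")
```

The design point the third ceremony illustrates is that the RP-side check is only as strong as the party that fills in `origin`: in browser WebAuthn that is the user agent, which cannot be talked into naming a site the user is not on, whereas any scheme in which the authenticator learns the origin from data it is shown (a QR code, a pasted string) inherits the trustworthiness of whatever produced that data.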