Questions - clarification about security (storage on device, sign in after use) #337
Hello,
I have a couple of questions about the Android app:
How are the token secrets stored on device? (Is it using e.g. Android Keystore? Own encryption? Plaintext?)
If I start using the app in offline-only mode (i.e. without an account), and then later go into settings and choose to sign in (or create an account), what happens to all the existing tokens that are already saved? Will they be automatically saved to the new account? Or will they all be erased? The significance of this is whether or not somebody can exfiltrate the tokens just by logging in or creating an account on a device that already has local-only tokens saved.
Apologies that this does not fit the usual format for an issue, but I hope this might be useful info for others too.
Thanks!
Comments
Hey @corobin, thank you for your genuine questions. Sorry for the delay in the response.
You have raised a very valid concern. To reduce the risk, we will add on-device auth whenever the user clicks on
Thank you for the detailed response.
This is excellent!
Thank you for the very prompt response to address this! In my other enhancement request I just added some more context about the recent Authy leak to illustrate the case for stronger protections for secret export #338 (comment), but I understand that is more complicated and will take time if and when you choose to implement it. So the patch of integrating the existing device auth workflow into account sign in is a great step. Thanks!