Emergency Access for the Secret Circle (SSS w/ some flair)

Emergency Access Currently

Right now Emergency Access grants access to your vault, with the only check being time. However, if you’re temporarily incapacitated or not connected to the internet, you could miss the prompt to deny Emergency Access from your grantee.

The Secret Circle

What I propose is a version of Shamir Secret Sharing where you would form a group of trusted individuals (the Secret Circle). Each trustee would have to be a Bitwarden user. They would all put their master passwords in a vault, and then the vault would be encrypted and its key would then further be encrypted and split into multiple shares.

Each trustee could then invoke an access request to Bitwarden, who then would send a notification to everyone in the Secret Circle explaining who has requested access to the shared vault. The trustees could then vote privately whether or not to grant access. If the Circle decides to grant access, then they submit their share and if they meet a predetermined threshold (say 3/6 or 2/3 shares), Bitwarden gives the trustee access to the vault.

Use Cases

Password Managers hold a vast amount of our most private data, passwords to: bank accounts, emails, phones, laptops, PCs, etc. By sharing access to your vault, you make yourself more resilient, in that if you are left incapacitated, your loved ones could get access to your devices and accounts to respond accordingly.

This is covered by the current Emergency Access implementation; however, if your grantee were to have ill intent or, more likely, their account becomes compromised, this can in turn make your vault vulnerable to attack.

By implementing a Secret Circle you can protect against the single point of failure of a single grantee.

Pros

  • Greater security in the event of a rogue grantee.
  • Greater resiliency in the event of a couple both being incapacitated.
  • Great Marketing point, Secret Circle, sounds cool.

Cons

  • Greater complexity when setting up.
  • Requires you to have n friends.
  • The shared master vault contains everyone’s master passwords, so not able to implement principle of least privilege.
  • Bitwarden now holds the responsibility to hold the vault and ingest the correct number of shares to allow access.
  • Government order could compel Bitwarden to notify them when a shared vault has been requested to be unlocked and then intercept shares once they are sent to Bitwarden.

Possible Improvements

  • Everyone holds a copy of the shared vault. Bitwarden doesn’t need to hold the vault and supervise the key share process. (This however allows trustees to convene in secret.)

  • A smaller ratio of shares is needed to grant access to a single trustee’s master password; all or a supermajority of shares must be brought together to grant access to everyone’s master passwords at once. (This would require an impartial supervisor to grant access.)

Example

John and his wife, Jane, have gone missing off the coast of Gibraltar. Their friends and family are worried and need access to their accounts. They know they need to get a court order or a death certificate to get access to the couple’s accounts. However, the now international investigation will take time.

The facts are unclear and yet there is an immediate need to get access to their accounts: they need to shut off utilities for their unoccupied home, they need to freeze bank accounts, track phones, look at travel itineraries, etc.

Their Secret Circle consists of John, Jane, his close friend Franklin, and Jane’s sister. Jane’s sister contacts Franklin and invokes Emergency access, Franklin agrees and the threshold of 2/4 shares is met. Jane’s sister is able to get into Jane and John’s accounts without having to wait for the investigation to complete or waiting for a temporary order from the courts.

Inspiration

I recently watched a talk by DeviantOllam talking about a “Secret Lawyer” who acted as the holder of the secret (secret being his close friends group’s master passwords to their respective password managers).

The lawyer would hold their passwords, and if one of the group decided they needed access to another member’s password manager, they would contact the Secret Lawyer and the Secret Lawyer would in turn contact the rest of the group to see if she should grant their request. The group would then vote on whether or not they presented a valid reason to get the password and she would act accordingly.

This of course would be a great solution, but being too poor to afford to keep a lawyer on retainer, I figured some cryptography scheme could close the gap. Bitwarden already has Emergency Access, why not take it a step further?

Links

https://crypto.stackexchange.com/a/54169 #an explanation of the theoretical strength of SSS
https://www.geeksforgeeks.org/shamirs-secret-sharing-algorithm-cryptography/ #the math behind it
https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing # high level overview
https://www.youtube.com/watch?v=6ihrGNGesfI # DeviantOllam's talk on preparedness, relevant section at 1:05:40