HMAC-Secret-Extension En/Decryption
- Enter the name/concept of the feature being requested
HMAC-Secret-Extension En/Decryption
Feature function
- What will this feature do differently?
I recommend this feature for desktop or mobile app users, where the
application will visit the correct URL on the user’s behalf. The app will
ask the user to type in their password and plug in their hardware key.
The hardware key reads a master seed from the encrypted database
and outputs an HMAC-SHA1 challenge response. This response is
appended to the user’s password. This forces the attacker to steal
the physical hardware key and strengthens the bitwise entropy of the
final password used for encryption/decryption. Since the seed changes
after each decryption, the HMAC-SHA1 challenge response also changes.
This is a feature KeePassXC has that convinced me to use it over all other
options. If Bitwarden adds an option like this for Desktop and Mobile app
users, I would be more willing to consider using Bitwarden.
Related Topics
- Are there any related topics that may help explain the need and function of this feature?
Yubikey; HMAC-Secret-Extension
- Are there any references to this feature or function on other platforms that may be helpful?
References:
[1] KeePassXC on HMAC-Secret Extension Documentation and FAQ - KeePassXC
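
The challenge-response flow described in the request, as an added sketch that is not part of the original post and is not KeePassXC or Bitwarden code. Assumptions: the hardware key is simulated in software by `key_response`, PBKDF2 stands in for the vault's real key-stretching function, and the header tag and all function names are hypothetical.

```python
import hashlib
import hmac
import os

def key_response(device_secret: bytes, challenge: bytes) -> bytes:
    """Software stand-in for the hardware key's HMAC-SHA1 slot (20-byte output)."""
    return hmac.new(device_secret, challenge, hashlib.sha1).digest()

def derive_key(password: str, response: bytes, seed: bytes) -> bytes:
    # The response is appended to the password before key stretching.
    # PBKDF2 is an assumption, chosen because it ships in the standard library.
    material = password.encode() + response
    return hashlib.pbkdf2_hmac("sha256", material, seed, 100_000)

def seal(password: str, device_secret: bytes) -> tuple[bytes, bytes]:
    """Re-encrypt with a fresh seed; seed and tag are stored in the file header."""
    seed = os.urandom(32)  # the seed is the challenge sent to the key
    key = derive_key(password, key_response(device_secret, seed), seed)
    tag = hmac.new(key, b"header-check", hashlib.sha256).digest()
    return seed, tag

def unlock(password: str, device_secret: bytes, seed: bytes, tag: bytes) -> bool:
    """Recompute the key from the stored seed and verify it against the tag."""
    key = derive_key(password, key_response(device_secret, seed), seed)
    expected = hmac.new(key, b"header-check", hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

if __name__ == "__main__":
    secret = os.urandom(20)  # constructed device secret, never leaves the key
    seed1, tag1 = seal("correct horse", secret)
    print("right password + right key:", unlock("correct horse", secret, seed1, tag1))
    print("right password + other key:", unlock("correct horse", os.urandom(20), seed1, tag1))
    # A response captured for seed1 does not match the challenge of the next file.
    seed2, _ = seal("correct horse", secret)
    print("response reused after reseal:",
          key_response(secret, seed1) == key_response(secret, seed2))
```

The device secret never appears in the stored header; only the seed and the verification tag do, so the password alone cannot reproduce the key.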