Suggestion To Add Support For HMAC Secret FIDO2 Extension Assisted Encryption/Decryption

HMAC-Secret-Extension En/Decryption

  • Enter the name/concept of the feature being requested
    HMAC-Secret-Extension En/Decryption

Feature function

  • What will this feature do differently?

@tgreer @cscharf

I recommend this feature for desktop or mobile app users, where the application will visit the correct URL on the user’s behalf. The app will ask the user to type in their password and plug in their hardware key. The hardware key reads a master seed from the encrypted database and outputs an HMAC-SHA1 challenge response. This response is appended to the user’s password. This forces the attacker to steal the physical hardware key and strengthens the bitwise entropy of the final password used for encryption/decryption. Since the seed changes after each decryption, the HMAC-SHA1 challenge response also changes. This is a feature KeePassXC has that convinced me to use it over all other options. If Bitwarden adds an option like this for Desktop and Mobile app users, I would be more willing to consider using Bitwarden.

Related Topics

  • Are there any related topics that may help explain the need and function of this feature?
    Yubikey; HMAC-Secret-Extension
  • Are there any references to this feature or function on other platforms that may be helpful?


[1] KeePassXC on HMAC-Secret Extension Documentation and FAQ - KeePassXC

[2] Client to Authenticator Protocol (CTAP)
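
The flow described in the request above, modelled as an added Python example that is not part of the original post and is not KeePassXC or Bitwarden code. `SoftToken` is a software stand-in for the hardware key, and the PBKDF2 stretching, the header layout, the check value and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class SoftToken:
    """Software stand-in for a hardware key holding a non-exportable secret."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def challenge_response(self, challenge: bytes) -> bytes:
        # HMAC-SHA1 challenge-response, as named in the post (20-byte output).
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_key(password: str, response: bytes, salt: bytes) -> bytes:
    # The token's response is appended to the password before stretching.
    # PBKDF2-HMAC-SHA256 and the iteration count are assumptions.
    material = password.encode("utf-8") + response
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


def seal(password: str, token: SoftToken) -> dict:
    """Build a header with a fresh random seed; the seed is the challenge."""
    seed, salt = os.urandom(32), os.urandom(16)
    key = derive_key(password, token.challenge_response(seed), salt)
    # Check value stands in for the authenticated encryption a real vault uses.
    check = hmac.new(key, b"header-check", hashlib.sha256).digest()
    return {"seed": seed, "salt": salt, "check": check}


def unlock(header: dict, password: str, token: SoftToken):
    """Return the derived key, or None if the password or token is wrong."""
    response = token.challenge_response(header["seed"])
    key = derive_key(password, response, header["salt"])
    check = hmac.new(key, b"header-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(check, header["check"]) else None


def unlock_and_rotate(header: dict, password: str, token: SoftToken):
    """Unlock, then reseal under a new seed so the next response differs."""
    if unlock(header, password, token) is None:
        return None
    return seal(password, token)
```

A password alone, or a token holding a different secret, derives a different key and fails the check; after rotation the same password and token still unlock, but the response captured for the old seed is no longer the one the header needs.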

FIDO2 hmac-secret key (as opposed to just 2FA) is both secure and convenient if implemented properly. I realize the original poster is asking for hmac-secret as a second factor in encryption, but another thing to consider would be simply using it to decrypt the master key instead of the master password (with possibility to enroll multiple keys, and fallback to the master password). If the key is used with PIN/biometrics requirement, this is already a second factor.

Linux systemd recently added support for FIDO2 in full disk encryption (LUKS) as well: Unlocking LUKS2 volumes with TPM2, FIDO2, PKCS#11 Security Hardware on systemd 248
