1 comments

  • floathub an hour ago

    Hi HN. We use YubiKeys on desktops/laptops with pass/password-store, and have been fiddling with various ways to get them to work on our phones and tablets for a long time. Sort of dawned on us that since the Apple secure enclave gives the same sort of "non-extractable" protection as a YubiKey does, we could just use that. Paired with touch/face-id, seems like a pretty good YubiKey alternative for a mobile app. Since we could not find an iOS password-store client that uses the secure enclave, we wrote one.

    Bit of a fiddly setup process (see https://github.com/modiotlabs/sepass#using-the-app), but otherwise we're finding it very useful.

    Really appreciate any feedback on this, especially potential vulnerabilities or weak approaches we are taking. We are not full-time cryptography/security experts, so would particularly like to see a hearty critique of how we've gone about this from anyone who is.