Other than the price, it ticks all the boxes. 100 bucks is prohibitive, especially if you need multiple backups.
Login to reply
Replies (14)
desktop only, though :(
Yeah, it does lots of fancy stuff. The biometric ability seems to have a floor price of $20, at least based on a quick amazon search: https://www.amazon.co.uk/usb-fingerprint-reader/s?k=usb+fingerprint+readerhttps://www.amazon.co.uk/usb-fingerprint-reader/s?k=usb+fingerprint+reader
If building / using a thing like this one might consider having backup in some sort of other kind of device that don't require the biometric, just for cheaper backups.
Yeah. The Yubico devices with NFC tags (that work on mobile) lack biometrics.
Is PIN entry not an option? Couple of buttons could be cheaper than biometrics.
No one will remember them :(
ah, look! yes, and in a reasonable price range as well. This is doable! Open-sourceing a solution that would work on any USB is how to do it; and then recommend some different hardware like this Lexar you found
Amazon.com: Lexar® JumpDrive® Fingerprint F35
Amazon.com: Lexar® JumpDrive® Fingerprint F35
I may get one to play with. Needs Windows for setup, though. 😢
What does the display need to show?
Oh I meant the USB drive. The phone doesn't need to show anything other than "Restore?"
In my use case, yes. The idea is to just have a secured backup for the private key.
I keep thinking about this. You said the restoration device would be left with trusted friend(s). So let the friend do the verification. Two keys needed to restore the account. Perhaps two TOTP codes, generated by two yubikeys. The friend won't give their TOTP out if it's not the owner of the account. TOTP lets them verify the person remotely if needed. The account owner goes for their stashed key, friend gives it to them, owner TOTP goes in, friend TOTP goes in, account restored. Tie all these various codes to the account during initial setup.
We can't let a friend have any roles on the recovery process because that creates legal liability on the friend to keep the information (which is medical) secure. In the US, if a friend has access, the friend must be HIPAA trained and compliant. So, instead, what we want is to use the friend's physical security to host encrypted information that only the owner of the account can decrypt.
Ah I see. I didn't realize it was that formal. Dang, biometrics is the way, then. Back to square one.