undefined | Better HN

0 pointsjeroenhd2y ago0 comments

I imagine this should be possible with a very small connector addon that calls out to a secure wallet running on the desktop as a native application.

This requires some careful consideration to prevent phishing and other nastiness, but a native application could use native window prompts and techniques such as Windows Hello/TouchID as an authentication technique that's hard to spoof.

The complexity and risks are still there but you can hide away the important secrets much better with a native application than a browser extension ever could. It would also allow access to better sources of randomness and all kinds of sandboxing and exploit protection that aren't available with WASM.

0 comments

nailer2y ago

Crypto wallets also have access to the secure enclave via webauthn. I develop a new wallet (Portal) which will have webauthn but I know Glow uses Windows Hello right now.

lxgr2y ago

Yes, but WebAuthN can't be used for arbitrary signatures (which would be required to support various cryptocurrencies/blockchains), nor can it be used to decrypt data or derive keys, which would allow using it as an unlocking key for some hybrid solution.

I'm happy to be proven wrong if you've found a way around these fundamental constraints!

jeroenhdOP2y ago

Interesting! Does the WebAuthn API provide enough of a cryptographic basis to fulfill the needs of cryptocurrency wallets?

I know it works through public/private key sharing but I wasn't aware that it provides such direct primitives.

lxgr2y ago

It doesn't, at least not for generic/unmodified cryptographic applications.

WebAuthN signatures are of a very specific challenge/response format [1] that applications need to explicitly support. For example, SSH had to add new key and signature formats [2] to support it.

Theoretically, a blockchain/cryptocurrency application could adopt the WebAuthN signature format as its canonical or an alternative signature format, but I'm not aware of any popular one having done so.

[1] https://developers.yubico.com/WebAuthn/Concepts/Using_WebAut...

[2] https://github.com/openssh/openssh-portable/blob/master/PROT...

1 more reply

j / k navigate · click thread line to collapse

0 pointsjeroenhd2y ago0 comments

I imagine this should be possible with a very small connector addon that calls out to a secure wallet running on the desktop as a native application.

0 comments

nailer2y ago

Crypto wallets also have access to the secure enclave via webauthn. I develop a new wallet (Portal) which will have webauthn but I know Glow uses Windows Hello right now.

lxgr2y ago

I'm happy to be proven wrong if you've found a way around these fundamental constraints!

jeroenhdOP2y ago

Interesting! Does the WebAuthn API provide enough of a cryptographic basis to fulfill the needs of cryptocurrency wallets?

I know it works through public/private key sharing but I wasn't aware that it provides such direct primitives.

lxgr2y ago

It doesn't, at least not for generic/unmodified cryptographic applications.

WebAuthN signatures are of a very specific challenge/response format [1] that applications need to explicitly support. For example, SSH had to add new key and signature formats [2] to support it.

[1] https://developers.yubico.com/WebAuthn/Concepts/Using_WebAut...

[2] https://github.com/openssh/openssh-portable/blob/master/PROT...

1 more reply

j / k navigate · click thread line to collapse