2SV and AxCrypt

[Jason]

Dear Developers,

I have been toying with the new version of AxCrypt and I noticed that when signing up for an account there is no option for 2-Step Verification. This is becoming more or less standard now on most websites especially security-related sites.

It’d be nice to see an optional feature on the web interface allowing the use of a TOTP/HOTP. There are lots of open source libraries out there which allow integration of a Google Authenticator 2SV system and this is universally compatible with most 2SV apps (including Authy).

The suggestion better protects the account because:

• You have a rudimentary password manager which needs better protecting [2SV would increase security]
• It would require 2SV confirmation to reset password / delete account [emails can be intercepted]
• If the AxCrypt password is saved in the web browser, it’d require the extra code prior to login

It’s not foolproof but it appreciably increases security in those scenarios.

[SvanteSpectator]

Hello Jason,

Thanks for the input! However, there’s a fundamental difference between authentication (with any number of factors) and encryption. I’ve written a longer text on this here: https://forum.axcrypt.net/blog/encryption-vs-authentication/ .

Svante

[Jason]

I know there’s a difference between authentication and encryption but my suggestion was mainly concerned about access to the web interface.

Many online password managers have 2SV or 2FA and they’re also zero-knowledge. The second step/factor is added to make it that little bit more difficult.

[SvanteSpectator]

Hello Jason,

Well, some of the web access does require knowledge – specifically the online password manager. We will be working on a more complex model in the future where indeed we’ll have a ‘zero knowledge’ protocol for all that can work that way, and not require sending any passwords to the site.

Most components for this are in place already, but it’s still non-trivial to implement so it’ll probably take a little while more.

[Author]

Posts