A place for developers to talk about building on Farcaster.

/dev

What are the security differences between storing a seed phrase in the following ways:

- Locked note in iCloud
- Password-protected in Keychain like how Rainbow does it
- largeBlob with a passkey in iOS17+

I think I understand the UX implications of each, but curious about the technical side

I like baking /goodbread and building apps on web3 protocols. DevRel @ ENS Labs. gregskril.com

Technowatermelon. Elder Millenial. Building Farcaster. 

nf.td/varun

My general POV is that the security of all three is reasonably good, unless you're storing a life-changing amount of money in the wallet, in which case I would do none of these. 

The UX diffs between them are huge - largeBlobs wins by a big margin.

BDFL of Quilibrium, Eng @ Farcaster, ex-Coinbase, always opinionated, never hydrated

/quilibrium

Interesting, looks like Notes passwords are encrypted but maybe not via Keychain 🤔

Then there's a different "Secure Notes" feature in the Keychain Access app, I wonder if it's using the same underlying tech

Interesting, looks like Notes passwords are encrypted but maybe not via Keychain 🤔

Then there's a different "Secure Notes" feature in the Keychain Access app, I wonder if it's using the same underlying tech https://support.apple.com/guide/keychain-access/store-confidential-information-securely-kyca2268/mac

cc @cassie 

1/ Keychain is a more secure part of the operating system on iOS and macOS vs. Notes is an app, likely more basic password security (likely not encrypted)

Password-protected back up is likely decent encryption, but if you forget the password you're screwed.

- DO NOT USE NOTES. They don't enforce any secure data practices since they are just stored on disk (See Disk risks on right)
- KeyChain is the best option right now
- A PassKey is just replaces your password — It would be something that you could use to unlock your KeyChain (Wallet in crypto)

hmm but my locked notes are securely synced via iCloud

Maybe I’m misunderstanding ?

We have a slide on this in our pitch deck… (except for the locked note).

Apple gave a talk on iCloud security in 2016 at blackhat.

We have a slide on this in our pitch deck… (except for the locked note).

Apple gave a talk on iCloud security in 2016 at blackhat.

https://youtu.be/BLGFriOKz6U?feature=shared

What’s not often discussed with largeBlob is that it gets exposed to the JS context of the requesting page, so malicious JS dependencies can steal the key material stored in largeBlob. This can be ok depending on the context, but it’s much weaker than Keychain storage imho.

Related

https://warpcast.com/dwr.eth/0xef6d810c

Venture Partner at marinventures.com | Security Consultant at horizonslaw.io | Cybersecurity M.S. Candidate at gatech.edu

largeBlob is interesting, I didn't realize that was part of the webauthn spec. Pretty positive implications for e2ee products IMO