Some may remember, I wasn’t a fan of the Spark series. I did not like the fact that VK keeps the keys, and I much rather like the private key approach the Apex line is / will be using.
My very dumbed down mental image of the authentication between a VivoKey spark and the VK servers is that the implant somehow proves it has a shared secret using symmetric encryption (AES). However the actual process might look, they have a shared secret.
This means that VivoKey holds the keys that your spark implants have.
Now is this bad? Yes. But how bad? Well, now it gets interesting.
Before I get to the point I just want to quickly highlight the difference between Apex and Spark in this context.
The Apex can do some more advanced cryptography. This allows it to also prove it has a secret, but it doesn’t need to disclose this secret to VivoKey. It’s called asymmetric encryption, and the point is: VivoKey does not need to keep the keys (if they design it this way, which they most certainly do).
Now let’s talk about “Login with VivoKey”.
When you use this feature on a website, your Spark allows VivoKey to know who you are, then VivoKey tells this service that you are you and you have logged in.
This means VivoKey has the authority over who can log in to what account; it’s only protected on VivoKey’s side. What I mean by that is that it’s not actually the implant that’s talking to the 3rd party service you log in to (AFAIK).
So, what if VivoKey gets hacked? (as in completely, every service etc.)
At first glance there really isn’t a big difference here: the attackers will have access to any account, because VivoKey has the authority for these logins. They can just log in to anything any VivoKey user has connected their implant to. But that’s the same with “Login with Google” and any other identity provider. This is how it works.
Btw I’m not 100% sure if all of this is true, feels like a good spot to say this.
So what security benefit does the Apex line bring in this context?
As I see it, it’s that Apex users can recover, and Spark users can not.
Once Spark keys are lost (which hopefully never happens) they are gone, every Spark can be spoofed now.
This is not true for Apex as VK should only hold the public keys for asymmetric encryption.
So yeah that’s the only real benefit in this case.
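A toy model of the two key-custody designs discussed above (shared secret vs. private key), added here as an illustration and not VivoKey’s actual protocol: the HMAC challenge-response and Ed25519 signatures are assumptions standing in for whatever Spark and Apex really do. The point it shows is which server-side record is enough to answer a challenge on its own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// SymmetricRecord models a Spark-style enrolment: the server keeps the very
// same secret the implant carries. (Constructed model, not VivoKey's scheme.)
type SymmetricRecord struct{ Secret []byte }

// AsymmetricRecord models an Apex-style enrolment: the server keeps only the
// public half of the implant's key pair; the private half never leaves the chip.
type AsymmetricRecord struct{ Pub ed25519.PublicKey }

// SymmetricResponse is the answer an implant computes to a server nonce.
// Anyone holding Secret can compute it, which includes the server itself and
// anyone who has copied the server's database.
func SymmetricResponse(secret, nonce []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(nonce)
	return m.Sum(nil)
}

// VerifySymmetric recomputes the expected response from the stored secret.
func VerifySymmetric(rec SymmetricRecord, nonce, resp []byte) bool {
	return hmac.Equal(SymmetricResponse(rec.Secret, nonce), resp)
}

// VerifyAsymmetric checks a signature over the nonce using only the public key;
// the record contains nothing that could produce a valid signature.
func VerifyAsymmetric(rec AsymmetricRecord, nonce, sig []byte) bool {
	return ed25519.Verify(rec.Pub, nonce, sig)
}

// Enroll creates one implant of each kind plus the matching server records.
// The implant-side material is returned separately to mirror that it stays
// on the implant; only the records are what a server breach would expose.
func Enroll() ([]byte, SymmetricRecord, ed25519.PrivateKey, AsymmetricRecord) {
	symSecret := make([]byte, 32)
	rand.Read(symSecret)
	symRec := SymmetricRecord{Secret: append([]byte(nil), symSecret...)}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return symSecret, symRec, priv, AsymmetricRecord{Pub: pub}
}
```

With the symmetric record alone a valid response can be produced, so a leaked database means re-enrolling every Spark; with the asymmetric record alone it cannot, so the same Apex keys remain trustworthy after the breach.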
Ofc I’m ignoring the huuuuge security bonus that is all the 2FA-related applets.
But that’s another story.
Also, since the platform is being redesigned, idk how much of these thoughts will stay relevant.
You now know Apex doesn’t really increase security that much for VivoKey services (this is excluding things like U2F etc., I mean VK servers). So, will I get a spark? Eh, maybe, but I def was too harsh on it because I didn’t really think it far enough which I now did, I think.