June 2022 VivoKey Apex Flex update

But in those scenarios… your just using the apex to log into a cloud password manager?

Not actually stored local to the apex?

You can store an offline/local Keepass database, and unlock it using the hmac-sha1 applet.

even though apex has a lot of storage (80kB) compared to the NExT or even the xDF2 / flexDF2 (8kB) … it’s still a far cry from what would be needed to store a ton of password data. This is why the Apex will not likely ever have a natively stored password database. The best bet will be to use Apex as a key to access / decrypt an encrypted password database of some kind… either access to a cloud based password manager, or literally decrypting a password database file like how Keypass works.

One option is to store encrypted secrets in NDEF text but you still won’t fit much.

ndef is quite wasteful actually… if you have to have a special app or something to decrypt, then you might as well sort yourself out a raw storage applet and write your own interface for it. that way you could store raw binary without need for message and record headers etc… but still, it’s not likely to be worth doing at all because of the limited number of site credentials you could store.

to make it work you’d have to store not only the username and password for the site, but also the url of the site so you know which website the credentials are for… and maybe you could do some substitution for username … like ^1 means username 1 which is like my@email.bro and ^2 means other@email.hah or whatever… but still you would run out of room pretty fast.

I guess I was underestimating storage requirements
I was thinking 50 or so… website user password

I guess I’ll have to consider cloud stuff

But doesn’t that add a point of vulnerability? Like didn’t keepass or someone get hacked recently?

1 Like

if implemented correctly and used with a strong master key, the vault file itself can be public.
The Apex can provide strong keys in a secure way.

But you’d still need an app on your phone to interact with the apex to log into the cloud manager?

I liked the idea of not needed anything on the phone, being able to just use a random phone if needed

Not a deal breaker, just need to reevaluate… I was hoping for something lower friction for my non programmer brain

kinda? but also not really… so AES is typically what’s used to secure large amounts of data because public key crypto is notoriously slow. sometimes PKI can be used to encrypt an AES key and then that key is used to decrypt the larger data volume… but anyway, if you have an encrypted database of passwords you can, in theory, make it public… put it on 20 websites… sync it across dropbox, google drive, and several computers… and as long as the encryption algo isn’t compromised, it’s fine…

so often “hacked” means some other aspect of implementation has been compromised, not the actual encryption… so like, someone gets remote access to your computer, then you decrypt your password database to use it, and they take a copy of the decrypted database… that’s a possibility… but if your computer is already compromised you’re already in a bad spot because even if your passwords were on your apex, they could just collect them as you used them.

this would not be really possible unless you wanted to just read raw text data from an NDEF record and then pick through it to find your passwords… if it’s even possible… i mean if you want to require no apps at all on the phone then the phone OS is left to do whatever it feels appropriate to display the text record on screen… and it might not even display the entire text record… or it might not allow text selection and copying to clipboard… and the whole password database would be clear text on your implant for anyone to read and make a copy of.

it’s just not pragmatic… it’s kind of like people who demand their password database must be usable offline… when 99.9999% of the passwords stored in the database are all for online cloud services… the requirement of needing to access it with a phone that has no apps on it seems kind of obtuse… know what i mean?

1 Like

Keepass is offline though, and you can use a key file + your implant for extra extra security if you wanted.

I think keepassXC even supports syncing offline over USB so you could sync your db between phone and pc, without it going online

1 Like

You wouldn’t be able to do anything more than plaintext NDEF on a phone without app.
In theory, there is Web-NFC, but that’s only supported on some browsers on some android phones. And Limited to NDEF. So for something that deserves the name “password manager”, you need a native app if you want to do it correctly

To be clear, none of this was a criticism or me being obtuse… I’m just trying to make heads or tails of it

A solid point, I just like local storage when possible, prevents weirdness like not being able to access something due to a ddos, or a server is down… also harder to steal something if it’s not on the net in general

Not a deal breaker, I just misunderstood some stuff… and am still trying to learn

The required app thing was just me thinking, if I lost or forgot my phone… I could use a friends to retrieve a password if I needed… , but I don’t think I’m willing to go plain text to achieve that lol

1 Like

no problem… happy to hash it out with you :slight_smile:

yeah… my thought here is that if you have a solution that relies on an app and that app is made available via the normal published app stores, and maybe as a apk sideload via any of the alternative app stores out there… then it’s not too big a hurdle to borrow a phone and ask to install the app there so you can access your stuff… but honestly in today’s world, old phones are a common junk drawer denizen… I have two old phones on my desk right now… each of them has the fidesmo app on it… for example. Access to a phone so you can use your implant and log into online services isn’t all that difficult to come by for most people… but not all people.

1 Like

I use a self hosted bitwarden install that uses my vivokey key U2F for 2 factor validation. It works well. And feels less cloud when it’s self hosted.

Is this vaultwarden?

It is! And works great. I have my whole family on my install.

1 Like

Will have to do some testing and compare to 1Password. Thanks for the recc.

Is KeePassXC available on Google play for Android devices? I see a couple apps related to keepass but with different names by different developers. Wasn’t sure if this was a side loaded app or was available somewhere else.

I’m just trying to figure out the best password manager to use with Apex.

Keepass2Android is the name of the app I use on android :blush: