You can use your VivoKey Spark, Spark 2, or Apex with the Verify app. These options use the Verify API to authenticate the chip and access the vault. If you want fully autonomous / offline operation you can use the FIDO2 app on Apex or flexSecure. Other FIDO2 tokens that support CTAP2.1 and the hmac-secret extension can also be used, but Apex / flexSecure are the target FIDO2 tokens for this application, so support for compatible 3rd party tokens is coincidental.
I’ve literally added more features and FIDO2 support since recording the video above, so there are more goodies and settings available that are not shown in the video. What features? Gotta get it to find out.
Ah yeah, I forgot to change the keyboard launcher... I will update soon.
Unfortunately no; if FIDO2 is on the token it will default to that. Technically this is better for you as it’s offline, but if you want to avoid the PIN issue I could explore adding PIN caching similar to how NFC Passkey Bridge does it.
So I watched the video... what does this actually do? Where are the files stored? Are they encrypted? What makes it a “vault”? What happens if the API is down, will that make your files inaccessible?
It creates an encrypted repository for files on your phone that sits inside the current app and OS encryption mechanism... an extra layer of security for when things happen like “government employees” imaging your phone, or other people having access to your phone periodically (shared phone scenarios, family phone use, etc.), or if you lose your phone and someone is able to leverage various workaround tools to access it.
Yep. They stay encrypted “on disk” and decryption happens in chunks on demand when file access is requested.
The files are only accessible when the vault is “unlocked”. When it’s locked, the files are not accessible to the file system or the app.
Yep, unless you use FIDO2 on Apex or flexSecure, then it’s fully offline. This allows Spark users to use the Vault but add a FIDO2 backup if they want... even a J3R180 card with the FIDO app loaded would work as a backup.
I guess another interesting aspect of this is the backup and import/restore function. Effectively, you could create little encrypted file bundles by putting files in a vault, exporting it to a .vkv file, and then only people with the associated chips could import the contents.
So, for example, you meet up with someone and add their chip to a vault along with yours. Now you could put files in, export the .vkv file, send it to them, then they could restore / import. The same goes in reverse.
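To make the offline FIDO2 path and the "add their chip to a vault along with yours" scenario concrete, here is an added illustration of how a vault can be unlocked purely from a token's CTAP2.1 hmac-secret response and opened by any of several enrolled chips. This is example code written for this thread, not VivoKey Vault's own implementation, and the key-slot layout, the `vkv-wrap` / `vkv-mac` labels and the `SimulatedAuthenticator` class are all assumptions; a real Apex or flexSecure would be driven over CTAP2 (NFC/USB) with the salt sent encrypted under the PIN/UV auth protocol, which is omitted here.

```python
# Added illustration, not VivoKey's code: an offline vault unlock built on the
# FIDO2 CTAP2.1 hmac-secret extension, with one key slot per enrolled chip.
# The token is simulated; the slot layout and labels below are assumptions.
import hashlib
import hmac
import os
from typing import Optional


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256 (extract then expand), standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class SimulatedAuthenticator:
    """Stand-in for a FIDO2 applet. Per CTAP2.1 hmac-secret, each credential
    carries a CredRandom that never leaves the token; a getAssertion carrying
    the extension returns HMAC-SHA-256(CredRandom, salt)."""

    def __init__(self) -> None:
        self._cred_random = {}  # credential id -> CredRandom (token-internal)

    def make_credential(self) -> bytes:
        cred_id = os.urandom(16)
        self._cred_random[cred_id] = os.urandom(32)
        return cred_id

    def hmac_secret(self, cred_id: bytes, salt: bytes) -> Optional[bytes]:
        """None when this token does not own cred_id (a real token would
        answer getAssertion with CTAP2_ERR_NO_CREDENTIALS)."""
        if len(salt) != 32:
            raise ValueError("hmac-secret salts are 32 bytes")
        cred_random = self._cred_random.get(cred_id)
        if cred_random is None:
            return None
        return hmac.new(cred_random, salt, hashlib.sha256).digest()


def new_vault():
    """Returns an empty vault header and a fresh data-encryption key (DEK).
    File chunks are encrypted under the DEK; the header only ever stores
    wrapped copies of it, one per enrolled chip."""
    return {"slots": []}, os.urandom(32)


def enroll_chip(header, dek: bytes, token: SimulatedAuthenticator, cred_id: bytes) -> None:
    """Wraps the DEK under a key-encryption key (KEK) only this chip can
    recompute: KEK = hmac-secret(cred_id, salt). Salt and nonce are stored in
    clear in the header; without the chip they derive nothing."""
    salt = os.urandom(32)
    kek = token.hmac_secret(cred_id, salt)
    if kek is None:
        raise ValueError("token does not own this credential")
    nonce = os.urandom(16)  # fresh per wrap so a KEK never masks two DEKs alike
    mask = hkdf_sha256(kek, nonce, b"vkv-wrap")
    wrapped = bytes(a ^ b for a, b in zip(dek, mask))
    mac_key = hkdf_sha256(kek, nonce, b"vkv-mac")
    tag = hmac.new(mac_key, wrapped, hashlib.sha256).digest()  # encrypt-then-MAC
    header["slots"].append({"cred_id": cred_id, "salt": salt, "nonce": nonce,
                            "wrapped": wrapped, "tag": tag})


def unlock(header, token: SimulatedAuthenticator) -> Optional[bytes]:
    """Tries every slot against the presented chip and returns the DEK on the
    first slot whose tag verifies. Nothing here touches the network: the DEK
    is recovered from the chip's hmac-secret response alone."""
    for slot in header["slots"]:
        kek = token.hmac_secret(slot["cred_id"], slot["salt"])
        if kek is None:
            continue  # chip does not hold this slot's credential
        mac_key = hkdf_sha256(kek, slot["nonce"], b"vkv-mac")
        tag = hmac.new(mac_key, slot["wrapped"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, slot["tag"]):
            continue  # tampered slot, or a token answering for an id it does not own
        mask = hkdf_sha256(kek, slot["nonce"], b"vkv-wrap")
        return bytes(a ^ b for a, b in zip(slot["wrapped"], mask))
    return None


if __name__ == "__main__":
    # Constructed scenario: my chip, their chip, and a third party's chip.
    my_chip, their_chip, stranger = SimulatedAuthenticator(), SimulatedAuthenticator(), SimulatedAuthenticator()
    header, dek = new_vault()
    enroll_chip(header, dek, my_chip, my_chip.make_credential())
    enroll_chip(header, dek, their_chip, their_chip.make_credential())
    # The header (plus the ciphertext) is what an exported bundle would carry.
    assert unlock(header, my_chip) == dek
    assert unlock(header, their_chip) == dek
    assert unlock(header, stranger) is None
    print("both enrolled chips unlock the vault; an unenrolled chip cannot")
```

The point of the slot design is that the DEK itself is never derived from any one chip, so adding a second chip means wrapping the same DEK once more rather than re-encrypting the files, and removing a chip is just deleting its slot. The determinism of hmac-secret (same credential, same salt, same output) is what lets the unlock happen with no server involved.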
I just want to comment and specifically praise the detailed cryptanalysis and transparency documented on VivoKey Vault - VivoKey Technologies. Great job.
From what I can see on that page it is possible to have multiple vaults but each one has to be associated with a unique chip. I was hoping for a way to make multiple vaults and have them all open with one Apex
The reason one can’t open multiple vaults (currently) is that there’s a priority to keep the existence of multiple vaults covert. If you were presented with a choice of vaults then it wouldn’t really be covert... at least not in the same way.