Feature request -> Hardware token

[Rusty-Weasel]

Would be nice to see future support for hardware token, like nitrokey, yubikey and else,
as 2FA oder MFA should be standard nowadays.

[alexylon]

Thanks for the suggestion — this is something I'd like to add, and FerroCrypt was designed with it in mind, so it shouldn't require starting from scratch.

I can't promise it will make it in, since the current focus is finishing the next version. That said, it's definitely something I'm interested in exploring.

To help shape the idea: which device(s) do you use, and would you prefer the key alone to unlock a file, or the key plus a password, with both required?

[Rusty-Weasel]

To help shape the idea: which device(s) do you use,

Devices:

• nitrokey 3A/3C NFC
• nitrokey 3A/3C mini
• some old yubikey's

and would you prefer the key alone to unlock a file, or the key plus a password, with both required?

depends on usecase, i think for future both should be available, the most important target should to get min. 2FA (Passwort + HW Token, or other combination) or perhaps later MFA (pw + hw token + pin = 3 Faktor)

let see, at moment you have just password or key pair, next option would be hardware token,
based on hw token you have further different option, like ->

• just tap it,
• tap it + pin code,
• password + tap it + pin code
• etc

there are many options, but it should also be well useable, one tap it + pin for a folder should be useable as example, the same for every file would perhaps a nightmare, as it depend on usecase and criticallity, perhaps also both needed at same time...

if we look at nitrokey documentation, there are different ways, but not all use the secure chip on hardware, further in compatiblity with other hw token like yubikey or else, i think the best tradeoff between useability and interoperability with other vendor, perhaps password (like you have it) + hmac challenge response would be a good way, as hmac works over USB-HID only (smartphone nfc would not be possible, plugin nitrokey 3C in phone perhaps would work, idk at moment).

for inspiration look at KeePassXC Docu, they support allready both based on hmac challenge as second factor, they also explain in documentation, why not to use FIDO-U2F as example, as everthing should work offline, without any needed external connection.

Further Links:
Nitrokey HMAC Secret docu

For hmac challenge with nitrokey, you can create two nitrokeys with same hmac secret,
so that you got a physically backup, if the stick got damaged by any kind, as i got this issue with my yubikey some years ago (not funny).

Perhaps also another way is possible, from daily experience i like the tradeoff keepassxc does with hmac challenge response way, what kind you use in the end, depends on setup by user, as they can mix it totally to there behalf.