2 Aug 2024 |
@lantizia:mozilla.org | * When the device receives this external data, it shouldn't be shown to the user, but instead Aegis (which would have to run in the background to listen for this information) should silently take the ID number... self-unlock the vault... look up the TOTP for that ID... and locally generate a notification to show to the user, that mentions the TOTP code that the user needs. | 15:51:15 |
Wu Tingfeng | I think any sort of capability of listening for remote commands, even if explicitly opt-in only by the user, would drive users away from Aegis. | 15:51:18 |
@lantizia:mozilla.org | * But say Aegis Authenticator listened for some kind of incoming external communication (likely over the Internet, perhaps as a Google or Apple push notification sent by a 3rd party source external to your phone) and the user has already told their installation of Aegis to trust this particular kind of communication... and in this communication is an ID number (no other data, so basically anonymized unless you ARE Aegis and know what it relates to) of an entry in the vault. | 15:53:03 |
@lantizia:mozilla.org | * But say Aegis Authenticator listened for some kind of incoming external communication (likely over the Internet, perhaps as a Google or Apple push notification sent by a 3rd party source external to your phone) and the user has already told their installation of Aegis to trust this particular kind of communication... and in this communication is an ID number (no other data, so basically anonymized unless you ARE Aegis and know what it relates to) of an entry in the vault. | 15:53:15 |
@lantizia:mozilla.org | * But say Aegis Authenticator listened for some kind of incoming external communication (likely over the Internet, perhaps as a Google or Apple push notification sent by a 3rd party source external to your phone) and the user has already told their installation of Aegis to trust this particular kind of communication... and in this communication is an ID number (no other data, so basically anonymized unless you ARE Aegis and know what it relates to) of an entry in the Aegis vault. | 15:53:52 |
@lantizia:mozilla.org | * Basically an external source of some kind that is trusted enough to tell Aegis what TOTP code it should immediately show as a notification to the user (much like an incoming SMS message). But this external source doesn't have any information except the ID number of the entry in the Aegis vault... it doesn't have access to the vault itself... and wouldn't receive any data back. | 15:54:41 |
@lantizia:mozilla.org | * Which if it depended on Google/Apple external push notifications (and perhaps some non-free library to do that) to receive this external data... well then it might be better to put this into another app anyway... to keep Aegis free and on things like F-Droid. | 15:57:42 |
@lantizia:mozilla.org | * Well given something has to stay running in the background somehow to listen for these incoming requests... perhaps that something could be installed separately. So you'd just be telling Aegis to trust that other app is allowed to open Aegis, unlock the vault, and read a single TOTP code from it? | 15:59:12 |
@lantizia:mozilla.org | * Which if it depended on Google/Apple external push notifications (and perhaps some non-free library to do that) to receive this external data... well then it might be better to put this into another app anyway... to keep the main Aegis app free and on things like F-Droid. | 15:59:39 |
@lantizia:mozilla.org | * But say Aegis Authenticator listened for some kind of incoming external communication (likely over the Internet, perhaps as a Google or Apple push notification sent by a 3rd party source external to your phone) and the user has already told their installation of Aegis to trust this particular kind of communication... and the only thing in this communication is an ID number of an entry in the Aegis vault (absolutely no other data, just an ID... which is practically anonymous unless you are Aegis with the right vault open... and know what that ID relates to). | 16:03:29 |
@lantizia:mozilla.org | * But say Aegis Authenticator listened for some kind of incoming external communication (likely over the Internet, perhaps as a Google or Apple push notification sent by a 3rd party source external to your phone) and the user has already told their installation of Aegis to trust this particular kind of communication... and the only thing in this communication is an ID number of an entry in the Aegis vault (absolutely no other data would be received, just an ID... which is practically anonymous unless you are Aegis with the right vault open... and know what that ID relates to). | 16:03:45 |
| valentinb102 joined the room. | 17:13:14 |
valentinb102 | Download Screen_Recording_20240802_130819.mp4 | 17:15:59 |
valentinb102 | Hi, I have a slight issue related to screen zoom. Not sure if I should file a bug report on this though. It has to do with the export popup. | 17:16:03 |
alexbakker | valentinb102: Thanks for the report. I've prepared a patch to fix the issue: https://github.com/beemdevelopment/Aegis/pull/1444 | 17:44:48 |
valentinb102 | Well that was fast! Thanks a lot. | 17:45:39 |
alexbakker | Sure thing! | 17:48:01 |
@lantizia:mozilla.org | Regarding my crazy idea above... I'm not always looking at Matrix... so if anyone does have any thoughts (negative or positive!) then it's also been filed here... https://github.com/beemdevelopment/Aegis/issues/1445 | 18:00:04 |
@lantizia:mozilla.org | I'll likely also file this with Authenticator Pro (as I hear that is also popular) to see what the appetite is there. | 18:01:04 |
valentinb102 | In reply to @lantizia:mozilla.org: "Regarding my crazy idea above... I'm not always looking at Matrix... so if anyone does have any thoughts (negative or positive!) then it's also been filed here... https://github.com/beemdevelopment/Aegis/issues/1445" Is this similar to what the 2fas browser extension is doing? https://2fas.com/browser-extension/ | 18:08:35 |
@lantizia:mozilla.org | No that looks like it's sending the code in some kind of encrypted communication | 18:10:00 |
@lantizia:mozilla.org | This, intentionally, wouldn't... but takes away the hassle of having to find the right code | 18:10:27 |
valentinb102 | 2fas asks which code to send when you click on the browser icon and saves that. | 18:11:28 |
@lantizia:mozilla.org | I can't speak for "2fas" as I've never used it, but reading the home page tells me enough to know it's not the same idea. | 18:12:04 |
@lantizia:mozilla.org | If you've thoughts about the actual idea... put them on GitHub | 18:12:54 |
alexbakker | Lantizia: I admit I haven't done a thorough read of your proposal yet but this sounds very similar to https://github.com/beemdevelopment/Aegis/issues/1259. Except your idea also has a "self-unlock" step which I don't quite understand how imagine that'd work. I think my comment to that issue also applies here. If this is going to be implemented in a separate app, there's not much involvement from Aegis needed. All we'd need is some way to surface the right entry when another app asks for it. | 18:17:43 |