Two-Factor-Auth with FIDO U2F Support

Topics: Feature Requests
Sep 30, 2015 at 10:34 AM
Are there any plans for implementing some kind of two-factor strong authentication?
I'd love to see that with FIDO U2F Support just like Google has.
Sep 30, 2015 at 8:36 PM
+1 This would be a dramatic improvement in security.

Example would be using a Yubikey device.
Here is generic info about using a Yubikey for full-disk-encryption:
https://www.yubico.com/applications/disk-encryption/full-disk-encryption/
(info is a bit old though)
Nov 19, 2015 at 7:47 AM
+1 - either two-factor authentication, or using a token/smartcard's asymmetric encryption functionality in a secure way (freshly salted every time) is strongly recommended.
Feb 28, 2016 at 5:48 PM
Edited Feb 28, 2016 at 5:49 PM
Is that already available, or will it be implemented in future releases?
Coordinator
Feb 28, 2016 at 10:31 PM
Classical 2FA solutions like FIDO are not adapted to disk encryption since they are designed for authentication, not decryption/encryption. There are ways to adapt them for disk encryption, but these tweaked solutions are fundamentally flawed because they rely on the fact that the official software is the only interface to load the encrypted data: in real-world scenarios, an attacker will use his own software to perform a brute-force attack to decrypt the data, completely bypassing the 2FA solutions.

The only real extra protection is through the use of a smart card and asymmetric encryption as proposed by thobarth: instead of having the master key encrypted only by the password derived key, a second encryption layer would be added by using RSA or Elliptic Curve public key encryption.
Thus, the RSA/ECC private key on the smart card/token will be needed to first decrypt a blob of data and the result will then be processed by the password derived key in order to obtain the master key.

Thanks to this approach, an attacker would need to have access to both the smart card and the password in order to decrypt the data, even if he used some custom-made software, since the asymmetric decryption cannot be bypassed.

Actually, integrating asymmetric encryption through smart cards in VeraCrypt has been on the road-map since the beginning of the project because my main field of expertise has always been around smart cards. My current idea is that such a feature would be implemented as an "Enterprise" type feature that would come in the form of a plugin.

For now, nothing has started yet on this, but a decision will be made in the coming months on how this should be handled. Such development is not trivial and it requires significant changes and work, so one possibility would be to offer such a feature for a fee or at least have some kind of funding to implement it.
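The two-layer scheme described above (master key wrapped under the password-derived key, that blob then encrypted to the token's public key, with the token's private-key decryption as the first step when unwrapping) as an added Go example. This is illustrative code written for this page, not VeraCrypt's or idrassi's code: the header layout, the PBKDF2 parameters, the OAEP label and the software stand-in for the smart card (`softCard`) are all assumptions, and only the standard library is used. The `Card` interface exposes nothing but `Decrypt`, which is the point: the private key never leaves the token, so custom software on the host has no way to bypass that layer, and neither a wrong password nor a wrong token gets past its own check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

const kdfIterations, nonceSize = 100000, 12 // demo KDF iteration count and the standard GCM nonce length; VeraCrypt's real settings are not reproduced here

// Header is what sits on disk: the KDF salt and the RSA-OAEP ciphertext of the password-wrapped master key.
type Header struct {
	Salt     []byte
	CardBlob []byte // RSA-OAEP( nonce || AES-GCM(masterKey) )
}

// Card is the only surface the token exposes: a private-key decryption. Unlike a
// keyfile, the key never reaches the host, so malware there has nothing to copy.
type Card interface {
	Decrypt(blob []byte) ([]byte, error)
}

// softCard is a software stand-in for a real smart card (demo assumption).
type softCard struct{ priv *rsa.PrivateKey }

func newSoftCard() (softCard, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // the key pair a real card would generate on-chip
	return softCard{priv}, err
}

func (c softCard) Decrypt(blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, c.priv, blob, []byte("master-key"))
}

// pbkdf2Block derives one 32-byte key with PBKDF2-HMAC-SHA256 (RFC 8018, block 1), stdlib only.
func pbkdf2Block(password, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian block index
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here, so neither call can fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// WrapMasterKey: layer 1 wraps the master key under the password-derived key (AES-GCM),
// layer 2 encrypts that blob to the card's public key, so only the card can undo it.
func WrapMasterKey(masterKey, password []byte, cardPub *rsa.PublicKey) (*Header, error) {
	rnd := make([]byte, 16+nonceSize) // 16-byte KDF salt followed by the GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	salt, nonce := rnd[:16], rnd[16:]
	gcm := gcmFor(pbkdf2Block(password, salt, kdfIterations))
	inner := gcm.Seal(nonce, nonce, masterKey, nil) // nonce || ciphertext || tag
	outer, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, cardPub, inner, []byte("master-key"))
	if err != nil {
		return nil, err
	}
	return &Header{Salt: salt, CardBlob: outer}, nil
}

// UnwrapMasterKey peels the layers in the order the post describes: the card decrypts
// first, then the password-derived key opens the result. Neither step can be skipped.
func UnwrapMasterKey(h *Header, password []byte, card Card) ([]byte, error) {
	inner, err := card.Decrypt(h.CardBlob) // layer 1: fails without the right token
	if err != nil || len(inner) < nonceSize {
		return nil, fmt.Errorf("token could not decrypt the header blob")
	}
	gcm := gcmFor(pbkdf2Block(password, h.Salt, kdfIterations))
	masterKey, err := gcm.Open(nil, inner[:nonceSize], inner[nonceSize:], nil) // layer 2
	if err != nil {
		return nil, fmt.Errorf("wrong password: GCM authentication failed")
	}
	return masterKey, nil
}

func main() {
	card, _ := newSoftCard()
	h, _ := WrapMasterKey([]byte("0123456789abcdef0123456789abcdef"), []byte("correct horse"), &card.priv.PublicKey)
	got, err := UnwrapMasterKey(h, []byte("correct horse"), card)
	fmt.Printf("recovered %q, err=%v\n", got, err)
}
```

AES-GCM is used for the inner layer so that a wrong password is detected by the authentication tag rather than producing a garbage master key; the RSA-OAEP outer layer likewise fails cleanly for any token other than the one the header was created for. A real implementation would replace `softCard` with a PKCS#11 or PC/SC call to the token and use the volume's actual KDF parameters.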
Mar 7, 2016 at 5:21 PM
+1 vote. PIV functionality of Yubikey would perfectly fit, wouldn't it? So would RSA keys stored on an OpenPGP smart card (or the OpenPGP applet of the same Yubikey). Personally I'd happily pay for such functionality (as for some others too) and/or contribute to a crowdfunding campaign and/or do some coding, if it goes forward. I believe 2FA seriously increases the overall security of the system.
May 28, 2016 at 3:03 PM
Edited May 28, 2016 at 3:39 PM
idrassi wrote:
Actually, integrating asymmetric encryption through smart cards in VeraCrypt has been on the road-map since the beginning of the project because my main field of expertise has always been around smart cards. My current idea is that such a feature would be implemented as an "Enterprise" type feature that would come in the form of a plugin.

For now, nothing has started yet on this, but a decision will be made in the coming months on how this should be handled. Such development is not trivial and it requires significant changes and work, so one possibility would be to offer such a feature for a fee or at least have some kind of funding to implement it.
I would highly appreciate that, to use it with a Nitrokey Pro. However, asking for a fee would mean it won't become fully open source? That would be a pity!
In that case I'd go for funding. (Maybe on Kickstarter or Indiegogo?)

Would that also solve this issue? https://www.nitrokey.com/documentation/applications#a:hard-disk-encryption
Security Consideration: Please note that TrueCrypt/VeraCrypt doesn't make use of the full security which Nitrokey (and smart cards in general) offer. Instead it stores a keyfile on the Nitrokey which theoretically could be stolen by a computer virus after the user enters the password.
May 28, 2016 at 11:05 PM
Edited May 28, 2016 at 11:06 PM
idrassi wrote:
Actually, integrating asymmetric encryption through smart cards in VeraCrypt has been on the road-map since the beginning of the project because my main field of expertise has always been around smart cards. My current idea is that such a feature would be implemented as an "Enterprise" type feature that would come in the form of a plugin.
LarsTom wrote:
I would highly appreciate that, to use it with a Nitrokey Pro. However, asking for a fee would mean it won't become fully open source? That would be a pity!
In that case I'd go for funding. (Maybe on Kickstarter or Indiegogo?)
I agree. Fundraising should be the way to go, as it leaves the source of the plugin open.
And with over a million downloads, raising enough awareness for such a project should be possible too.