by Zinggi 2935 days ago
Hi all!

This is my first time posting something to HN, so please be kind.

I wanted to show what I’ve been working on for the last 6 months:

NoKey, a password manager without a master password. Instead, you can unlock your passwords by confirming from another device. E.g. if you need a password on your PC, you only have to confirm this on your phone. No need to remember any passwords!

The vast majority of the code is written in Elm and it’s fully open source.

There is a browser extension for Chrome and Firefox and an Android app. The application is only useful with at least two devices, so to really test it out, you’ll have to install it on two devices. There is no iOS version and the web app doesn’t work on Safari either (it's missing some stuff from the Web Crypto API), sorry!

Any feedback or questions are greatly appreciated!

2 comments

I love the idea, and I think it's pretty smart. When I'm doing work on my laptop, I always have my phone nearby. I think it's unlikely that both of them are compromised or stolen simultaneously.

Also, the Android app requires no device permissions, haven't seen that in a while.

> the Android app requires no device permissions

That's not true, it just uses the new way to ask for permissions. E.g. when you want to scan a QR code it requires the camera permission. But it only asks at that moment, not upfront as older Android apps used to do.

Could someone use the Firefox and Chrome extensions on the same device as two different devices?

Yes, but it's a very bad idea. If you did this, you could unlock your passwords with a single device by confirming on Firefox or vice-versa on Chrome. This of course also means that if someone steals this device, they can unlock it too.

So don't do it.

Yeah. That's what I don't want. So how do you prevent someone doing just that? They have Chrome open. They then confirm setup in Firefox using Chrome on the same device.

When pairing a new device (or in this case a new browser), that device doesn't automatically get any keys! When adding a new device, to complete the setup you also have to be able to unlock a password group, for which you need another device that already has keys.

In short, a new device doesn't have the same power as the others from the start. First, new keys have to be generated, which can only happen if you are able to unlock your passwords.

So just don't set up both the Firefox and Chrome extension and you're golden.

Ah. So you essentially need 2 devices to set up a new device.

Exactly. Or even 3 if you make use of security level 3.

The only exception is at the start when there are no passwords stored yet.
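
The enrollment rule discussed in this thread, sketched as an added example that is not part of the thread and not NoKey's own code. The thread does not say how NoKey splits its keys; this assumes a Shamir-style threshold scheme where the "security level" is the number of shares needed, and every name here (`split`, `combine`, `enroll`, the device labels) is hypothetical.

```python
import secrets

P = 2**127 - 1  # prime field modulus (assumed; fits a 126-bit demo key)

def _poly(coeffs, x):
    """Evaluate the polynomial at x over GF(P) using Horner's rule."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y

def split(key, level, devices):
    """Give each device one share; any `level` shares recover `key`."""
    if not 1 <= level <= len(devices):
        raise ValueError("level must be between 1 and the number of devices")
    coeffs = [key] + [secrets.randbelow(P) for _ in range(level - 1)]
    return {d: (x, _poly(coeffs, x)) for x, d in enumerate(devices, start=1)}

def combine(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) shares."""
    key = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        key = (key + yi * num * pow(den, -1, P)) % P
    return key

def enroll(new_device, level, devices, confirming):
    """Re-split the key to include new_device; needs `level` existing shares."""
    if len(confirming) < level:
        raise PermissionError("need %d confirming devices" % level)
    return split(combine(confirming), level, devices + [new_device])

if __name__ == "__main__":
    key = secrets.randbelow(2**126)            # constructed group key
    s = split(key, 2, ["pc", "phone"])
    assert combine([s["pc"], s["phone"]]) == key
    assert combine([s["pc"]]) != key           # one share alone is not enough
    # A freshly paired browser holds no share until two devices confirm.
    s = enroll("firefox", 2, ["pc", "phone"], [s["pc"], s["phone"]])
    assert combine([s["firefox"], s["phone"]]) == key
```

Once two browsers on the same machine each hold a share, that one machine meets a level-2 threshold by itself, which is the situation the author advises against.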