Request user identification or action for each item extraction
Proton pass contains (by construction) my most important secrets, so I really do not want any of them to be possible to extract without my consent, even if some device gets compromised. In case anything on my machine is compromised, I still want this to be of as limited impact as possible, by making sure that as few items as possible can be extracted.
Would it be possible to add an additional optional layer of security, for example asking the user to strongly authenticate (with a FIDO2 device for example) to "unlock" secret extraction on a per item basis?
For example, that could work in the following way:
I visit a website for which Proton Pass holds the login and the extension or app gets activated, or in the Proton Pass online App I click on a specific item, while already being logged in to the corresponding Proton Pass tool
This means that Proton Pass would now need to extract and decrypt the data corresponding to this specific item (for example, the "Login" item corresponding to the website); to be able to do this, the Proton Pass tool generates an authentication challenge, even though I am already logged in to the tool
As a user, I fulfill the authentication challenge, which is single use so it can only be used to retrieve data from one specific item: for example, I fulfill an OTP code, or even better a FIDO2 challenge; the challenge issued clearly indicates which item is to be unlocked, and the local Proton Pass tool only gets access to the actual data once the challenge is completed
Once the challenge is fulfilled, the Proton Pass tool receives the data necessary to get the fields of the current item and allows me, for the next 45 seconds, to extract any field from the corresponding item.
This would mean that, though my laptop would be logged into Proton Pass, even if my laptop or browser is compromised the attacker can only extract very little data from Proton Pass - at most one item at a time, for each authentication challenge I perform.
Personally, this is already kind of the strategy I use (I now have my password manager in gopass, and I use an external GPG smartcard to decode my secrets; it means that there is no way, even if my laptop is compromised, to extract any information without me plugging in my smartcard and pressing its button for each item to extract). It would be very nice if it could be supported in Proton Pass, and this is typically the kind of feature I will wait for before adopting Proton Pass for serious use.
-
guy312 commented
(Naturally, it would be necessary to provide the possibility to register several alternatives for the challenge, such as several FIDO2 keys, so that one could lose one key but still use another registered one)
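The following is an added example, not Proton Pass code and not written by the people in this thread. It models the per-item unlock flow of the request (a challenge bound to one item, single use, answered by a registered authenticator, opening a 45-second extraction window for that item only) together with the follow-up comment about registering several authenticators. The authenticator is simulated with an HMAC over the vault-issued challenge rather than a real FIDO2 assertion; the class and function names, the 120-second challenge lifetime and the sample items are all constructed for this illustration.

```python
"""Toy per-item unlock gate modelling the flow requested in the thread.

Constructed example (not Proton Pass code). A real deployment would verify a
FIDO2/WebAuthn assertion; here a registered authenticator is simulated by a
shared secret and an HMAC. The vault-side checks are the point: the challenge
names exactly one item, can be consumed only once, must be answered by a
registered authenticator, and unlocks only that item for a short window.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

UNLOCK_WINDOW_SECONDS = 45    # extraction window from the post
CHALLENGE_TTL_SECONDS = 120   # assumption: an unanswered challenge expires


class UnlockError(Exception):
    """Raised whenever the vault refuses to unlock or to read a field."""


@dataclass
class Challenge:
    nonce: bytes
    item_id: str      # the single item this challenge can unlock
    issued_at: float
    used: bool = False


class Vault:
    def __init__(self, items, clock=time.time):
        self._items = dict(items)     # item_id -> {field: value}, decrypted only after unlock
        self._clock = clock           # injectable so the window can be tested deterministically
        self._authenticators = {}     # key_id -> simulated authenticator secret
        self._challenges = {}         # nonce -> Challenge
        self._unlocked_until = {}     # item_id -> expiry timestamp

    # Several authenticators may be registered, so losing one key is survivable.
    def register_authenticator(self, key_id, secret):
        self._authenticators[key_id] = secret

    # Step 1: the vault issues a challenge that explicitly names the item.
    def issue_challenge(self, item_id):
        if item_id not in self._items:
            raise UnlockError("unknown item")
        ch = Challenge(secrets.token_bytes(32), item_id, self._clock())
        self._challenges[ch.nonce] = ch
        return ch

    @staticmethod
    def _message(ch):
        # The item id is covered by the response, so it cannot be replayed for another item.
        return ch.nonce + b"|" + ch.item_id.encode()

    # Step 2: the authenticator answers the challenge (simulated with HMAC).
    @staticmethod
    def authenticator_respond(secret, ch):
        return hmac.new(secret, Vault._message(ch), hashlib.sha256).digest()

    # Step 3: the vault verifies, consumes the challenge, and opens a window for that item only.
    def complete_challenge(self, key_id, ch, response):
        secret = self._authenticators.get(key_id)
        if secret is None:
            raise UnlockError("authenticator not registered")
        if self._challenges.get(ch.nonce) is not ch or ch.used:
            raise UnlockError("challenge unknown or already used")
        if self._clock() - ch.issued_at > CHALLENGE_TTL_SECONDS:
            raise UnlockError("challenge expired")
        expected = hmac.new(secret, self._message(ch), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            raise UnlockError("response does not match this challenge")
        ch.used = True   # single use: a captured response cannot be replayed
        self._unlocked_until[ch.item_id] = self._clock() + UNLOCK_WINDOW_SECONDS

    # Step 4: field extraction works only inside the window, and only for the unlocked item.
    def get_field(self, item_id, field_name):
        expiry = self._unlocked_until.get(item_id)
        if expiry is None or self._clock() > expiry:
            self._unlocked_until.pop(item_id, None)
            raise UnlockError("item is locked")
        return self._items[item_id][field_name]


def try_unlock(vault, key_id, ch, response):
    """Return 'ok' or the refusal reason, so outcomes are easy to inspect."""
    try:
        vault.complete_challenge(key_id, ch, response)
        return "ok"
    except UnlockError as exc:
        return str(exc)


def try_read(vault, item_id, field_name):
    """Return the field value, or None if the vault refuses."""
    try:
        return vault.get_field(item_id, field_name)
    except UnlockError:
        return None
```

Note how a compromised host that captures one completed response gains nothing beyond the 45-second window for that one item: the response is bound to the nonce and the item id, the challenge is marked used, and every other item stays locked until the user answers a fresh challenge naming it.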