With the release of version 1.49.23 on iOS today, Strongbox now offers the possibility of creating Virtual Hardware Key’s. These are software implementations of the popular hardware tokens from various vendors. Strongbox already supports hardware keys over NFC and Lightning in the Pro edition.

Virtual Hardware Keys are a new feature of Strongbox available to all, free, for life. If you like Strongbox, consider supporting us by purchasing a subscription or license.

The Problem with Hardware Only Keys on iOS

While using a hardware token provides an excellent extra factor for encrypting your KeePass databases, there are (or were!) some downsides that really put a dampener on adoption of a hardware key as a second (or third) factor. One of the main blockers is the lack of support for NFC and Lightning in AutoFill mode. Apple does not allow NFC to be used in App Extensions (the technical term for the execution context of the Strongbox AutoFill component). Some vendors do not offer library support for Lightning (MFI) in App Extensions. This has led to a suboptimal situation whereby you can use your hardware key in the main Strongbox app, but you cannot use the extremely convenient iOS AutoFill feature.

Enter the new Strongbox feature, Virtual Hardware Keys. You can create a Virtual Hardware Key within Strongbox which is a software simulation of the process that takes place on your hardware key, technically a HMAC-SHA1 digest. To do this you will need the secret you programmed your hardware key with originally (something you will or should have stored somewhere very secure in case of device loss). Using this secret Strongbox can mimic your hardware key in software. Strongbox stores this secret securely in the Secure Enclave on your device.

Why Use a Virtual Hardware Key?

There are two main scenarios in which you’ll want to use a Virtual Hardware Key. Let’s deal with them in turn…

1. AutoFill Mode

As mentioned above, you cannot use a hardware key in iOS AutoFill mode due to system limitations. This led many to abandon a hardware key as a second factor on iOS. Because Virtual Hardware Keys are entirely software based, you can use them in AutoFill mode. Further, you can specify that a hardware key is required in the regular Main app (used to edit and provide full access to your database) but that a Virtual Hardware Key should be used in AutoFill mode providing super quick and convenient access to your passwords within other Apps. Both hardware and virtual hardware keys can work on the same database seamlessly.

2. Emergency or Disaster Recovery

While using a hardware token to secure your database provides an excellent level of security, it is very possible to lock yourself out of your database by losing the physical key. Once that’s done, there’s no way to unlock your database unless you have the original secret used to program your key. That’s why, in our setup instructions, we recommend you keep this secret somewhere secure (like a safe in your house and/or offsite).

Now with Virtual Hardware Key support you can use this secret if you lose your hardware token to create a new Virtual Hardware Key and recover your database.

How Do I Create or Use a Virtual Hardware Key?

See our help article on how to create a Virtual Hardware Key for AutoFill mode or disaster recovery.

* This work was inspired by the problems and solutions discovered while adding full YubiKey support to Strongbox. Kudos to everyone on Github for their help.

Recommended Posts