Hacker News

> 3. Key backup and recovery is handled automatically via the cloud (iCloud / Google Drive). Additional backup/restore options are available in our SDK.
>
> 4. Privacy: unlike OpenID and some other passwordless solutions, Keyri’s server does not store or see any private keys or any personal information. Our API simply facilitates the transmission of public keys and encrypted signed authentication requests

I was curious if you could speak more to this. There seems to be some tension between:

"Key backup and recovery is handled automatically via the cloud" and "Keyri’s server does not store or see any private keys or any personal information" but maybe I'm missing something. How can you do backup/recovery if you never see the private keys? Is there some kind of trusted reset functionality?

Thanks, and congrats on launching!




Thanks, this question touches on a very significant point.

Backup and recovery currently are handled by iCloud and Google Drive through Keychain and KeyStore, respectively, both of which form the backbones of Apple and Google password managers, respectively. The two cloud backup services (a) are fully encrypted both in transit and at rest and (b) are managed by Apple and Google, not Keyri. So the only parties that "see" the private keys are the user and Apple or Google, and the latter two only see encrypted copies of the keys, same as they only see encrypted copies of their users' saved passwords. Recovery also happens through Apple or Google when a user sets up their new phone using iCloud / Google Drive backups of their old phones, which are also encrypted in transit and at rest. Developers can additionally require users to enter a pre-specified passcode in order to decrypt their private key upon recovery, which involves another layer of local encryption.

Key pairs are generated locally on the device (i.e., Keyri's API does not generate/provision them). Private keys are stored encrypted at rest in phones' secure enclaves and only decrypted at run time once biometric verification is passed.
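The extra passcode layer mentioned in the reply above, sketched as an added example; it is not from the thread and is not Keyri's SDK code. It shows a locally generated private key being wrapped with a passcode-derived key so that a cloud backup only ever holds ciphertext, and recovery failing without the passcode. Assumptions: scrypt and AES-256-GCM are choices made here, and the function names, the `backup-blob-v1` label and the blob layout are hypothetical.

```javascript
const { generateKeyPairSync, scryptSync, randomBytes,
  createCipheriv, createDecipheriv } = require('node:crypto');

// Assumed parameters for this sketch; maxmem is raised because N = 2^15 exceeds Node's default.
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const AAD = Buffer.from('backup-blob-v1'); // hypothetical format label, authenticated by GCM

// Derive a 256-bit wrapping key from the passcode. The salt is per backup and not secret.
function deriveKey(passcode, salt) {
  return scryptSync(Buffer.from(passcode, 'utf8'), salt, 32, SCRYPT);
}

// Key pair generated on the device; only the public key is meant to be shared.
function newDeviceKey() {
  const { privateKey, publicKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return {
    privateKeyDer: privateKey.export({ type: 'pkcs8', format: 'der' }),
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
  };
}

// Produce the blob that would be handed to the backup provider: no plaintext key inside.
function wrapForBackup(privateKeyDer, passcode) {
  const salt = randomBytes(16);
  const nonce = randomBytes(12); // fresh 96-bit nonce for every wrap
  const cipher = createCipheriv('aes-256-gcm', deriveKey(passcode, salt), nonce);
  cipher.setAAD(AAD);
  const ct = Buffer.concat([cipher.update(privateKeyDer), cipher.final()]);
  const blob = { salt, nonce, ct, tag: cipher.getAuthTag() };
  return Object.fromEntries(Object.entries(blob).map(([k, v]) => [k, v.toString('base64')]));
}

// Recovery on a new device: a wrong passcode or a modified blob fails the GCM tag check.
function unwrapFromBackup(blob, passcode) {
  const b = (field) => Buffer.from(blob[field], 'base64');
  const decipher = createDecipheriv('aes-256-gcm', deriveKey(passcode, b('salt')), b('nonce'));
  decipher.setAAD(AAD);
  decipher.setAuthTag(b('tag'));
  return Buffer.concat([decipher.update(b('ct')), decipher.final()]); // final() throws on mismatch
}
```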



