Status-react: Keycard users should have a "remember me" feature too

Created on 10 May 2019 · 7 Comments · Source: status-im/status-react

Problem

Standard Status users can choose on their login screen a "remember me" option, that allows them to not enter their password/PIN when they next try to login.

With the current implementation keycard users don't have this choice, and must always tap their card and enter their PIN to login.

Desired behaviour

When first logging in with his keycard, we ask the user if he wants to be remembered. If he chooses yes, then he won't be asked to tap his card or enter his PIN at next login. He will need to tap his keycard for any signing of transactions though.

open: do we want a way for the app to forget a user?

Steps

  • design update to ask the user if he wants to remember his 'login'
  • implementation

FYI
@hesterbruikman
@dmitryn
@flexsurfer
@andmironov

feature keycard


Some notes regarding implementation:

encryption-public-key and whisper-private-key need to be securely stored to be able to login automatically.

Also, screenshot from Figma https://www.figma.com/file/dEIljL7UPbXgsZUA0Q4qlE5E/Onboarding?node-id=1125%3A187&viewport=2632%2C-1171%2C0.4031412899494171

[Screenshot 2019-07-02 12:21:23]

@corpetty
this is not implemented yet, however it's on the backlog
can this be done post code freeze or should it be done before?

cc @rachelhamlin

this can be done post-freeze as we should have the same model for doing it (same as non-keycard).

The proposal here https://github.com/status-im/status-react/issues/8535#issuecomment-535609803 is directly relevant to this issue, because to avoid having to login with keycard you need to store the chat account on the device and encrypt it with a secret stored in the keystore.

So I see it working that way:

  • if the device has no secured enclave, it still works as of now and there is no way to login without keycard, the keycard is basically your secured enclave
  • if it has a secure enclave, it works like the regular login described in the proposal, using the sha3 of the seed phrase as the secret to encrypt the db and the keyfile of the chat account (as well as accounts you exported on the mobile to use without keycard). The user can then choose between PIN, card + PIN and biometric to authenticate for login and use of local keys, and still always needs the keycard for wallet accounts stored in keycard.

Additionally, the PUK is generated on the Status side, so I would suggest that we also use the sha3 of the mnemonic there, because there is no point in adding the burden of another secret to save on the user. He will take a picture or ignore it.

This means you can login with the PIN only on a keycard account, because if you really think about it or actually try to use keycard on your main account for just a few days, you will understand how silly logging in with keycard is.
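The two branches described in the comment above (no secure enclave: keycard stays the only login factor; secure enclave: a secret derived from the sha3 of the seed phrase unlocks the locally stored chat keyfile), as an added example that is not status-react code. It assumes a `Device` stand-in for the phone and its keystore, a constructed mnemonic and keyfile, and a stdlib-only encrypt-then-MAC construction in place of a real cipher, since the point is the login model rather than the cipher.

```python
"""Added example: 'remember me' login model for keycard accounts.
Not status-react code; the Device keystore and the cipher are stand-ins."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def account_secret(mnemonic: str) -> bytes:
    """Root secret for the chat account: sha3 of the (whitespace-normalised) seed phrase."""
    return hashlib.sha3_256(" ".join(mnemonic.split()).encode()).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """Minimal HKDF-Expand (RFC 5869) over SHA3-256; derives sub-keys from the root secret."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha3_256).digest()
        out += block
        counter += 1
    return out[:length]


def encrypt_keyfile(secret: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Keystream and tag keys come from HKDF over `secret`.
    The stdlib has no AES, so this is a demonstration construction only."""
    nonce = secrets.token_bytes(16)
    enc_key = hkdf_expand(secret, b"keyfile-enc", 32)
    mac_key = hkdf_expand(secret, b"keyfile-mac", 32)
    stream = hkdf_expand(enc_key, b"stream" + nonce, len(plaintext))  # fine for small keyfiles
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha3_256).digest()
    return nonce + ciphertext + tag


def decrypt_keyfile(secret: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    if len(blob) < 48:
        raise ValueError("keyfile blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = hkdf_expand(secret, b"keyfile-mac", 32)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha3_256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("keyfile authentication failed")
    enc_key = hkdf_expand(secret, b"keyfile-enc", 32)
    stream = hkdf_expand(enc_key, b"stream" + nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


@dataclass
class Device:
    """Constructed stand-in for a phone. A real secure enclave would wrap the secret
    under a hardware key released on PIN/biometric; here a PIN hash gates a field."""
    has_secure_enclave: bool
    keyfile_blob: bytes
    enclave_pin_hash: Optional[bytes] = None
    enclave_secret: Optional[bytes] = None


def remember_login(device: Device, secret: bytes, pin: str) -> bool:
    """Called once after a successful keycard login when the user opts in to 'remember me'.
    Returns False on devices without a secure enclave: nothing is stored, card stays required."""
    if not device.has_secure_enclave:
        return False
    device.enclave_pin_hash = hashlib.sha3_256(pin.encode()).digest()
    device.enclave_secret = secret
    return True


def login(device: Device, pin: Optional[str] = None,
          keycard_secret: Optional[bytes] = None) -> Optional[bytes]:
    """Return the decrypted chat keyfile, or None when login is not possible.
    A tapped keycard (keycard_secret) always works; PIN-only login works only if the
    device has an enclave and the user previously opted in."""
    if keycard_secret is not None:
        return decrypt_keyfile(keycard_secret, device.keyfile_blob)
    if not device.has_secure_enclave or device.enclave_secret is None:
        return None
    if pin is None or device.enclave_pin_hash is None:
        return None
    if not hmac.compare_digest(hashlib.sha3_256(pin.encode()).digest(), device.enclave_pin_hash):
        return None
    return decrypt_keyfile(device.enclave_secret, device.keyfile_blob)


if __name__ == "__main__":
    secret = account_secret("constructed mnemonic words only for this example")
    keyfile = b'{"address":"0xconstructed"}'
    phone = Device(has_secure_enclave=True, keyfile_blob=encrypt_keyfile(secret, keyfile))
    remember_login(phone, secret, "1234")
    print(login(phone, pin="1234") == keyfile, login(phone, pin="0000"))
```

The useful check is the failure path: a device without an enclave returns `False` from `remember_login` and `None` from a PIN-only `login`, so the card remains the only way in, and a tampered keyfile blob fails authentication before any decryption happens.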

cc @andmironov @yenda
also, as discussed during today's weekly, this should go through a design review, to make sure the full experience (no keycard/keycard, biometric/no biometric) is consistent, and the user is not lost
