Password managers are convenient, but I've never used them because they pose a substantial security risk. If you let someone use your laptop, they can get access to your unencrypted passwords in a matter of seconds if you have autofill enabled. And if your computer's password is compromised, all your saved passwords are also compromised (since most browser-based password managers rely on your system's password or password vault). To battle this issue, I developed DoubleAuth, a Chrome password manager that requires authentication from the user's smartphone before autofilling password forms on websites.
What it does
DoubleAuth is a Chrome password manager that requires authentication from the user's smartphone before autofilling password forms on websites. The computer stores the passwords, each encrypted with its own random 40-byte key, and the smartphone stores those random keys. Thus if the computer is compromised, the attacker only obtains passwords that are each encrypted with AES under a 40-byte key. If the phone is compromised, it only contains random keys, none of which are useful without the encrypted passwords. (Go to 0:55 in the video for a demo)
How I built it
- I used Google's Chrome extension SDK to write the password manager.
- I used Node.js and MySQL to write the backend, which manages the communication between the computer and the phone.
- I used Android Studio to develop the DoubleAuth Authentication Android app.
Challenges I ran into
I'm not very familiar with developing backends and I had never used Node.js prior to this project, so I had to learn how to write code for Node and how Node.js works in a very limited amount of time. Thinking of a truly secure password manager design took some time.
What I learned
- New Chrome extension APIs (message passing, etc.)
- How to design a secure application
Accomplishments that I'm proud of
I learned how to use a lot of new tools and successfully developed a secure, reliable, and easy-to-use password manager with 2-factor authentication.
What's next for DoubleAuth
- Make the UI nicer
- Add an initial setup page where the user can link his/her phone with the extension (currently the ID is hard-coded)