Right now there are 2 prompts, one for authentication (polkit), and one for approval. It would be nicer to just have 1 prompt. Some polkit (or PAM) authentication modules don't require interaction (e.g. howdy). I'm not sure if we can detect this.
If we just accept this, then the "risk" would be that, using a no-interaction required auth method, a malicious app could trigger the biometrics prompt, and instantly get the vault user key from goldwarden, while the user is sitting in front of their computer.
For the record, I'm personally fine with either as long as the "risk" is described clearly to the user. Malicious applications on the same device are only a secondary goal to strive towards where reasonable. In this case, the usability is significantly hurt.
I think these would be possible options to handle this:
- Make the approval pop-up optional (e.g. by having a config entry / env var), so users with/without concerns could opt in/out of having to "double" approve all requests.
- Do the same as howdy and state in the docs that users who do not want to take this risk can add another (required) PAM/Polkit verification step in the form of a password/PIN/etc.