Hacker News

Not only that but this also enables offline attacking of the password. If you can compromise the Keybase server and grab the encrypted passwords, you can then attack it at your leisure with whatever computing power you can scrounge up, over whatever time duration you want. And when you break it, as long as any of the included devices are still on the account, you'd have complete access to everything.

Requiring existing devices to be actively involved in provisioning a new device prevents all of this.



Ah, that makes more sense.

So in Keybase, what does device to device provisioning look like? "Hey, you've just set up this device - a message has been sent to all your other devices, OK the message and come back here and you'll be good to go"


You just scan a QR code. Or if you want to do an offline device you can type in a set of words that represent the key.



