What are the security differences between storing a seed phrase in the following ways:
- Locked note in iCloud
- Password-protected in Keychain like how Rainbow does it
- largeBlob with a passkey in iOS17+
I think I understand the UX implications of each, but curious about the technical side
cc @cassie 1/ Keychain is a more secure part of the operating system on iOS and macOS vs. Notes, which is an app, likely with more basic password security (likely not encrypted). Password-protected backup is likely decent encryption, but if you forget the password you're screwed.
largeBlob is interesting, I didn't realize that was part of the webauthn spec. Pretty positive implications for e2ee products IMO
My general POV is that the security of all three is reasonably good, unless you're storing a life-changing amount of money in the wallet, in which case I would do none of these. The UX diffs between them are huge - largeBlob wins by a big margin.
What’s not often discussed with largeBlob is that it gets exposed to the JS context of the requesting page, so malicious JS dependencies can steal the key material stored in largeBlob. This can be ok depending on the context, but it’s much weaker than Keychain storage imho.
We have a slide on this in our pitch deck… (except for the locked note). Apple gave a talk on iCloud security in 2016 at blackhat. https://youtu.be/BLGFriOKz6U?feature=shared
- DO NOT USE NOTES. They don't enforce any secure data practices since they are just stored on disk (See Disk risks on right)
- KeyChain is the best option right now
- A PassKey just replaces your password — It would be something that you could use to unlock your KeyChain (Wallet in crypto)