Ask HN: Is GNU pass and Yubikey (via NFC) supported on iPhone?
Hello,
I am considering moving from Android to iPhone in the near future. I think the only thing I can't really evaluate easily is whether or not there is support for GNU pass where the GPG key is stored on a Yubikey.
My Android password manager workflow is:
Need password -> Android pass app requests Yubikey Pin -> App requests NFC tap -> password decrypted.
Can I replicate this UX on iPhone today?
What is GNU pass? It looks like people use it to refer to https://www.passwordstore.org/ which isn’t a GNU project?
I have always assumed 'GNU' pass is more of a colloquial term - possibly because 'pass' rarely results in meaningful results when searching the web, as does 'passwordstore' (although at least it does point to the actual repository. I seem to recall a few years ago googling 'password store' would not even return that on the first page). As far as I am aware there is zero relation to GNU projects, aside from pass requiring GPG. I believe the author of pass is the same fellow who wrote wireguard.
pass is a command that simplifies reading and writing sensitive text to encrypted files using GPG encryption.
It’s most often used to decrypt passwords and API credentials, copying them to the system clipboard for pasting elsewhere without writing the plaintext to the filesystem. Paired with an encryption key stored in an isolated device like a Yubikey, it makes for a powerfully secure password system — if you like using the command line for your passwords. I don’t know of any iOS apps that do this, but I now want one.
Thanks for the explanation, but I actually do use the software that I linked to, however, it’s not a GNU project, so I’m just confused as to if it’s a widely used misnomer or it’s a completely different software package than the one I linked to.
It seems to be a misnomer on OP's part, they've also said about switching to 'gnu pass' in previous comments, but needing to get their head around GPG... I suspect rather than suggesting it's a GNU project, OP is creating a sort of portmanteau from GnuPG and pass.
Seems to be a somewhat common misnomer online[1] and on HN[2].
[1] https://www.google.com/search?q=%22gnu+pass%22
[2] https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
Actually, Bruce Byfield explains it in Linux Magazine:
Pass is available in the repositories of most major distributions. As usual, you can also compile from scratch, but, if you do, take note of the dependencies, especially GnuPG (GPG) [6], which creates encryption keys, and Password Generator (pwgen) [7], which generates random passwords that contain random combinations of upper- and lowercase letters, numbers, and special characters. Without GnuPG and pwgen, you will be unable to set up Pass, much less actually use it.
https://www.linux-magazine.com/Issues/2014/158/Command-Line-...
https://github.com/mssun/passforios might be of interest.
Unsure about Gnu pass, but several (offline) password managers on iOS support Yubikey. One such example is Keepassium (Open source, GPL)
https://keepassium.com/blog/2020/01/keepassium-1.10-yubikey/
Short answer: no. Longer answer: iCloud Keychain is end-to-end encrypted credential storage, and its workflow is:
Need password -> Secure system hook to Keychain -> Keychain requests unlock via (face/finger/passphrase as appropriate) -> Password decrypted and auto filled.
There are also third-party options, which can nominally use NFC keys[0] as auth factors, but I’m not currently aware of any that actually do. Personally, I use 1Password, because I’ve still got a Windows box in my world, and need something cross-platform, and since I’m paying for it, I know it’s the product and not me.
[0] https://developer.apple.com/documentation/authenticationserv...
> I know it’s the product and not me
When wealthy clients come knocking with millions/billions of dollars to spend on advertising to, or vacuuming up data on, a company's customers, you are always potentially the product. Paying for a product/service doesn't mean that there isn't someone with more money willing to pay for your attention or data via that product/service. Those people become a company's real customers.
The OP's workflow is entirely possible with https://github.com/mssun/passforios since over a year ago.
As a side note, I believe iCloud Keychain is supported on Windows now.
I believe you're right.. it has Chrome support on Windows but not macOS :P
What about Ubuntu (or Linux in general)?
Whoa whoa, let’s not get crazy!
Nice try though! :)
AFAIK you can’t use anything except FaceID (or other system level security options) to secure the default password manager on iOS. But Yubikey does work with iOS, either the NFC one or the one with the lightning connector. Third party password managers are well integrated, so if one of them supported Yubikey I think you could achieve the same UX, but I’m not sure if any do. I’m not familiar with GNU pass sorry!
Yes you can, you can use the https://github.com/mssun/passforios app which as of over a year ago supports Yubikeys. The UX of having to grab your Yubikey every time is a bit clunky though (although that is a limitation of the security key medium itself rather than the app).
My concern here is there appears to be a few open issues around Yubikey support - it sounds like it 'might' work as I described but it might not, and I don't have an iPhone to test with. I don't want to have to use the physical connector, for example. I will reach out to the developer and see if he can clarify directly.
Well it works pretty well for me via NFC using a YK 5 and 5C.
It’s a superb tool with Yubikey, but has a bad name. Can’t be easily googled.