Cacti Biometric Unlock
Cacti’s Vault is primarily encrypted using your passphrase. Cacti also offers an alternate way to unlock your vault using Face ID or Touch ID (Biometric Unlock) on iPhone.
This article aims to inform you about the risks and exposure of using Biometric Unlock so that you can make an informed decision.
What happens under the hood?
If you enable Biometric Unlock for your vault, Cacti stores your passphrase in the Keychain. The Keychain is encrypted storage provided by iOS, and anything the Cacti app stores in the Keychain is accessible only to the Cacti app.
Every time you want to unlock your vault, we first authenticate you using Face ID or Touch ID. Once iOS has verified your identity, we read your stored passphrase from the Keychain and use it to decrypt your vault. We do not store your passphrase anywhere else.
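As an added illustration (not Cacti’s own code) of how an iOS app can bind a Keychain item to biometrics: the item is created with an access-control object that requires the currently enrolled Face ID or Touch ID set, and the accessibility class keeps the item out of device backups and ties it to the device passcode. The service and account names are placeholders.

```swift
import Foundation
import Security
import LocalAuthentication

enum KeychainError: Error {
    case accessControl(Error)
    case status(OSStatus)
    case badData
}

enum VaultKeychain {
    // Placeholder identifiers; a real app would use its own.
    static let service = "com.example.vault"
    static let account = "vault-passphrase"

    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    // Store the passphrase so that reading it back requires the biometric
    // set enrolled right now. Changing enrolled faces/fingers invalidates
    // the item, and the accessibility class excludes it from backups and
    // removes it if the device passcode is turned off.
    static func storePassphrase(_ passphrase: String) throws {
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .biometryCurrentSet,
            &cfError
        ) else {
            throw KeychainError.accessControl(cfError!.takeRetainedValue())
        }
        SecItemDelete(baseQuery as CFDictionary) // replace any older copy
        var query = baseQuery
        query[kSecAttrAccessControl as String] = access
        query[kSecValueData as String] = Data(passphrase.utf8)
        let status = SecItemAdd(query as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.status(status) }
    }

    // Reading the item makes iOS prompt for Face ID / Touch ID first;
    // the passphrase is only returned after a successful authentication.
    static func readPassphrase(reason: String) throws -> String {
        let context = LAContext()
        context.localizedReason = reason
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        query[kSecUseAuthenticationContext as String] = context
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess else { throw KeychainError.status(status) }
        guard let data = item as? Data,
              let passphrase = String(data: data, encoding: .utf8)
        else { throw KeychainError.badData }
        return passphrase
    }
}
```

The passphrase returned by readPassphrase should be used to derive the vault key immediately and then discarded, rather than cached elsewhere.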
The Risks
- The biggest risk of enabling Biometric Unlock is that your passphrase is stored somewhere. This matters because we assume you would not store your passphrase anywhere at all if you did not enable this feature. We also assume your passphrase is long and strong enough that the risk of someone learning it through social engineering or other methods is low.
- We believe the Keychain is quite secure: probably as secure as the other data on your iPhone when a passcode lock is set. But we can’t be sure. There have been some reports of people accessing Keychain data in extreme situations, such as gaining access to your device backups when your device passcode is not very strong. But we don’t know for certain.
- Face ID and Touch ID, as convenient as they are, and as instrumental as they are in bringing good security practices to a wide audience, are not perfect. There have been reported cases of identical twins being able to unlock each other’s iPhones. You should consider this when enabling this feature.
Summary
Practically, the most secure you can be while using Cacti is to use a passphrase that’s over 32 characters long and to not store that passphrase anywhere.
But your needs may not be that extreme, and you may be okay with trading some amount of security for convenience, and that’s okay.
As much as we would like to offer a one-size-fits-all solution for the security of your data that is both very convenient and very secure, we practically can’t guarantee that. Security is a game of tradeoffs, and only by learning about it can you decide what’s best for you.
If you’d like to engage in a conversation about all of this, please hit us up by navigating to Settings in the Cacti app and finding either the Help | Contact Us section or the App Feedback section. We would love to hear from you.