When you first set up your RememBear account, you saved a copy of your Backup Kit and stored it somewhere safe. The first section of your kit contains your New Device Key (NDK), a long random string that is used for both encryption and authentication in RememBear. It is generated and stored on the first device you use when your account is created, and it is never sent through our network.
You will need your NDK whenever you sign in to RememBear on a new device, either by typing it in manually or by scanning a QR code. Once entered, the NDK is stored on that device for future use, and it also serves as an extra layer of protection for your account.
NDK as a password strengthener (encryption):
By design, RememBear encrypts all of your sensitive information with your Master Password. However, human-memorable passwords have limited strength, so the Master Password by itself may not provide enough protection against a determined attacker.
The NDK significantly increases the strength of your Master Password, so that all encrypted data that leaves your device or is stored on RememBear servers is protected from dictionary and brute force attacks.
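The following example, added here and not RememBear's own code, shows what "strengthening" the Master Password with the NDK means in practice. It derives an encryption key two ways: from the password alone, and from the password bound to a 256-bit NDK. A small, constructed wordlist then models the offline dictionary attack the text warns about: it reproduces the password-only key after a few guesses, but cannot reproduce the NDK-bound key because the NDK never reaches the server-side data an attacker might obtain. The KDF (PBKDF2-HMAC-SHA256), the iteration count and the way the NDK is mixed in (prefixed to the salt) are assumptions for illustration; the page does not describe RememBear's actual construction.

```python
import hashlib
import secrets
from typing import List, Optional

# Parameters chosen for this example. RememBear's real KDF, iteration count
# and the exact way it mixes in the NDK are not described on the page.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32  # 256-bit encryption key


def generate_ndk() -> bytes:
    """Create a New Device Key: 256 bits from the OS CSPRNG, made once on the
    first device and never sent to the server."""
    return secrets.token_bytes(32)


def derive_key_password_only(master_password: str, salt: bytes) -> bytes:
    """Baseline: encryption key stretched from the Master Password alone.
    Its strength is capped by how guessable the password is."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, KEY_LEN)


def derive_key_with_ndk(master_password: str, ndk: bytes, salt: bytes) -> bytes:
    """Strengthened key: the NDK is bound into the derivation (here prefixed
    to the salt, a hypothetical construction), so every candidate password
    must be paired with the right 256-bit NDK to reproduce the key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               ndk + salt, PBKDF2_ITERATIONS, KEY_LEN)


def offline_guess_count(target_key: bytes, salt: bytes,
                        wordlist: List[str]) -> Optional[int]:
    """Model of the offline dictionary attack the page describes: someone
    holding a copy of the encrypted data (and its salt) tries each wordlist
    entry. Returns the number of guesses that reproduced the key, or None if
    the whole list fails. The NDK is deliberately absent here: an attacker
    with only server-side data does not have it."""
    for count, guess in enumerate(wordlist, start=1):
        if derive_key_password_only(guess, salt) == target_key:
            return count
    return None


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    ndk = generate_ndk()
    wordlist = ["password", "letmein", "Winter2019!", "qwerty"]  # constructed
    weak = derive_key_password_only("Winter2019!", salt)
    strong = derive_key_with_ndk("Winter2019!", ndk, salt)
    print("password only :", offline_guess_count(weak, salt, wordlist), "guesses")
    print("with NDK      :", offline_guess_count(strong, salt, wordlist))
    print("candidates per password guess once the NDK is unknown: 2 **", len(ndk) * 8)
```

The point of the comparison is the last line of output: with the NDK bound in, each password guess has to be paired with one of 2^256 possible NDK values, which is what turns a guessable Master Password into a key that cannot be attacked from the stored ciphertext alone.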
NDK as 2FA (authentication):
Every time you log in from a new device, RememBear servers have to authenticate that device. As with RememBear's encryption, this is done with a combination of your Master Password and NDK.
Unlike standard password-based authentication, RememBear uses the SRP (Secure Remote Password) protocol: you prove to the server that you know the Master Password and NDK, without sending either of them over the network. For added security, each SRP authentication handshake is unique and cannot be replayed.
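To make the SRP description concrete, here is an added example of a complete SRP-6a exchange (this is illustrative code, not RememBear's implementation). The first device runs `register`, which sends only a salt and a verifier to the server; the Master Password and NDK stay on the device. A new device then runs the handshake in `authenticate`: both sides derive a shared key from ephemeral values, and exchange proofs of it, so neither secret ever crosses the network, and because the ephemeral values are fresh each time, no two transcripts are alike. The way the NDK is mixed into the private value `x` (hashed together with the password) is an assumption, as is the use of SHA-256; the group is the 1024-bit one from RFC 5054, reproduced here for demonstration only.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Group parameters: the 1024-bit group from RFC 5054 (g = 2), reproduced here
# for demonstration; a deployment would pick one of the larger groups.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_BYTES = (N.bit_length() + 7) // 8


def pad(n: int) -> bytes:
    """Fixed-width big-endian encoding of a group element."""
    return n.to_bytes(N_BYTES, "big")


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, as an integer (hash choice is ours)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def private_x(salt: bytes, master_password: str, ndk: bytes) -> int:
    """Private SRP value x. The NDK is hashed together with the Master Password
    (assumed mixing; the page says only that both are combined), so knowing
    the password alone does not let anyone compute x."""
    inner = hashlib.sha256(master_password.encode("utf-8") + b":" + ndk).digest()
    return H(salt, inner)


def register(master_password: str, ndk: bytes) -> Tuple[bytes, int]:
    """First-device setup: returns (salt, verifier). Only these reach the
    server; the password and NDK never do."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, master_password, ndk), N)


def authenticate(master_password: str, ndk: bytes, salt: bytes,
                 v: int) -> Tuple[bool, Optional[Tuple[int, int, bytes]]]:
    """One SRP-6a handshake between a new device (client) and the server.
    Returns (accepted, transcript) where transcript = (A, B, M1)."""
    # Client -> Server: ephemeral public value A
    a = secrets.randbits(256)
    A = pow(g, a, N)
    # Server -> Client: ephemeral public value B, blinded with k*v
    b = secrets.randbits(256)
    B = (k * v + pow(g, b, N)) % N
    if A % N == 0 or B % N == 0:  # both sides reject degenerate values
        return False, None
    u = H(pad(A), pad(B))  # scrambling parameter binds A and B together
    # Client side: needs password + NDK to recompute x and the session key
    x = private_x(salt, master_password, ndk)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_client = hashlib.sha256(pad(S_client)).digest()
    # Server side: uses only the stored verifier v
    S_server = pow((A * pow(v, u, N)) % N, b, N)
    K_server = hashlib.sha256(pad(S_server)).digest()
    # Client -> Server: proof M1 = H(A, B, K); server checks it against its K
    M1 = hashlib.sha256(pad(A) + pad(B) + K_client).digest()
    if not hmac.compare_digest(M1, hashlib.sha256(pad(A) + pad(B) + K_server).digest()):
        return False, (A, B, M1)
    # Server -> Client: proof M2 = H(A, M1, K); client checks it against its K
    M2 = hashlib.sha256(pad(A) + M1 + K_server).digest()
    accepted = hmac.compare_digest(M2, hashlib.sha256(pad(A) + M1 + K_client).digest())
    return accepted, (A, B, M1)


if __name__ == "__main__":
    ndk = secrets.token_bytes(32)  # constructed NDK for the demo
    salt, v = register("correct horse", ndk)
    print("right password + right NDK:", authenticate("correct horse", ndk, salt, v)[0])
    print("right password + wrong NDK:", authenticate("correct horse", bytes(32), salt, v)[0])
    print("wrong password + right NDK:", authenticate("wrong", ndk, salt, v)[0])
```

Two things worth checking when running it: a login with the right password but the wrong NDK fails at the M1 check, which is the "something you have" property the next paragraphs compare to OTP, and two successful logins produce different (A, B, M1) transcripts, which is why a captured handshake cannot be replayed.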
RememBear does not currently have an explicit 2FA method of authentication, but our authentication protocol has many similarities with common 2FA methods such as One Time Password authentication. Both methods require something the user “knows” (a memorable password), and something the user “has” (a token):
In the standard OTP case, the “has” is a long random OTP secret, usually stored on a mobile device at account creation, from which a fresh code is generated for every authentication attempt. In the case of RememBear it is the NDK, which is used to generate a unique SRP authentication handshake response on every login.
The main difference between RememBear authentication and OTP 2FA is where the “has” token is stored. With standard OTP 2FA it is usually on a separate mobile device, whereas the NDK is stored on every client where RememBear is installed.
| Attack method | New Device Key | 2FA |
|---|---|---|
| Dictionary and brute force attacks on encrypted data on servers | NDK strengthens the encryption password significantly, preventing these attacks. | Not used for encryption, so must rely on the strength of the master password only. |
| Rogue employee with server database access | Master password and NDK are never shared with the server and are never stored there. Attacker would have to rely on dictionary/brute force attacks. | 2FA tokens are stored on servers and do not add protection against attacks on stored data. |
| Master password stolen/leaked | Attacker cannot log in to download vault items without knowing the NDK as well. If the device itself is compromised, the attacker may have access to both the NDK and the master password and be able to log in. | Attacker cannot log in to download vault items without knowing the 2FA token as well. The 2FA token may be stored on a different device from the compromised one, in which case the attacker cannot log in. |
The NDK strengthens password encryption significantly; however, OTP is potentially a more secure method of authentication, and we are working on adding OTP 2FA to RememBear in the future.