“Locknest, I need to connect to a website.”
What Is Locknest?
Locknest is the hardware manager of your digital identity. To be clear, it means that instead of storing your logins and passwords in your browser, your mobile device or in the Cloud, you entrust them to your Locknest. What difference does it make? You narrow your attack surface to this one very robust device.
In the shape of a dongle that fits in the palm of your hand, Locknest is dedicated to the protection of confidential data, which means we guarantee an end-to-end encryption of your critical data, until your password is automatically written in the form field.
And rest assured, Locknest is very easy to use: you just need to open your Chrome browser (or any Chromium-based browser, like Edge or Brave), go on our web application and connect your Locknest via USB or Bluetooth and you’re good to go!
To autocomplete your web forms, you can use the Locknest’s extension for Chrome or our mobile app (Android or iOS): Locknest will be able to fill out the forms with the data you will have previously saved.
How Does It Work, Really?
To access your Locknest’s interface, you can use our web application on the Chrome browser (or any Chromium-based browser, like Edge or Brave), or the Android or iOS mobile app.
Connect your Locknest:
Getting started:
The first time you turn your Locknest on, you can name it, and then you have to choose your master key.
The master key is the unique password you’ll have to remember to access your Locknest. In order to guarantee the confidentiality of your data, we will never have access to it: it is crucial that you never forget it! But don’t worry, it is only composed of 7 digits.
Daily usage:
You can access the web application or the Android or iOS mobile app’s dashboard to add, remove or modify an item.
You can also automatically fill out web forms, thanks to the Locknest's extension for Chrome on a PC and the autofill service on mobile.
Locknest’s components
Secure microcontroller
USB-C port
Bluetooth antenna
Action button
RGBW LED
Lithium polymer battery
Locknest “MVP’s” Features
Windows, macOS and Linux OS with Chromium based browsers (Chrome, Edge, Opera, Brave…) and Android or iOS mobile support.
- Configure Locknest Give it a name, set and modify the master key.
- Add, remove, modify up to 512 items An item is: a title, a URL, a login, a password and a description.
- Fill out forms automatically on a PC with the Locknest extension for Chrome or on an Android or iOS mobile.
- Copy and paste the values of an item Useful for authenticating to software installed on your PC.
- Generate a password with an adjustable level of complexity, multiple lists of characters to use…
- Back up your data by exporting a password-encrypted CSV file, which you can import into a Locknest.
- Import authentication data from a CSV file (for example, exports from Chrome, LastPass, KeePass, etc.)
- Export Locknest’s data in a CSV file (non-secured) so you don’t loose anything, even if you leave us!
After the MVP, the Evolution of Locknest
Prioritizing is not an easy task! But as we wanted to offer a first version before going any further, we already have in mind what happens next. Here is the list of upcoming features, their priority being subject to the feedback and needs from our early adopters:
- Possible data backup on a secure and private French server: by subscribing to our online service, you will be able to make frequent backup of your data. Don’t get us wrong: this is solely a backup, not a hot use of data. To put it simply: Locknest’s operation will not change, it will still be the device that distribute your data, never the backup directly. The level of protection does not change either: we will never have access to your unencrypted data. The difference is that you will be able to create a copy of this local database, which will be encrypted twice, and store it on a secure server to recover it in case of a problem.
- 2FA/MFA support with the implementation of TOTP and HOTP algorithms for the generation of single-use codes (OTP).
- Implementation of the FIDO2 (U2F) standard support to allow passwordless authentication.
- Support for the main browsers not based on Chromium.
- Option de vérification des mots de passe enregistrés : robustesse, fuites, etc.
- Finer management of data import so as not to overwrite the database each time.
- Manual cleaning of the database, search for duplicates.
- Creation of a “guest” access to share your passwords securely.
- Multi-session handling: being able to run two sessions in parallel, on mobile and on PC for example.
- Creation of other Locknest ranges: larger storage space, unique connectivity (Bluetooth or USB), etc.
- Add filters and folders in the application dashboard to sort entries.
- Possibility of saving other types of data: credit cards, identity cards, addresses, etc.
- Add tutorial videos to help the user and refine the onboarding journey.
- Possible deactivation of Bluetooth connectivity
- Creation of a “whitelist” of preferred devices to connect via Bluetooth.
- Add a regular expression search option in the application dashboard search bar.
Our Security Pledges
Why is Locknest a secure device?
The use of these modules offers the best balance between data protection and speed:
A hardware True Random Number Generator module
This hardware accelerated module has been tested using the German BSI statistical tests of AIS-31. It provides full entropy outputs to the application.
It will be used to construct a NIST (SP 800-90) compliant Deterministic Random Bit Generator, acting as a live entropy source.
A hardware Advanced Encryption Standard (AES) accelerator module
This module encrypts and decrypts data using an algorithm and implementation fully compliant with the AES, as defined in the Federal information processing standards (FIPS) publication 197.
Key size can be up to 256 bits.
A hardware PKA accelerator module
This module provides acceleration of RSA, DH and ECC operations.
The Password Journey
To fill a form, the password stored in your Locknest has a secure journey:
The password stored in the microcontroller’s flash is transferred into memory (RAM)
Depending on your connection to Locknest, it will be securely sent via USB or via Bluetooth.
The password arrives in the mobile app.
The password arrives in the web app.
The password is now available in the Chrome plugin.
Android or iOS launches the autofill service.
The password is copied to the web page.
“Thanks Locknest!”
How Can Locknest Be Secured With a Master Key as Small as 7 digits?
To reach our simplicity and security pledges, we studied various attack scenarios with the aim of finding the best protection mechanisms. A 7-digit PIN is our answer, and this is why:
Scenario 1: Brute-force attack
- Given that Locknest is a hardware device that can be fully shutdown, this scenario implies that the attacker has got hold of it (stolen) and has as much time as needed to find the master password.
- Given that the attacker has full access to the device, he will use all communication means available (USB and BLE)
- To set ourselves in the worst scenario, the attacker has also stolen the secondary Locknest, and therefore has twice as many tries.
Our solution:
According to our math, a 7-digit PIN has an overall entropy of 23 bits, which is considered very weak since only 2 ^ (23-1) tries (4,194,304) are needed, on average, to find it. On a normal system, without any time penalty mechanism, this would be instantaneous.
But Locknest applies a time penalty through a ban mechanism from the 3rd PIN error until the correct PIN has been entered. During these 10 minutes ban period, any try will simply be ignored.
The overall time for the attacker to find (on average) the master secret is: (((4,194,304-18) – 18) * 10 / 3 / 2) minutes, or just over 13 years. This should give enough time to the real Locknest owner to realize that it’s Locknest has been stolen and act accordingly.
Scenario 2: Extracted data attack
- The attacker bypassed all the protection against illegal data access.
- The attacker has access to the cyphered data, encrypted with the FIPS-approved AES-256 bits key.
Our solution:
As specified in the NIST SP 800-132, “Recommendation for password-based key derivation” in the case of storage applications, a 7-digit PIN is not safe enough to be used as a deciphering key.
A very strong key derivation algorithm is highly recommended, and this is exactly what we decided to implement.
The attacker now has two options:
• Trying the countless possibilities provided by the key derivation algorithm.
• Brute-forcing the virtually unbreakable AES 256 bits key.
What about the upcoming online storage plan?
Regarding the cold storage plan, that we will launch soon, data will obviously be stored on dedicated, up-to-date, monitored and with restricted access servers.
We anticipate two additional cipherings on top of the initial Locknest ciphering. One for which the deciphering key is only known by the owner, one for which the deciphering key is only known to LockNest Group.
As for the described scenarios, we will select the ciphering algorithms among the recommended ones in order to provide the best security for your data.
A 7-Digit PIN. Not 6 nor 8!
6 -digits
Considering our ban mechanism, it would, on average, take 9 months for an attacker to find the master key. We judged this value to be too low.
8 -digits
An 8-digit PIN has obviously a theoretically better entropy. However, we (humans) would be very much tempted to take an important date, such as a birth date, which would be much too easy for the attacker to guess.
7 -digits
As previously demonstrated, an attacker would, on average, take 13 years to break your 7-digit PIN. This is, according to us, a perfect balance between ease of use and security.
Why Is Locknest More Secure Than Online Password Manager?
First, simply storing your data physically in an independent safe reduces the number of vulnerabilities: reducing the number of links in a chain, however robust, remains the most effective! All the more so if most are really weak…
Second, with an online database, each time a request is made to retrieve your data, it will transit on the Internet. Of course, encryption protects them, but as the saying goes: once is enough.
Rather than being always available on the Internet, with Locknest, your secrets are only sent to the Web if needed. The Locknest app communicates with Locknest via Bluetooh or via USB.
On a smartphone, the autofill feature is handled by the Android or iOS system. And on a computer, it’s only via the Chrome plugin, which uses HTTPS, that your secrets (and only the ones you need) are made available to the Web page.
Our Simplicity Pledge
What makes Locknest easy to use every day?
At Locknest, our goal is not only to create the most secure solution for your authentication information, it is also to make digital security accessible to as many people as possible. We therefore believe that to give you control over your confidential data, we must offer you a solution that will easily fit into your habits.
With the choice of a physical manager, we offer you the best and simplest of all protections: disconnection. You avoid any intrusion attempt by making all your data inaccessible simply by turning off the key.
In addition, we have decided to only give you a 7-digit PIN to remember to access your Locknest. Thanks to a ban system after 3 unsuccessful attempts, Locknest remains extremely secure while avoiding forcing you to remember a long and complex master key.
With Locknest, It’s Easier To…
Fill out forms online
Once you’ll have save in your Locknest a login and a password for a website or an application, this item will be suggested each time you go back to the authentication form.
You will only have to set Locknest as your autofill service once on your Android or iOS mobile and to install the extension on your Chrome browser.
Access your passwords from all your devices
As it is the device that holds all your authentication data, no more synchronizations galore between your mobile and your PC. Surely, you have better things to do!
Protect yourself from digital identity theft
Your passwords are secured inside your device. It is simpler for you: a simple 7-digit PIN to remember instead of an endless list of passwords.
For the attacker, on the other hand, it gets harder: it becomes impossible to steal your data without having access to your device and without knowing your master key!
Your data will now be accessible only through this two-factor authentication.
Avoid compromising multiple accounts at once
Since you only have one 7-digit PIN to remember, you might as well take advantage of the strong password generator!
You can easily have a robust and different password for each of your accounts and thus preventing a chain reaction if one of your password is compromised.
Adopting Locknest means choosing security without complexity!
Why Buy a Locknest if Chrome and Android or iOS Already Remember Passwords for You?
First, for security reasons: there is nothing better than a dedicated solution, which is totally transparent. Nothing obscure with us: your authentication information is stored inside your device, you (and only you!) access it from our web or mobile application.
To automatically fill out forms, you use our Chrome extension or the autofill service on your mobile. There is no synchronization to do between your PC and your mobile, since it is the Locknest key that is at the center of the system. You do not lose any data switching from one device to another and you always know where your information is.
Our device is robust and it is the sole holder of your secrets, so you are better protected than with a multiplicity of solutions where the vulnerability of a single one can expose the whole chain.
How to Avoid Being Helpless in Case of Loss of the Locknest?
Loosing one’s keys happens. That’s why we make duplicates. It’s the same for your Locknest: buying two devices will allow you to very easily export data from your primary Locknest to import them in your secondary one. Or you can just keep this encrypted file as a backup.
In a second step, an online backup subscription will be available. If you are particularly interested in this feature, let us know! Our product development is user-driven, so we always welcome your feedback.
A question?
Check out our FAQ ou Ask us at contact@locknest.fr!