2FA Vivaldi Sync and 2FA Vivaldi Lock

ChimeraLove

(Edit)

1. Please add 2FA to Vivaldi Sync, so a Hardware Key like YubiKey can be used.
   (With a Passwordless option so just the key and it's pin can be used, so it won't be triple factor)

2. Additionally, please consider adding the option to lock Vivaldi altogether with 2FA, especially when working on a shared computer (more examples below).
   In other words, to be able to use hardware key like Yubikey to open Vivaldi "Secure Personal Browser Account".
   (Also the option for a time-out lock)

·

Adding 2FA to Vivaldi entails adding Encryption for Vivaldi User Data Independent from OS's Encryption.

My request is to be able to encrypt all user's data and passwords in Vivaldi.
This encryption would be a second layer to and independent from OS's encryption state.

·

---

At the moment Vivaldi is relying on the OS encryption to encrypt stored passwords.

As been said here:

@DoctorG said in Two Factor Authentication Scheme for Vivaldi.net Account:

Vivaldi encrypts login database with Windows Data Protection's key.

And here:

@mib2berlin said in Few question about security, Vivaldi and hardware key:

The passwords in Vivaldi are encrypted with the Windows user ID, very save, on Windows 11 Pro the whole harddisk is encrypted by default, not sure about Windows 10.

Also the browsing data can be accessed obviously:

@jane-n said in Two Factor Authentication Scheme for Vivaldi.net Account:

anyone with a bit more knowledge about computers can still access your browsing data through the browser's profile files

·

---

Here are 2 example cases:

·

• Case 1:

At my work there are few shared computers.
Some with Win11 and some with Win10 (without login password) which many people are using.

@DoctorG said in Few question about security, Vivaldi and hardware key:

If you have no password for your Windows account, then no encryption of log-in data is used.

I want to use my own browser daily on these computers but that would mean anybody with access to them can access my passwords and data.

In a case like this the encryption of the OS is useless in protecting user's password and data.

If Vivaldi would have it's own encryption, independent from the OS, for all of it's content and require hardware key or password to open the browser and access the data it will make it possible to use it on shared computers.

*At my work there are 2 more coworkers who use Vivaldi customized to them and they would also be happy if they could launch the browser, insert their hardware key / password and their unique customized browser with their own synced stored passwords and data would appear.

*Also the option for a time-out lock.

I think there is potential audience here for Vivaldi.
Companies that have many employees working with shared computers that it's employees use Vivaldi with personal hardware keys as their personal secure browser.

• Case 2:

I travel and work with my laptop and often need to leave it in art performances so people can use it for running various media (Dj performances, art installations, galleries, coffeehouse events, etc...) while I attend to other stuff.

In case this laptop is stolen I don't mind because I have backups but I use Vivaldi on that laptop!.

I don't want to 1. have another laptop with me or 2. sign out from Vivaldi account and delete the saved passwords before leaving the laptop because it is cumbersome and unsafe doing it every time. or 3 have two windows accounts.

( It was suggested to me here to use another windows account: https://forum.vivaldi.net/post/638583
I tried having two Windows's users on that laptop but that proved impractical as I was needing to download media that was sent to my google drive during a performance and was stuck because my account was connected in Vivaldi in the secondary windows user. This is incredibly inconvenient and cumbersome in more situations.)

Thank you for considering this feature request.

DoctorG

@ChimeraLove Interesting idea to have a hardware key protected profiles/access to Vivaldi.

ChimeraLove

@DoctorG Thanks

To continue the pitch :), I think this will also lure the paranoid I mean security conscious users as it will offer a more complete package regarding security.

Catweazle

On Windows there is at least OS encryption, not on many Linux distros. Therefore it is certainly a good idea to ensure independent encryption by Vivaldi.

DoctorG

@ChimeraLove Security and Privacy is not a means of what the WWW call "paranoid people".

But i think a really hardware protected storage of profile by a user key is better than what OSs have.
There might be situations where Vivaldi users need to protect their data immediately in a strong way. And i do not talk about criminal usage.

Catweazle

@DoctorG, it is certainly not necessary to put on a tin foil hat when good protection and security are required, especially in business applications. Today the Internet is a jungle with a thousand eyes watching, both by certain corporations that we already know and others directly with nefarious intentions. This turns browsing, lacking minimal protections into a real risk. A local protection at a particular level is not so critical (at least if you want to hide certain content from your partner or prevent your young son from doing his experiments carelessly), but it can be essential in a company, at times when there is the PC unattended.

DoctorG

@Catweazle said in Second Layer Encryption for Vivaldi's User Data - Independent from OS's Encryption.:

but it can be essential in a company, at times when there is the PC unattended.

Full ack!

ChimeraLove

@Catweazle I totally agree (was joking with the "paranoid").
Security and privacy are important and good practices for everyone in this world. Usually, they are considered more crucial for those who work with sensitive data, finance, cryptocurrency, etc..., but these people probably already maintain a certain level of security.
One could argue that it might be actually the opposite: that good security and privacy practices and education are more vital for less tech-savvy individuals who don't know much about computers and use the browsers for things like personal banking, as these people are most vulnerable and susceptible to scams and hacking.

And when these people are using their browsers at work it becomes a bigger problem.
I Just remembered another example for case 3:
A few years ago, I volunteered in a residential care center for psychiatric patients. In the office, the computer browsers used by staff members remained logged into their accounts constantly. And this office wasn't Fort Knox to say the least...

Catweazle

@ChimeraLove, this is the point, but apart from the measures that can be taken at the computer level, there is also a lack of education in this regard, because the biggest security hole is the user himself and some disastrous notions of the subject. I have seen people paranoidly using only TOR, but doing Google searches and telling their lives to their 1243 friends on Facebook.

nomadic

You could install a standalone version of Vivaldi and put it inside a password protected encrypted folder on the machine. Something like Cryptomator can do this, but it doesn't offer 2FA.

ChimeraLove

@nomadic That's seems like a good solution! especially if I could find one with hardware key support. I will try to find such software and update how it works.

But aside from my personal situation, back to the discussion here about security education

@Catweazle said in Second Layer Encryption for Vivaldi's User Data - Independent from OS's Encryption.:

there is also a lack of education in this regard

Since I wrote this request, I've become more aware of it and am now noticing more situations where this would have been helpful.

I told my friend about it and here is case 4: (which is actually the same case as previous ones)
His mother is a secretary in a local health center.
There are about 6 people who can use the computer, the secretaries have their accounts logged in. One secretary also gave her son the password so he could play while the pc is not used.
The "security" is based on trust and my friend isn't happy that his mother's account's data is synced there and visible.

Regarding education, even though it might seem like a drop in the ocean, I think that if such feature will exist, Vivaldi team can make a video explaining it's use, and also I believe Youtube channel such as All Things Secured, Chris Titus Tech and others will be interested in it, which will help spread the education...

I actually believe that such a feature will eventually become available in all browsers. It just seems to make sense in many situations, especially considering where security is heading in the future - passwordless, hardware keys, easier and yet more secure...

ChimeraLove

Hi again,
Honestly I don't know much about security, but I thought about case 5:

This added independent encryption may be of help against data harvesting apps, malware or malicious apps from accessing user data (also on mobile), especially passwords.

(Some apps have elevated permission to storage such as file managers and even though they go through special vetting process by Google I don't know if I should just trust the process blindly)

On similar logic that some password managers use locally stored encrypted file.

RasheedHolland

According to the forum software, I was mentioned in this topic, but I don't see it?

ChimeraLove

@RasheedHolland @DoctorG I have edited my first post and title after reading your discussion.