Explore encrypting account data when biometric lock is enabled #35
Description
Context
Currently, the biometric lock only prevents UI access to the extension. The account data (addresses, labels, notes, tags) is stored unencrypted in browser local storage, which means:
- Someone with DevTools access can bypass the lock by modifying session storage
- Account data can be read directly from local storage without authentication
Since Orbit is read-only and doesn't store private keys, this is acceptable for privacy against casual observers. However, we could provide stronger protection.
Proposal
When biometric lock is enabled, encrypt the account data and only decrypt it after successful biometric authentication.
Benefits
- Protects account data even if someone has DevTools access
- Provides true data protection, not just UI protection
- Users who enable the lock likely want stronger privacy guarantees
Implementation considerations
- Use WebCrypto API for encryption
- Derive encryption key from WebAuthn credential (or use a separate key)
- Encrypt
local:accountsstorage - Handle migration for existing users with lock enabled
- Performance: decrypt on unlock, keep decrypted data in memory while unlocked
- UX: Clear messaging that re-importing from backup is needed if biometric access is lost
Threat model
This protects against: Someone with physical access to your unlocked computer who opens DevTools
This doesn't protect against: Malicious extensions, sophisticated attackers with system-level access
Open questions
- What should be the encryption key derivation strategy?
- Should we encrypt just accounts, or also connection data?
- How to handle key rotation if user re-registers biometrics?