It's 1.2M for an app that doesn't meaningfully increase security. Let's suppose this thing gets somewhat popular. Now malware will detect the presence of this app, wait until a legitimate request gets initiated, and piggyback off that. You approve the request, the malware logs into your servers/repos, does whatever evil thing it needs to do, lets the original app do its thing, and you're none the wiser.
Very professional code there .... https://github.com/kryptco/kryptonite-android/blob/master/app/src/main/cpp/native-lib.cpp

Cannot wait to trust these guys with my ssh key!

/s
Why on earth would I want my ssh keys on a device that is almost always connected to the internet if security is a major concern? A Yubikey (hardware based key) is by far the best solution.
I've been using Kryptonite a little bit and generally I'd say it's been a pretty pleasant experience. While I personally haven't spent much time weighing the pros and cons from a security perspective (and I'm not a security expert, so in all likelihood I'm not in a position to give a fair evaluation of it), from an overall user experience perspective these guys have done a really solid job.

If I have any gripe it's that, when using it with Git, Visual Studio Code's Git autofetch feature winds up causing Kryptonite to issue a push notification to my phone every couple of minutes after first authorizing for three hours, with no way to granularly suppress notifications. That's really kind of the point of Kryptonite, obviously, but it's possible there's a better solution for this on Kryptonite's end that wouldn't require any contortions from users.
How does this work if you lose or break your phone?
I know several people who use 2FA apps on their phones to log onto services and whose phones broke and they couldn't log on. While there is usually some way to recover your logon I'd argue that for most people and uses the chances of losing/breaking/replacing their phone and having to go through a painful recovery process outweigh the security advantages.
Any Windows support? YubiKey's advantage (as well as the fact that it's designed for key storage, and malware can now just target Android and automatically approve requests itself) is that it works cross-platform; I can use a YubiKey (when I can afford one) with PuTTY - there seems to be no way to do this.
This sounds like a neat idea but I have to agree with gruez that this is a disaster waiting to happen.

I carry my KeePassX DB on my phone and know it is slightly safer than typical cloud providers because it isn't actively being targeted.

That said, I would try this out.