Question about QR Code log in; Improved security measures for Day One in general
-
Hello,
Congratulations to the new QR code login method for Day One Web as this makes the use of Day One Web much simpler. For privacy reasons, I log out every time after using Day One Web, so this is a really important feature.
Can you please specify the techniques ensuring that the private encryption key is never sent to the servers? How does this work?
For an app that focuses on privacy and that keeps so important information as private thoughts and feelings, I wished that with the QR Code login, 2-Factor Authentication would have been supported.
Some other features that are in my eyes indispensable for such an app with this information:
- Possibility to change the encryption key without creating a new account
- Auto-log-off feature for the Web app
- E-Mail information when you log in to Day One to get informed about every successful login to identify abuse
- Possibility to see all connected devices with possibility to log off
Do you have any plans to support this? That would give me much more trust and a better feeling to put my thoughts into Day One.
Thanks and best,
Elysee
-
Hi @cryptycus
Regarding the encryption key, the web client creates a key and that is encoded on the QR Code. The mobile device reads that and uses it to encrypt the Day One Master Key. Then the encrypted master key is sent to the server and the web client gets it from the server. Since the web client created the encryption key, it can decrypt it.
The server has no way to decrypt it, so even though it goes through the server, they don’t really see the key. There’s some more information about end-to-end encryption on our site here:
End-to-End Encryption FAQ
I see you added the feature requests to our Feature Requests forum, so I’ll address those there instead.
-