> every employee at the company is issued a FIDO2-compliant security key from a vendor like YubiKey. Since the hard keys are tied to users and implement origin binding, even a sophisticated, real-time phishing operation like this cannot gather the information necessary to log in to any of our systems.
This is why WebAuthn needs to become way more popular.
Which is why it's so unbelievably stupid that the power to make unphishable systems is being arbitrarily tied to hardware keys and secure enclaves when it could just be an app on your system, deployed for free instantly across a whole fleet of machines, that manages keys behind the password-protected, full-disk-encrypted systems they already have. "Oh but then someone who compromises the user loc... sssh the phishing protection alone is worth it."
I know I'm talking about software authenticators, but the whole "movement", if you wanna call it that, seems to be openly hostile to them to the point of implementing DRM via attestation because there's money to be made in selling new disposable plastic things.
It's not, though. First of all, Windows, Android, macOS and iOS all support being used as platform authenticators. No need to use an external hardware key to get the benefit. This is what most people should use (really most people should use passkeys tied to your phone once those become widely available).
I don't really understand your complaint that those implementations are tied to secure enclaves and TPMs. Every laptop issued by your company already has one of these in them. Why not use them?
I get that there's a fear that TPMs somehow enable DRM. Given that TPMs have been around for 20 years and haven't been used for DRM applications I think that's a bit overblown. But even if you do believe that, I don't see how you can conclude that using webauthn with a key protected by your TPM somehow enables DRM.
If you are really morally opposed to using a FIDO device that stores keys in protected hardware, go ahead and run a soft FIDO token! I wrote a software authenticator for linux that uses the TPM[1], but it also has a mode where it just uses keys stored in memory. There are other good software FIDO implementations[2]. These authenticators work on basically* every site that supports webauthn. Use them, they are still going to be much better than using SMS or TOTP factors.
*It used to not work on vanguard.com but that changed when they upgraded from the old u2f APIs to the webauthn API. It also doesn't work for one enterprise site I use for my job, which checks attestation certs to ensure the key is one that was issued by the company and is FIPS compliant.
[1]: https://github.com/psanford/tpm-fido
[2]: https://github.com/danstiner/rust-u2f
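The claims in this thread that a real-time phishing proxy cannot harvest a usable login, and that a software authenticator gets the same origin binding as a hardware key, both come down to two checks: the browser scopes the credential lookup to the page's RP ID, and the relying party verifies that the signed clientDataJSON names its own origin. The following Go program is an added example written for this page; it is not code from the thread, from tpm-fido or from rust-u2f. The toy in-memory authenticator, the `example.com` relying party, the `example.com.evil.test` phishing host and the fixed challenge strings are all constructed for illustration. It models the three cases a practitioner cares about: a normal login, a proxy on a lookalike domain relaying the real challenge, and a client that somehow bypassed the browser's RP ID scoping but still cannot hide the true origin from the signature.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// clientData is the subset of CollectedClientData the browser serializes into
// clientDataJSON. The authenticator's signature covers its hash, so the origin
// the user was actually on is bound into every assertion.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	Signature      []byte // ASN.1 ECDSA P-256 over AuthData || SHA-256(ClientDataJSON)
}

// softAuth is a constructed in-memory software authenticator: one P-256 key
// per RP ID, which is how FIDO credentials are scoped.
type softAuth struct {
	keys  map[string]*ecdsa.PrivateKey
	count uint32
}

func newSoftAuth() *softAuth { return &softAuth{keys: map[string]*ecdsa.PrivateKey{}} }

// register mints a credential bound to rpID and returns its public key.
func (a *softAuth) register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// getAssertion signs authData || SHA-256(clientDataJSON) with the key scoped
// to rpID. A phishing host has no key here, so it gets no assertion at all.
func (a *softAuth) getAssertion(rpID string, cdJSON []byte) (assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return assertion{}, fmt.Errorf("no credential for RP ID %q", rpID)
	}
	a.count++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := make([]byte, 37)
	copy(authData, rpHash[:])
	authData[32] = 0x01 // UP flag: user present
	binary.BigEndian.PutUint32(authData[33:], a.count)
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return assertion{ClientDataJSON: cdJSON, AuthData: authData, Signature: sig}, err
}

// browserLogin models the browser on a page at pageOrigin: it derives the
// RP ID from the origin's host and records the origin in clientDataJSON.
func browserLogin(a *softAuth, pageOrigin, challenge string) (assertion, error) {
	u, err := url.Parse(pageOrigin)
	if err != nil {
		return assertion{}, err
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	return a.getAssertion(u.Hostname(), cd)
}

// verifyAssertion is the relying-party side: type, challenge, origin, rpIdHash,
// user-presence flag, and finally the signature that ties them all together.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, expectedOrigin, challenge string, as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("wrong clientData type")
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch")
	case cd.Origin != expectedOrigin:
		return fmt.Errorf("origin mismatch: assertion was made on %q", cd.Origin)
	case len(as.AuthData) < 37:
		return errors.New("authData too short")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if as.AuthData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

const rpID, rpOrigin, phishOrigin = "example.com", "https://example.com", "https://example.com.evil.test"

// legitimateLogin: the user is on the real site.
func legitimateLogin(a *softAuth, pub *ecdsa.PublicKey) error {
	as, err := browserLogin(a, rpOrigin, "challenge-1")
	if err != nil {
		return err
	}
	return verifyAssertion(pub, rpID, rpOrigin, "challenge-1", as)
}

// phishedLogin: a real-time proxy on a lookalike domain relays the RP's real
// challenge, but the browser scopes the request to the phishing host.
func phishedLogin(a *softAuth) error {
	_, err := browserLogin(a, phishOrigin, "challenge-2")
	return err
}

// forgedRPIDLogin: suppose a compromised client skipped the browser's scoping
// and asked for the real RP ID while on the phishing page. The signed
// clientDataJSON still says where the user was, so the RP rejects it.
func forgedRPIDLogin(a *softAuth, pub *ecdsa.PublicKey) error {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: "challenge-3", Origin: phishOrigin})
	as, err := a.getAssertion(rpID, cd)
	if err != nil {
		return err
	}
	return verifyAssertion(pub, rpID, rpOrigin, "challenge-3", as)
}

func main() {
	a := newSoftAuth()
	pub, _ := a.register(rpID)
	fmt.Println("legitimate login:", legitimateLogin(a, pub))
	fmt.Println("phishing proxy:", phishedLogin(a))
	fmt.Println("forged RP ID:", forgedRPIDLogin(a, pub))
}
```

Nothing in this flow depends on where the private key lives; a TPM-backed or in-memory key produces the same assertion shape, which is the point made above about software tokens. The one thing a relying party must not skip is the `cd.Origin` comparison: the rpIdHash check alone would pass the forged case, because the RP ID is correct there and only the origin reveals the phishing page.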