What does HackerNews think of tpm-fido?
A WebAuthn/U2F token protected by a TPM (Go/Linux)
https://github.com/bulwarkid/virtual-fido/
https://github.com/keepassxreboot/keepassxc/pull/8825
https://github.com/psanford/tpm-fido
https://git.kernel.org/pub/scm/linux/kernel/git/jejb/fido2-c...
I think there was also an implementation for macOS based on the T1/T2 chip, but since I've never had such a Mac, I've never looked properly into that. But that probably means that you could roll your own.
A quick google search yields this for Linux with a TPM: https://github.com/psanford/tpm-fido
FIDO2 should be used more, hopefully more sites end up supporting it sooner rather than later.
FIDO2: https://en.wikipedia.org/wiki/FIDO2_Project
Arch/WebAuthN: https://wiki.archlinux.org/title/WebAuthn
U2F/FIDO2: https://wiki.archlinux.org/title/Universal_2nd_Factor
TPM: https://wiki.archlinux.org/title/Trusted_Platform_Module#Oth...
Seahorse: https://en.wikipedia.org/wiki/Seahorse_(software)
GNOME Keyring: https://en.wikipedia.org/wiki/GNOME_Keyring
tpmfido: https://github.com/psanford/tpm-fido
"PEP 543 – A Unified TLS API for Python" (withdrawn*) https://peps.python.org/pep-0543/#interfaces
> Specifying which trust database should be used to validate certificates presented by a remote peer.
certifi-system-store https://github.com/tiran/certifi-system-store/blob/main/src/...
truststore/_openssl.py: https://github.com/sethmlarson/truststore/blob/main/src/trus...
"Help us test system trust stores in Python" (2022) https://sethmlarson.dev/blog/help-test-system-trust-stores-i... :
python -m pip install \
--use-feature=truststore Flask
The question is often asked: isn't this less secure than a physical key or Touch ID? The answer is yes, but only marginally. If you have no other access to a FIDO authenticator, using a soft authenticator will still be much better than using SMS, TOTP, or push. Phishing is the most likely way 2FA will fail you, and this is still phishing resistant.
But passkeys are real and you can essentially use them today! The Android/Chrome integration is already quite good. The Chrome/iOS interaction works but is less smooth right now. That's going to get worked out quite quickly so if you have the option to use passkeys you should!
It's not, though. First of all, Windows, Android, macOS and iOS all support being used as platform authenticators. No need to use an external hardware key to get the benefit. This is what most people should use (really most people should use passkeys tied to your phone once those become widely available).
I don't really understand your complaint that those implementations are tied to secure enclaves and TPMs. Every laptop issued by your company already has one of these in them. Why not use them?
I get that there's a fear that TPMs somehow enable DRM. Given that TPMs have been around for 20 years and haven't been used for DRM applications, I think that's a bit overblown. But even if you do believe that, I don't see how you can conclude that using WebAuthn with a key protected by your TPM somehow enables DRM.
If you are really morally opposed to using a FIDO device that stores keys in protected hardware, go ahead and run a soft FIDO token! I wrote a software authenticator for Linux that uses the TPM[1], but it also has a mode where it just uses keys stored in memory. There are other good software FIDO implementations[2]. These authenticators work on basically* every site that supports WebAuthn. Use them, they are still going to be much better than using SMS or TOTP factors.
*It used to not work on vanguard.com, but that changed when they upgraded from the old U2F APIs to the WebAuthn API. It also doesn't work for one enterprise site I use for my job, which checks attestation certs to ensure the key is one that was issued by the company and is FIPS compliant.
[1]: https://github.com/psanford/tpm-fido
[2]: https://github.com/danstiner/rust-u2f
I wrote a FIDO implementation that protects the signing key using the system's TPM, specifically for Linux: https://github.com/psanford/tpm-fido
There is no reason why you couldn't implement a similar syncing strategy in a tool like this if you wanted to.
You could also use the system TPM (https://github.com/psanford/tpm-fido).
A brief search didn't yield any FIDO2 software-only solutions for Linux, but I see no reason why in principle you couldn't implement it (perhaps interfacing https://github.com/google/OpenSK through hidg - similar projects do exist for U2F).