What does HackerNews think of tpm-fido?

There was a kinda-free option (as in you had to have an iPhone, but the app itself was free). Krypt.co had this based on the iphone's secure enclave. It was bought by Akamai, and it's not clear what state it's in.

https://krypt.co/

I think there was also an implementation for mac os based on the t1/t2 chip, but since I've never had such a mac, I've never looked properly into that. But that probably means that you could roll your own.

A quick google search yields this for Linux with a TPM: https://github.com/psanford/tpm-fido

Fido keys work just fine on linux. There's already a fido authenticator that protects your keys using the system's TPM[0].

[0]: https://github.com/psanford/tpm-fido

No you do not need to use anything proprietary to use WebAuthn. There are open source software[0] and hardware keys[1].

[0]: https://github.com/psanford/tpm-fido

[1]: https://solokeys.com/

It does, but there's actually a way to do this (ie. u2f without having to buy another device) in a safe way, by using the TPM available on most computers: https://github.com/psanford/tpm-fido

If you have a Linux PC with a TPM, you can use https://github.com/psanford/tpm-fido to create and "plug in" a virtual USB WebAuthn key whose secret is irretrievably stored in the machine's TPM. This effectively asserts that your specific machine is being used to enter a given site. However, it's important to remember it doesn't necessarily verify that *you're* present, or even if *anyone* is present at all, since the presence check is done via a software dialog and can be pwned along with the rest of the system.

> the power to make unphishable systems is being arbitrarily tied to hardware keys and secure enclaves

Its not though. First of all, windows, android, macos and ios all support being used as platform authenticators. No need to use an external hardware key to get the benefit. This is what most people should use (really most people should use passkeys tied to your phone once those become widely available).

I don't really understand your complaint that those implementations are tied to secure enclaves and TPMs. Every laptop issued by your company already has one of these in them. Why not use them?

I get that there's a fear that TPMs somehow enable DRM. Given that TPMs have been around for 20 years and haven't been used for DRM applications I think thats a bit overblown. But even if you do believe that, I don't see how you can conclude that using webauthn with a key protected by your TPM somehow enables DRM.

If you are really morally opposed to using a FIDO device that stores keys in protected hardware, go ahead and run a soft FIDO token! I wrote a software authenticator for linux that uses the TPM[1], but it also has a mode where it just uses keys stored in memory. There are other good software FIDO implementations[2]. These authenticators work on basically* every site that supports webauthn. Use them, they are still going to be much better than using SMS or TOTP factors.

*It used to not work on vanguard.com but that changed when they upgraded from the old u2f APIs to the webauthn API. It also doesn't work for one enterprise site I use for my job, which checks attestation certs to ensure the key is one that was issued by the company and is FIPS compliant.

[1]: https://github.com/psanford/tpm-fido [2]: https://github.com/danstiner/rust-u2f

FIDO usb devices just use the HID protocol so they work fine on linux. Chrome and Firefox both support them.

I wrote a FIDO implementation that protects the signing key using the system's TPM specifically for linux: https://github.com/psanford/tpm-fido

There is no reason why you couldn't implement a similar syncing strategy in a tool like this if you wanted to.

There is a huge number of other vendors supporting Webauthn apart from Yubikey. (From the top of my head Nitrokey, Solo, Tomu, Mooltipass, Ledger, Trezor, Google Titan, OnlyKey, Token2).

You could also use the system TPM (https://github.com/psanford/tpm-fido).

A brief search didn't yield any FIDO2 software-only solutions for Linux, but I see no reason why in principle you couldn't implement it (perhaps interfacing https://github.com/google/OpenSK through hidg - similar projects do exist for U2F).

I made a FIDO token (a platform authenticator) implementation that uses the TPM to protect your private keys on Linux: https://github.com/psanford/tpm-fido