| | tpm-fido | SoftU2F |
|---|---|---|
| Mentions | 8 | 3 |
| Stars | 274 | 2,144 |
| Growth | - | - |
| Activity | 2.4 | 0.6 |
| Last Commit | 10 months ago | over 3 years ago |
| Language | Go | Swift |
| License | MIT License | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
tpm-fido
- Tailscale doesn't want your password
- On-device WebAuthn and what makes it hard to do well
- Passkeys in Chrome
- WebAuthN and Fido for Linux
I also found this: https://github.com/psanford/tpm-fido
FIDO2 should be used more; hopefully more sites end up supporting it sooner rather than later.
- Bringing Modern Authentication APIs (FIDO2 WebAuthn, Passkeys) to Linux Desktop
- Uber Investigating Breach of Its Computer Systems
If you have a Linux PC with a TPM, you can use https://github.com/psanford/tpm-fido to create and "plug in" a virtual USB WebAuthn key whose secret is irretrievably stored in the machine's TPM. This effectively asserts that your specific machine is being used to enter a given site. However, it's important to remember it doesn't necessarily verify that *you're* present, or even if *anyone* is present at all, since the presence check is done via a software dialog and can be pwned along with the rest of the system.
- WebAuthn, and Only WebAuthn
There are a huge number of other vendors supporting Webauthn apart from Yubikey. (From the top of my head Nitrokey, Solo, Tomu, Mooltipass, Ledger, Trezor, Google Titan, OnlyKey, Token2).
You could also use the system TPM (https://github.com/psanford/tpm-fido).
A brief search didn't yield any FIDO2 software-only solutions for Linux, but I see no reason why in principle you couldn't implement it (perhaps interfacing https://github.com/google/OpenSK through hidg - similar projects do exist for U2F).
- How to bypass Sprint/T-Mobile 2FA in under 5 minutes
I made a FIDO token (a platform authenticator) implementation that uses the TPM to protect your private keys on Linux: https://github.com/psanford/tpm-fido
SoftU2F
- On-device WebAuthn and what makes it hard to do well
It's been a few years, but the main references I remember using:
1. Windows: https://github.com/frankmorgner/vsmartcard/tree/master/virtu..., which is a fix-up of the older https://www.codeproject.com/Articles/134010/An-UMDF-Driver-f..., and https://github.com/Watfaq/SoftU2F-Win/tree/master/SoftU2FDri.... Note that neither of these actually implement CTAP2.
2. Linux: There's plenty to refer to on HID gadgets, but https://blog.hansenpartnership.com/webauthn-in-linux-with-a-... and the code at https://git.kernel.org/pub/scm/linux/kernel/git/jejb/fido2-c... were my entrypoint.
3. Mac: I ended up not implementing a Mac version, but GitHub themselves used to support a CTAP1/U2F software authenticator, now archived at https://github.com/github/SoftU2F. I was going to work from that.
For the service I looked at different software "devices" interfacing with these kinds of drivers (or just the browser directly in Firefox's case).
1. Generic NIST SP 800-73 PIV: https://github.com/CCob/PIVert. Very limited scope, pentest tool with no extraneous features. It uses the BixVReader driver.
- FIDO Alliance
Most open source tools I've seen that implement FIDO use a shared Attestation cert[0].
[0]: https://github.com/github/SoftU2F/blob/master/SelfSignedCert...
- Why Cloudflare’s CAPTCHA replacement with FIDO2/WebAuthn is a bad idea
What are some alternatives?
virtual-fido - A Virtual FIDO2 USB Device
webauthn - Web Authentication: An API for accessing Public Key Credentials
OpenSK - OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.
keepassxc - KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
BlueRSA - RSA public/private key encryption, private key signing and public key verification in Swift using the Swift Package Manager. Works on iOS, macOS, and Linux (work in progress).
certifi-system-store - certifi-system-store, a certifi hack to use system trust store on Linux and FreeBSD
SwiftShield - 🔒 Swift Obfuscator that protects iOS apps against reverse engineering attacks.
SoftU2F-Win - Software U2F authenticator for Windows
softfido - A software FIDO2/U2F authenticator
truststore - Verify certificates using OS trust stores
PIVert