On Thu, 2019-04-04 at 12:24 +0000, Fuchs, Andreas wrote:
Just to prevent any misinterpretation, this is not about using the
TPM to do OTP on behalf of the user, but for the TPM to do OTP
to authenticate against the user. At least that was the intention
of mjg, and I merely reimplemented it.
Right. It's authenticating whatever the PCRs authenticate, to something
outside the laptop.
Yes, that lets "the user" know that their laptop hasn't been subverted,
by checking against an app on their phone. That's neat.
It also works perfectly for VPN services, by letting the VPN server
know that the laptop hasn't been subverted.
I guess you could use it for this, but I'd rather try a different
Do you know if there already exist any OTP or Yubikey APIs that
we could hook into with a new library, so we are available on all
OTP-supporting applications?
There's liboath, which I mentioned:
It only supports software keys at the moment though. It doesn't even
support the Yubikey OTP applet. Perhaps it should learn, and TPM too.
The PSKC file format for storing OTP keys could also be extended to be
able to specify TPM-based keys.
There's also libstoken but that's really designed for RSA SecurID
stuff, not proper HOTP/TOTP. Maybe there should be something that
includes them all? Applications shouldn't have to get involved in
details and support everything separately through different libraries.
In the short term, once tpm2-totp has a pkg-config file I'll probably
just support it directly in OpenConnect like I did Yubikey and the