Ask HN: How to emulate 2FA hardware in software?
8 comments
Safari can generate 2FA codes natively as part of keychain since 2021 - probably the most accessible way to do this for a non technical user. https://9to5mac.com/2021/11/16/use-safari-password-manager-a... Has more details.
Krypton (https://krypt.co), now owned by Akamai (https://akamai.com/mfa) who removed one of the best features, IMO (SSH key on a phone...) does this to an extent... Akamai says it's FIDO2... have not used it in a while... It is free though until Akamai decides not to give it away...
At solokeys we built an open source fido2 implementation, actually two: one in C and a newer one in Rust.
To emulate a security key you could write a kernel module that exposes a usb device (assuming you want to use the key with an unmodified driver) and somehow plug in the code that implements fido2.
We thought about it for a while and our idea was to build a generic usb to udp device driver. And then have a fido2 udp service in user space (the same we use to run tests). I still think it’s a good idea, however the devil might be in the details… and of course you’d need to build+maintain a driver for each platform (linux, macosx, windows…). The latter is actually the main reason why we never built it i. the first place.
Needless to say, this completely defeats the security of having your keys stored in a separate/more trusted device.
To emulate a security key you could write a kernel module that exposes a usb device (assuming you want to use the key with an unmodified driver) and somehow plug in the code that implements fido2.
We thought about it for a while and our idea was to build a generic usb to udp device driver. And then have a fido2 udp service in user space (the same we use to run tests). I still think it’s a good idea, however the devil might be in the details… and of course you’d need to build+maintain a driver for each platform (linux, macosx, windows…). The latter is actually the main reason why we never built it i. the first place.
Needless to say, this completely defeats the security of having your keys stored in a separate/more trusted device.
For plain 2FA with TOTP I use oathtool in the CLI of a different device, so that I still have two factors.
[deleted]
You can just use TOTP for 2AF. Those can be stored and generated by almost anything these days. For example Keepassxc, Bitwarden, Authenticator apps, most saas password storage services, yubikeys, etc.
Here is one implementation: https://github.com/danstiner/rust-u2f
A solution to this would be to emulate the 2FA hardware in software running on the same machine as you're using to log in - so it is not 2FA anymore but 1FA.
It would be at the cost of security, but at the benefit of allowing users to keep doing as they've been with regular passwords.
So what software solutions exist for emulating things like FIDO, WebAuthN, YubiKeys, etc.?