by Freak_NL 2612 days ago
WebAuthn can use the TPM chip in smartphones. It works the same as a discrete hardware WebAuthn token: the key material is generated on the chip, and never leaves it. The smartphone OS can't access the key on the TPM either, only use it cryptographically to prove possession of the key.

You can test it right now with any recent Android smartphone with TPM chip:

https://webauthn.io/

Apple will eventually join the club too once they stop dragging their feet.

Of course with the TPM you effectively have a hardware token permanently physically linked to your smartphone, so it changes the security analysis a bit.

For users this means that WebAuthn for accessing websites on a TPM-capable smartphone is really just a matter of unlocking the device when prompted. Quite user friendly.