by baybal2 1861 days ago
Smartcards cost less than a dollar, and are omnipresent.

I think you can already integrate PCSC with openssh.

A good thing about smartcards is that ones compatible with CSP are driverless, and PnP in Windows. This means they can enjoy at least some semblance of keylogger protection for key password/pin with WinCAPI.


Got any links about how to use a smartcard?
If you're interested in contactless cards with an option in the future to upgrade to something like Omni ring (https://store.nfcring.com/products/omni) or to use them with your phone, then do this:

1) Buy a contactless card reader from a good source e.g. https://www.javacardsdk.com/product/acr1252u or last two from this table https://webshop.d-logic.net/nfc-rfid-device-comparison, don't buy NFC ones, you need smartcard support specifically.

Also steer clear of cheap ACR122U readers from eBay or Ali; for some reason there are a lot of fakes: https://www.acs.com.hk/en/press-release/2266/advanced-card-s...

2) Buy a few contactless javacards e.g. https://www.javacardsdk.com/product/j3h145/, don't buy EMV ones unless you're Europay, Mastercard or VISA.

3) Once you get them, install opensc, pcsc-lite, ccid and get gp.jar from https://javacard.pro/globalplatform/ and read some pages from https://github.com/philipWendland/IsoApplet/wiki; it will get you started.

Step 1 is to buy a reader, any reader which is ISO 7816 compliant is fine.

Next, buy a smart card. The most famous brand I can think of right now is Gemalto, but there are lots of options. You can buy them in quantities of 1 extremely cheaply from AliExpress, but I'm not sure of the quality.

Smartcards are just little computers which run Java Applets (GlobalCard), and they come either blank or with software already loaded on them.

If they are blank you have to load software onto them. One open source option is CoolKey.

In either case you will need software on your computer to talk to the software on the card to ask it to do things, like sign an arbitrary piece of data. This software is called middleware (the stack looks like Application -> Middleware -> PC/SC subsystem -> smartcard reader driver (usually CCID compliant) -> smartcard software, so why it's called middleware I don't know).

For Windows, I only know for sure that PIV (US Government, NIST SP 800-73) card applets are supported, but there is a whole "minidriver" thing. I suspect you'll have to read the applet (or card, if preloaded) documentation to know for sure. macOS used to have a cryptographic layer called tokend, but it's deprecated and replaced with something else. For other things, PKCS#11 is the standard mechanism for talking to the card's application.

Feel free to reach out with further questions.
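The layering described above (application, middleware, PC/SC, reader driver, card software) is easiest to see at the APDU level, which is the wire format middleware and applet actually exchange. The block below is an added example written for this page, not code from the thread or from OpenSC, IsoApplet or any other project mentioned here: it encodes ISO 7816-4 command APDUs, decodes the status word of a response, and runs the SELECT-then-VERIFY exchange a PIV middleware performs before it can ask the card to sign anything. The PIV application AID is the value from NIST SP 800-73; the `ToyCard` class is a constructed stand-in for the applet side, and its PIN handling (no 0xFF padding, three tries, a `63Cx` retry counter) is an assumption made for illustration rather than a real card's behaviour.

```python
"""ISO 7816-4 APDU framing between middleware and a card applet.

Added illustration; the card below is a constructed toy applet, not a PIV
implementation, and the PIN/retry behaviour is an assumption for the example.
"""
from typing import Optional, Tuple

# PIV card application AID (NIST SP 800-73), 11 bytes.
PIV_AID = bytes.fromhex("A000000308000010000100")

# A few ISO 7816-4 status words the middleware has to interpret.
SW_OK = 0x9000
SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982
SW_PIN_BLOCKED = 0x6983
SW_FILE_NOT_FOUND = 0x6A82
SW_INS_NOT_SUPPORTED = 0x6D00


def build_apdu(cla: int, ins: int, p1: int, p2: int,
               data: bytes = b"", le: Optional[int] = None) -> bytes:
    """Encode a short-form command APDU: CLA INS P1 P2 [Lc data] [Le]."""
    if len(data) > 255:
        raise ValueError("a short APDU carries at most 255 data bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        apdu += bytes([le & 0xFF])      # an Le byte of 0x00 means "up to 256 bytes"
    return apdu


def split_response(resp: bytes) -> Tuple[bytes, int]:
    """Split a response APDU into (data, SW1SW2); the last two bytes are the status."""
    if len(resp) < 2:
        raise ValueError("a response APDU must end with SW1 SW2")
    return resp[:-2], (resp[-2] << 8) | resp[-1]


def sw_bytes(sw: int) -> bytes:
    """Encode a 16-bit status word as the trailing SW1 SW2 bytes."""
    return bytes([sw >> 8, sw & 0xFF])


def describe_sw(sw: int) -> str:
    """Human-readable meaning of a status word, including the 63Cx retry counter."""
    if sw == SW_OK:
        return "OK"
    if (sw & 0xFFF0) == 0x63C0:
        return f"wrong PIN, {sw & 0x0F} tries left"
    names = {
        SW_SECURITY_STATUS_NOT_SATISFIED: "security status not satisfied",
        SW_PIN_BLOCKED: "PIN blocked",
        SW_FILE_NOT_FOUND: "application not found",
        SW_INS_NOT_SUPPORTED: "instruction not supported",
    }
    return names.get(sw, f"unknown status {sw:04X}")


class ToyCard:
    """Constructed stand-in for the applet side; implements SELECT and VERIFY only."""

    def __init__(self, pin: bytes = b"123456", max_tries: int = 3):
        self._pin = pin
        self._max_tries = max_tries
        self._tries_left = max_tries
        self.selected = False
        self.verified = False

    def transmit(self, apdu: bytes) -> bytes:
        _cla, ins, p1, _p2 = apdu[:4]
        lc = apdu[4] if len(apdu) > 4 else 0
        data = apdu[5:5 + lc]
        if ins == 0xA4 and p1 == 0x04:          # SELECT by AID
            self.selected = data == PIV_AID
            return sw_bytes(SW_OK if self.selected else SW_FILE_NOT_FOUND)
        if ins == 0x20:                          # VERIFY
            if not self.selected:
                return sw_bytes(SW_SECURITY_STATUS_NOT_SATISFIED)
            if self._tries_left == 0:
                return sw_bytes(SW_PIN_BLOCKED)  # counter exhausted: card refuses the PIN
            if data == self._pin:
                self._tries_left = self._max_tries
                self.verified = True
                return sw_bytes(SW_OK)
            self._tries_left -= 1
            return sw_bytes(0x63C0 | self._tries_left)
        return sw_bytes(SW_INS_NOT_SUPPORTED)


def middleware_login(card: ToyCard, pin: bytes) -> str:
    """What the middleware does before a signing request: SELECT the applet, then VERIFY."""
    _, sw = split_response(card.transmit(build_apdu(0x00, 0xA4, 0x04, 0x00, PIV_AID)))
    if sw != SW_OK:
        return describe_sw(sw)
    # Real PIV pads the PIN to 8 bytes with 0xFF and uses P2=0x80; the toy card skips padding.
    _, sw = split_response(card.transmit(build_apdu(0x00, 0x20, 0x00, 0x80, pin)))
    return describe_sw(sw)


if __name__ == "__main__":
    card = ToyCard()
    print("SELECT APDU:", build_apdu(0x00, 0xA4, 0x04, 0x00, PIV_AID).hex())
    for attempt in (b"000000", b"123456"):
        print(attempt.decode(), "->", middleware_login(card, attempt))
```

The retry counter in the `63Cx` status word is why the card, not the host, is the thing that limits PIN guessing: once it reaches zero the applet answers `6983` to every VERIFY until an unblock procedure is run, which is the property that makes a keylogged PIN much less useful without the physical card.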

Excellent write-up on the how-to. A note from me: Windows has also supported GIDS smartcards for a while now, which means that the Google Titan key (Feitian ePass FIDO-NFC) will also work now (both as a smartcard and as a FIDO key).
https://www.rcdevs.com/docs/howtos/epass/epass/

This is a how-to for a USB key; a smartcard will be basically the same, except you will program the card first as the seller instructs you, or just enter the PIN if it is already initialised.

A lot of smartcards won’t support FIDO2 though, which is what the web is using going forward.
It will support whatever you install on it; there are some U2F applets and some stalled work on FIDO ones, last I checked. All the necessary tech is there; the issue is with browser support. Google has this https://chrome.google.com/webstore/detail/smart-card-connect..., but it's Chrome OS only.
It's fairer to say it's going sideways, not forward, with them.

FIDO is not a replacement for smartcards, nor a complement to smartcards. FIDO is a "just better than passwords" level of authentication.

The gold standard for HTTPS security, two-sided mutual auth with public keys at the TLS level for example, is only there with smartcards.

Doing mutual auth is great security but it has a horrible privacy story. Advertisers would, I'm sure, love knowing that this visitor to PornHub's custard pie fight section is the exact same person who bought the book "In Praise of the Klan" on Amazon and the one who bought take-out from a Chinese in Denver last Thursday. The clever thing about say WebAuthn is that you get an excellent privacy story to go with your security. Even if PornHub, Amazon and that Chinese place all conspire against you, with the advertisers, they don't end up learning if you're the same person even though you used the same Security Key all over the place.
Please. We prefer it be called the Hoboken squat cobbler.