by marcosdumay 1021 days ago
On the one usage scenario that benefits a PC user, the TPM makes for a really bad yubikey. You can't carry it between computers, you can't back it up, and you are certain to lose it at some point when the computer breaks or gets outdated.

That means it either requires a second protocol for authentication, or that you will lose your accounts with all kinds of services all the time.

3 comments

The TPM covers cases where you want to authenticate the machine, not the user (who'd have a Yubikey they'd carry with them between machines).

There are plenty of valid use-cases where you'd want the machine to authenticate itself to services (VPN to enterprise network?) before anyone logs in (or ever logs in, as in the case of servers that operate unattended).

> There are plenty of valid use-cases where you'd want the machine to authenticate itself to services (VPN to enterprise network?)

This one is huge: always-on VPNs mean enterprise security mandates don’t delay patching or other remote management tasks just because someone is on vacation or sick, and that stuff can happen at 3am on Sunday rather than when they start work. No more “please leave your computer on overnight” messages.

Depends on the implementation? For many services, I register my Yubikey, but also the Android fingerprint authentication (as well as TOTP as another fallback).

So for example, if I login to Gitlab on my phone, I can use my fingerprint (lockscreen auth). It's more convenient than using the TOTP app.

Similarly, I could register a TPM from my desktop that could be the same as using the fingerprint auth? It would only work from that desktop, but it's the same logic as my phone, and in a sense, that's a nice benefit.

Every fallback method adds risk. Realistically though, I don't think any of it really matters. By far the weakest link everywhere is SMS/Email based account recovery and it's almost impossible to avoid those.

Sometimes I think the average person would be better off with a highly secured email account and magic links for everything else. Even for me, I have YubiKeys, TPMs, etc. configured for everything, but if I forget to lock my laptop and someone walks off with it, they have access to my email, which is basically my entire digital life due to account recovery via email.

> the TPM makes for a really bad yubikey. You can't … you can't back it up

Technically speaking, the exact same restrictions apply to a Yubikey.

That’s what makes it secure.