machine-local, convenient 2FA - tpm2 + fido


Two-Factor Authentication using your machine’s tpm module

Two-Factor Authentication, also called 2FA, multi-factor authentication or MFA, is a great way to protect digital assets against unauthorized access.

If you want to authenticate yourself against a digital system, you have to provide some kind of proof of your identity, backing your claim that you are who you say you are. These proofs of identity are called factors.

Simple authentication usually relies on one factor, typically knowledge of a secret that is hard to guess, e.g. a password. This factor is the easiest to provide and to check, as it requires neither additional hardware nor complicated trust relationships.

With multi-factor authentication, you harden the proof of your identity by combining multiple factors, as the name suggests: several factors have to be presented to the digital asset before it trusts your claim that you are who you say you are. If your password is cracked, guessed or stolen, your asset is still safe. If you lose your hardware token, your asset is still safe, as the finder of your token would also need your password.

Other factors are usually based on checking a unique physical property of the user or on verifying possession of something that is hard to copy.

Physical property checks can be fingerprint or iris scans, facial biometrics or something similar.

Things whose possession can be proven for authentication against digital systems include mobile phones, e.g. by entering one-time codes received via text message or automated call, or TOTP tokens. Another class of things whose possession can be proven are security tokens.

These security tokens consist of a hardware security module that stores a generated secret, is trusted by the digital system (read: hard to copy, only accessible with physical possession), and can communicate with the digital system.

Most hardware tokens communicate via USB, NFC, Bluetooth or smart card readers and can be used from several devices, which also means that I have to pull the token out of my pocket and connect it to the device I am currently using in order to authenticate.

Now, if I am using my own device, e.g. my laptop (a device that is crucial to me, that I keep well protected and under close scrutiny), wouldn’t it be nice if I could somehow prove my ownership of this device as a second factor?

In short: yes, we can use the trusted platform module (tpm) built into most modern laptops as a hardware token, and with it provide proof of ownership of our device as a second factor.

Software solution: tpm-fido

As stated by the project’s readme:

tpm-fido is a FIDO token implementation for Linux that protects the token keys by using your system’s TPM. tpm-fido uses Linux’s uhid facility to emulate a USB HID device so that it is properly detected by browsers.

Installation

Assuming you have Go set up on your machine, simply run:

go install github.com/psanford/tpm-fido@latest

Setup

tpm-fido needs permission to access /dev/tpmrm0, which is granted by membership in the tss group:

sudo usermod -a -G tss username

The user also needs access to the virtual devices created by the uhid kernel subsystem, which is configured with a udev rule.

Assuming the user is a member of plugdev, create a udev rule at /etc/udev/rules.d/90-uhid.rules:

KERNEL=="uhid", SUBSYSTEM=="misc", GROUP="plugdev", MODE="0660"

Then we have to make sure that the uhid module is loaded at boot:

echo "uhid" | sudo tee /etc/modules-load.d/uhid.conf

After a reboot, you can use your tpm as a security token in your local browsers by running tpm-fido.
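The permission steps above are easy to get subtly wrong (a rule file in the wrong place, a group not yet applied to the session, a device left world-accessible). The following script is an added example, not part of tpm-fido, that audits them; it assumes GNU coreutils stat and the paths and group names used in this post. The helpers take their inputs as arguments so they can be checked offline.

```shell
#!/bin/sh
# Added example, not part of tpm-fido: audit the setup steps from this post.
# Assumes GNU coreutils `stat` and the paths/group names used above.

# in_group NAME G1 G2 ...: succeed when NAME is among the listed groups
# (typically the output of `id -Gn` for the current session).
in_group() {
    name=$1; shift
    for g in "$@"; do [ "$g" = "$name" ] && return 0; done
    return 1
}

# perms_ok "MODE GROUP" WANTED: succeed when `stat -c '%a %G'` output shows the
# device owned by group WANTED with group read+write and no access for others,
# so only root and WANTED members can reach the TPM or the virtual HID device.
perms_ok() {
    mode=${1% *}; group=${1#* }
    last3=${mode#"${mode%???}"}          # drop a leading setuid/setgid digit
    g=${last3#?}; g=${g%?}; o=${last3#??}
    [ "$group" = "$2" ] || return 1
    case $g in 6|7) ;; *) return 1 ;; esac
    [ "$o" = 0 ]
}

# uhid_rule_ok RULE GROUP: succeed when the udev rule hands /dev/uhid to GROUP
# with mode 0660; each key is matched on its own, so ordering does not matter.
uhid_rule_ok() {
    for want in 'KERNEL=="uhid"' 'SUBSYSTEM=="misc"' "GROUP=\"$2\"" 'MODE="0660"'; do
        case $1 in *"$want"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Run every check against the live system; print each failure, exit non-zero.
verify_tpm_fido_setup() {
    rc=0; groups=$(id -Gn)
    in_group tss $groups     || { echo "user is not in tss";     rc=1; }
    in_group plugdev $groups || { echo "user is not in plugdev"; rc=1; }
    [ -c /dev/tpmrm0 ] && perms_ok "$(stat -c '%a %G' /dev/tpmrm0)" tss \
        || { echo "/dev/tpmrm0 missing or not 0660 root:tss"; rc=1; }
    uhid_rule_ok "$(cat /etc/udev/rules.d/90-uhid.rules 2>/dev/null)" plugdev \
        || { echo "udev rule for uhid missing or wrong"; rc=1; }
    grep -qsx uhid /etc/modules-load.d/uhid.conf \
        || { echo "uhid not listed in /etc/modules-load.d/uhid.conf"; rc=1; }
    [ -c /dev/uhid ] && perms_ok "$(stat -c '%a %G' /dev/uhid)" plugdev \
        || { echo "/dev/uhid missing or not 0660 root:plugdev"; rc=1; }
    return $rc
}

[ "${1:-}" = --check ] && verify_tpm_fido_setup
```

Run it with `--check` after logging in again (group changes only apply to new sessions) to audit the live machine.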

For maximum comfort, tpm-fido can also be started in the background before it is needed. Each use still requires user interaction, a little click.

This can be achieved with a systemd user unit, for example:

[Unit]
Description=tpm-fido - tpm2 as fido token

[Service]
Type=simple
ExecStart=-/bin/bash -c 'PATH=~/go/bin:$PATH tpm-fido'
Restart=no

[Install]
WantedBy=default.target
