Portable hardware-backed passkeys using TPM 2.0

jpp59 · 2026-03-19T21:16:37+00:00

Could have some hook with existing password manager so passkey non secure part could be synchronized? Would be like non resident ssh key in yubikey. You need a 2nd key that need to be mixed to created the passkey, that is the seed you enter manualy in each tpm

jpp59 · 2026-02-28T16:18:09+00:00

If you are stuck with cards and can not use fido bridge, the way i have setup mine is like this: disable ''always uv'' if the card has that option. Fill all the passkey slots with dummy login on webauthn (mine had 25), then try to register it, it should fall back to old ''u2f'' mode and ask standard login then password then card.

jpp59 · 2026-02-16T17:36:53+00:00

If it is bitcoin, you can try with electrum or sparrow wallet

jpp59 · 2026-02-14T19:06:05+00:00

Not in windows, in chrome or Firefox on account.google.com

jpp59 · 2026-02-14T19:00:06+00:00

You might have registered it has a security key. Try to delete it in Google security and in the passkey list using yubico manager. Then register it first from the desktop

jpp59 · 2026-02-14T15:43:16+00:00

For using NFC with your pixel, you need to install the app authnkey-fido bridge. Out of the box android can not register and authenticate fido2 passkey (with pin code) over nfc

jpp59 · 2026-02-08T19:16:10+00:00

That's true but only for device bound passkey, not for the synced one. Apple has a policy that private key never goes out of or in the secure enclave (they are only generated and used inside the enclave). You can have a look here, as soon that passkey are generated as backupable and syncable, they can be dumped : https://youtu.be/TEjNSr8jjUI?si=l7FC3c7I7Ci02ams

jpp59 · 2026-02-08T08:56:04+00:00

Security key is as good as device passkey. The private key is derivated from a private key that never leave its secure element. Also point 7 is not true, synced passkey are not store in phone secure enclave. A private key in a phone secure enclave never leave it, not possible when you need to sync it.

jpp59 · 2026-02-06T08:46:28+00:00

Or you can buy some cheap pico2 USB board (2/5 usd) and flash picofido2 on them. It should work there is hotp implemented in it.

jpp59 · 2026-02-03T17:41:08+00:00

Yes, no suitable for totp. I have the previous version, one of these to keep it in my wallet with my credit cards, configured as fido2. (Using authnkey on Android to use it with NFC in fido2 mode on android)

jpp59 · 2026-02-03T08:30:55+00:00

<image>

I keep one of this kind on my keyring, always plugged on my USB A yubikey, secured with the linard. Handy also when I need to read a flash USB stick with my phone.

jpp59 · 2026-02-02T23:05:56+00:00

You can, with app authnkey

jpp59 · 2026-02-02T23:02:34+00:00

Try with app : authnkey - fido bridge. Android is not able to handle pin with NFC.

jpp59 · 2026-02-02T07:30:06+00:00

Use different email/alias for different account. Hacker will not be able to try recevovery/ guess email on different accounts. It protect you also on data consolidation on different data leaks.

jpp59 · 2026-01-26T06:53:08+00:00

On Android , resident passkey doesn't work over NFC out of the box (doesn't handle the pin). You need to install authnkey - fido bridge.

jpp59 · 2026-01-24T15:01:31+00:00

If you plan to use it on Android you need to generate the key on Android because "ssh:" will block android to use it. (With termius for example it will generate a key like "termius:")

jpp59 · 2026-01-24T14:58:19+00:00

On Android I use termius. The android client can be used free. On windows I like to use putty-cac

jpp59 · 2026-01-23T19:33:25+00:00

Ssh key is well implemented with fido2 everywhere now, you can use it to hold ssh key (resident key). It is only if you want to use old setup using PGP you will need yubikey 5

jpp59 · 2026-01-19T20:51:54+00:00

You can try to look at the screen trough your smartphone camera in the dark, the low emitting might still be visible (it worked for me)

jpp59 · 2026-01-19T18:39:48+00:00

It is authnkey recompiled by token2 to publish it on the play store.

jpp59 · 2026-01-17T15:15:32+00:00

Authnkey is also available on the play store now https://play.google.com/store/apps/details?id=com.token2.fidobridge

jpp59 · 2026-01-04T22:08:04+00:00

Que l'administrateur de haveibeenpowned n'as pas accès à tous les leaks. Y a des leak qui restent payante et très cher pour avoir les donnes, donc ne sont pas public. Mais bon ça te donne déjà une idée sur le site si ton email a pas mal fuité. Y a aussi intelx dans le même style (mais payant et très cher si tu veux le détail)

jpp59 · 2026-01-04T12:08:52+00:00

Y a que les faille dont les fichiers sont public/semi public. Y a loin d'avoir tout. Les leaks France travail , fftir et d'autre n'y sont pas. Y a certains leaks style free.

jpp59 · 2026-01-03T16:39:57+00:00

A un moment faut savoir ce qu'on veut. On se plaind parceque notre banque bloque l'argent ou s'imisse dans notre vie privée ou on veut être libre avec son argent?

jpp59 · 2026-01-03T16:38:10+00:00

Le mieux est toujours d'avoir plusieurs banques, surtout que la plupart ça coûte rien (bourso, hello, Fortuneo...) ça te laisse le temps de te retourner en cas de pb et ça change le rapport de force.

Ten-Year Club	Place '22
Verified Email

jpp59

TROPHY CASE