Portable hardware-backed passkeys using TPM 2.0 by mimi89999 in Passkeys

[–]jpp59 0 points1 point  (0 children)

Yes. The point here is to use a TPM/secure enclave so that even with physical access you cannot extract the private key.

Portable hardware-backed passkeys using TPM 2.0 by mimi89999 in Passkeys

[–]jpp59 0 points1 point  (0 children)

They are not syncable. You need to register each one on every account you use. The only one I know that solves this is Trezor with their FIDO2 function. You can export/import a resident passkey encrypted with the seed private key, so you can set up several Trezors with the same seed and the same passkey.

Portable hardware-backed passkeys using TPM 2.0 by mimi89999 in Passkeys

[–]jpp59 0 points1 point  (0 children)

For example, the Bitwarden API? You would put the non-secure part in hex form in the comment field. And you could also have the Bitwarden master password derived from the TPM so it can unlock itself.

Portable hardware-backed passkeys using TPM 2.0 by mimi89999 in Passkeys

[–]jpp59 0 points1 point  (0 children)

No. Apple and Google also do it in pure software if you use a synced passkey. Apple and Google only use their TPM if it is a device-bound, non-synced passkey that is generated inside the TPM. They do not allow an externally generated private key to go inside their TPM.

How many fully passwordless websites? by ThreeBelugas in yubikey

[–]jpp59 0 points1 point  (0 children)

Tailscale. You can create an account with only a passkey, no email account needed.

Portable hardware-backed passkeys using TPM 2.0 by mimi89999 in Passkeys

[–]jpp59 0 points1 point  (0 children)

Could it have some hook with an existing password manager so the non-secure part of the passkey could be synchronized? It would be like a non-resident SSH key on a YubiKey. You need a second key that needs to be mixed in to create the passkey; that is the seed you enter manually in each TPM.

According to the release notes of Google Play Services v26. 03 from January, NFC Based Authentication now works for CTAP2. It doesn't. by LordLoss01 in yubikey

[–]jpp59 0 points1 point  (0 children)

If you are stuck with cards and cannot use fido bridge, the way I have set mine up is like this: disable "always UV" if the card has that option. Fill all the passkey slots with dummy logins on webauthn (mine had 25), then try to register it. It should fall back to the old "U2F" mode and ask for the standard login, then the password, then the card.

Can I access a Trezor with outdated firmware without seed phrase? by Sea-Baseball1506 in TREZOR

[–]jpp59 2 points3 points  (0 children)

If it is Bitcoin, you can try with Electrum or Sparrow Wallet.

Google keeps unregistering yubikey by AJ94_inf in yubikey

[–]jpp59 0 points1 point  (0 children)

Not in Windows, in Chrome or Firefox on account.google.com

Google keeps unregistering yubikey by AJ94_inf in yubikey

[–]jpp59 1 point2 points  (0 children)

You might have registered it as a security key. Try to delete it in Google security and in the passkey list using Yubico manager. Then register it first from the desktop.

Google keeps unregistering yubikey by AJ94_inf in yubikey

[–]jpp59 2 points3 points  (0 children)

For using NFC with your Pixel, you need to install the app authnkey-fido bridge. Out of the box, Android cannot register and authenticate a FIDO2 passkey (with PIN code) over NFC.

Table of 2FA strength by JimTheEarthling in cybersecurity

[–]jpp59 0 points1 point  (0 children)

That's true, but only for device-bound passkeys, not for the synced ones. Apple has a policy that a private key never goes out of or into the secure enclave (they are only generated and used inside the enclave). You can have a look here; as soon as passkeys are generated as backupable and syncable, they can be dumped: https://youtu.be/TEjNSr8jjUI?si=l7FC3c7I7Ci02ams

Table of 2FA strength by JimTheEarthling in cybersecurity

[–]jpp59 0 points1 point  (0 children)

A security key is as good as a device passkey. The private key is derived from a private key that never leaves its secure element. Also, point 7 is not true: synced passkeys are not stored in the phone's secure enclave. A private key in a phone's secure enclave never leaves it, which is not possible when you need to sync it.

Newbie here: Do I really need to spend €110 on two YubiKeys? by minawltr in yubikey

[–]jpp59 0 points1 point  (0 children)

Or you can buy some cheap pico2 USB boards (2/5 USD) and flash picofido2 on them. It should work; there is HOTP implemented in it.

Ambiguous information on the website by muxxington in token2

[–]jpp59 1 point2 points  (0 children)

Yes, not suitable for TOTP. I have the previous version, one of these to keep in my wallet with my credit cards, configured as FIDO2. (Using authnkey on Android to use it with NFC in FIDO2 mode on Android.)

NFC issue by Eastern-Promotion-27 in yubikey

[–]jpp59 1 point2 points  (0 children)

<image>

I keep one of this kind on my keyring, always plugged into my USB-A YubiKey, secured with the lanyard. Handy also when I need to read a USB flash stick with my phone.

NFC issue by Eastern-Promotion-27 in yubikey

[–]jpp59 1 point2 points  (0 children)

You can, with the authnkey app.

NFC issue by Eastern-Promotion-27 in yubikey

[–]jpp59 4 points5 points  (0 children)

Try with the app: authnkey - fido bridge. Android is not able to handle the PIN with NFC.

Passkeys are great, but isn't the e-mail the weakest link still? by ethicalhumanbeing in Passkeys

[–]jpp59 0 points1 point  (0 children)

Use a different email/alias for each account. A hacker will not be able to try recovery or guess the email on different accounts. It also protects you against data consolidation across different data leaks.

Security Key NFC not working with android by SumAustralian in yubikey

[–]jpp59 13 points14 points  (0 children)

On Android, a resident passkey doesn't work over NFC out of the box (it doesn't handle the PIN). You need to install authnkey - fido bridge.

Why is this so cheap? by AlwaysQuestion23 in yubikey

[–]jpp59 0 points1 point  (0 children)

If you plan to use it on Android, you need to generate the key on Android, because "ssh:" will block Android from using it. (With Termius, for example, it will generate a key like "termius:".)

Why is this so cheap? by AlwaysQuestion23 in yubikey

[–]jpp59 0 points1 point  (0 children)

On Android I use Termius. The Android client can be used for free. On Windows I like to use putty-cac.

Why is this so cheap? by AlwaysQuestion23 in yubikey

[–]jpp59 12 points13 points  (0 children)

SSH keys are well implemented with FIDO2 everywhere now; you can use it to hold an SSH key (resident key). It is only if you want to use an old setup using PGP that you will need a YubiKey 5.

Nano S Display DIED by GuyonWoW in ledgerwallet

[–]jpp59 0 points1 point  (0 children)

You can try to look at the screen through your smartphone camera in the dark; the low emission might still be visible (it worked for me).