TKey – Security for the New World
9 comments · February 6, 2025
gclawes
Been tracking this project for a while; I'm surprised they don't have a FIDO2 implementation yet, given how popular that's gotten.
dathinab
Their approach is one which is fully stateless on the chip (see their documentation for why).
Theoretically this is quite desirable, but various protocols aren't built in a way enabling it.
e.g. TOTP pushes a secret from the server to the client, instead of having some form of deterministic key exchange
Similarly, while FIDO protocols and passkeys could have been designed in a way which can work fully stateless, they are not.
Now, it doesn't mean you can't make it work with TKeys, but it can get more complex, e.g. for TOTP, using TKey to guard a local password vault which then does the TOTP instead of having the TOTP on the key directly (but then, while TOTP is better than SMS 2FA, it's still pretty bad compared to what is technically possible, like much worse than a lot of people realize).
woodruffw
> Similarly, while FIDO protocols and passkeys could have been designed in a way which can work fully stateless, they are not.
It's been a while since I've looked deeply at FIDO, but I think they would have had to make a handful of nontrivial security concessions to make WebAuthn stateless. One pretty important one that comes to mind is the token counter, which in principle enables RPs to detect a cloned credential.
Rafert
The counter can always be 0, which is what cloud synced passkeys are doing IIRC.
plagiarist
I've seen this one before, when I was looking for something like a human affordable HSM.
I think it is a really smart concept. Take the measurement feature of a TPM but remove the untrusted components supplying the measurements.
I really want one. I just currently don't know how to write device driver stuff and my ADHD means if I don't accomplish a project instantly I won't accomplish it at all.
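As an added illustration of the "fully stateless on the chip" point and the TPM-measurement analogy in the two comments above (example code written for this thread, not code from the TKey project or from any commenter): a Python model in which the only secret an app ever sees is a hash of a fixed device secret, the digest of the loaded app, and an optional user secret, so nothing per-app or per-credential is ever stored. The BLAKE2s-256 hash, the UDS || app_digest || USS input layout and the zero-padding of an absent USS are assumptions of this model.

```python
"""Stateless, measured key derivation (illustrative model, not TKey firmware).

The device stores one fixed secret, the Unique Device Secret (UDS). Every key an
app can use is recomputed from UDS, a measurement of the loaded app and an optional
User Supplied Secret (USS); no per-app or per-credential state exists on the device.
Assumed: BLAKE2s-256, layout UDS || app_digest || USS, absent USS = 32 zero bytes.
"""
import hashlib

DIGEST_SIZE = 32

def blake2s(data: bytes) -> bytes:
    return hashlib.blake2s(data, digest_size=DIGEST_SIZE).digest()

def measure_app(app_binary: bytes) -> bytes:
    """The 'measurement': digest of the app image, taken before it runs.
    Nothing is verified; a different image simply measures differently."""
    return blake2s(app_binary)

def derive_cdi(uds: bytes, app_binary: bytes, uss: bytes = b"") -> bytes:
    """Compound Device Identifier: the only secret handed to the running app."""
    if len(uds) != DIGEST_SIZE:
        raise ValueError("UDS must be 32 bytes")
    if len(uss) > DIGEST_SIZE:
        raise ValueError("USS must be at most 32 bytes")
    uss = uss.ljust(DIGEST_SIZE, b"\x00")  # zero-pad an absent/short USS (assumed)
    return blake2s(uds + measure_app(app_binary) + uss)

def app_key(cdi: bytes, purpose: bytes) -> bytes:
    """Apps expand the CDI into per-purpose keys (e.g. an Ed25519 seed);
    these too are recomputed on every load rather than stored."""
    return blake2s(cdi + purpose)

def demo() -> dict:
    # Constructed values; a real UDS is provisioned at manufacture and is
    # never readable by software.
    uds = bytes(range(32))
    app = b"ssh-agent app image v1"  # constructed stand-in for a binary
    patched = app + b"\x90"          # one byte added: a tampered image
    cdi = derive_cdi(uds, app)
    return {
        "reproducible": derive_cdi(uds, app) == cdi,            # reload -> same key
        "tamper_changes_key": derive_cdi(uds, patched) != cdi,  # new measurement
        "uss_changes_key": derive_cdi(uds, app, b"passphrase") != cdi,
        "ssh_seed": app_key(cdi, b"ed25519-ssh").hex(),
    }

if __name__ == "__main__":
    print(demo())
```

This is also why a protocol that pushes a secret to the device (TOTP) does not fit: there is no place in this model to keep it between loads.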
cyberax
You can get Nitrokey HSM for $100: https://shop.nitrokey.com/shop/nkhs2-nitrokey-hsm-2-7?catego...
Popular in:
2023 (204 points, 78 comments) https://news.ycombinator.com/item?id=38764353
2022 (305 points, 119 comments) https://news.ycombinator.com/item?id=32896580
Note they've had a couple of security vulnerabilities https://news.ycombinator.com/item?id=39830553 https://news.ycombinator.com/item?id=40055726