
> They are stored on hardware tokens.

Not necessarily: the WebAuthn spec mentions two other types of authenticators in the introduction section (https://www.w3.org/TR/webauthn-1/#intro): "Broadly, compliant authenticators protect public key credentials, and interact with user agents to implement the Web Authentication API. Implementing compliant authenticators is possible in software executing (a) on a general-purpose computing device, (b) on an on-device Secure Execution Environment, Trusted Platform Module (TPM), or a Secure Element (SE), or (c) off device."

> There does not seem to be a way to have privately generated software keys

A specification is something different than an implementation. On https://github.com/herrjemand/awesome-webauthn you'll find (at the time of writing) two software implementations. https://krypt.co/ can be a third if you want to consider a U2F implementation as well.



The section https://github.com/herrjemand/awesome-webauthn#software-auth... talks about using Android phones or Wear OS to webauthn with Bluetooth. The section title is misleading. It's not about software tokens, but about turning one's phone or a smart watch into a hardware token.


The section title is correct: they're authenticators implemented in software, not relying on a TEE/TPM or any other bit of hardware for storing the keys. Apparently these don't run on your CPU architecture and/or operating system of choice, but that's another issue. The claim of "they are stored on hardware tokens, there does not seem to be a way to have privately generated software keys" is incorrect.

Perhaps https://github.com/bodik/soft-webauthn is closer to what you're looking for.



