
The Problem: Use the platform TPM of my Windows Laptop/PC (no external device or USB token) as U2F in a web application to check if it is a known device.

My intended solution:

  • I need to store/create something (Certificate, Private/Public Key or Virtual SmartCard) in the TPM that is known by the web application.
  • If possible, an external application stores/creates this something in the TPM on the device (no registration process with the web application)
  • The web application then silently checks if the device has that something without user interaction when the user tries to login

Where I'm stuck:

  • I read here that WebAuthn might be able to use the TPM without user interaction, but I did not understand how
    • "...in the case where there is no user verification at all, the TPM would be used as a U2F style second factor authenticator."
  • Can I only use the authenticators provided by the OS (Windows) or can I create a custom one that does not need a user interaction but still uses the TPM of the device?

Questions:

  • Is my intended solution even possible?
  • Is WebAuthn the right way to go or do I need to use something else?
MrMaavin
  • Proving TPM based services is usually a task of the OS. Which OS and web browser do you use? – Robert Jun 08 '22 at 11:41
  • Windows with FireFox/Edge – MrMaavin Jun 08 '22 at 12:16
  • Using Edge/Chrome you should be able to use Windows as Fido2 platform authenticator (check Windows Hello system settings). Already did that via https://webauthn.io. Set "Authenticator type" to "Platform (TPM)". – Robert Jun 08 '22 at 12:21
  • Yes this is possible, so I think the problem was that I had not configured Windows Hello or something (I will edit my question). But the problem I still have is how or if I can use the platform TPM as a U2F. Maybe I don't even need WebAuthn for a U2F... – MrMaavin Jun 08 '22 at 12:34
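The relying-party side of the flow the comments point at (platform authenticator, user verification "discouraged", i.e. the U2F-style mode quoted in the question), as an added example that is not code from the question or its comments. The RP ID "example.org" is assumed, and the authenticator-data bytes used to exercise the parser are constructed by hand, not captured from a real TPM.

```javascript
// Options the RP hands to navigator.credentials.create() in the browser:
// request a platform authenticator (Windows Hello / TPM) and set user
// verification to "discouraged" so the credential acts as a presence-only
// second factor. "example.org" is an assumed RP ID.
function buildRegistrationOptions(challenge, userId, userName) {
  return {
    publicKey: {
      rp: { id: "example.org", name: "Example RP" },
      user: { id: userId, name: userName, displayName: userName },
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
      authenticatorSelection: { authenticatorAttachment: "platform", userVerification: "discouraged" },
    },
  };
}

// Parse WebAuthn authenticatorData:
// rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) | credIdLen(2) | credId | COSE key]
function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const dv = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  const out = {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & 0x01) !== 0,   // UP bit
    userVerified: (flags & 0x04) !== 0,  // UV bit (absent in the no-UV mode)
    attestedCredentialData: (flags & 0x40) !== 0, // AT bit
    signCount: dv.getUint32(33, false),
  };
  if (out.attestedCredentialData) {
    const credIdLen = dv.getUint16(53, false);
    out.aaguid = bytes.slice(37, 53);
    out.credentialId = bytes.slice(55, 55 + credIdLen);
  }
  return out;
}

// Second-factor policy: the RP ID hash must match, user presence must be
// asserted, and the signature counter must advance (both zero means the
// authenticator has no counter, which the spec allows). User verification is
// deliberately not required here.
function secondFactorAccepted(authData, expectedRpIdHash, storedSignCount) {
  const a = parseAuthenticatorData(authData);
  const rpMatch = a.rpIdHash.length === expectedRpIdHash.length &&
    a.rpIdHash.every((b, i) => b === expectedRpIdHash[i]);
  const counterOk = (a.signCount === 0 && storedSignCount === 0) || a.signCount > storedSignCount;
  return rpMatch && a.userPresent && counterOk;
}
```

Before trusting the result, the RP still verifies the assertion signature over authenticatorData and the client data hash with the public key stored at registration; this snippet covers only the flag and counter checks.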
