Not every device has the necessary hardware, though; most desktops don't have it, so they would need to rely on external hardware such as USB keys. Furthermore, the demonstration video is clearly running on some kind of Linux/BSD system, where support for trust hardware is distinctly lacking.
I don't know why you would bother with a PIN on your password manager. My guess is that it's a feature designed for mobile devices, where access to the underlying key store is near impossible so brute-forcing is much less of a risk. Biometrics are usually available there as well, but if you don't trust them with your most secure passwords (you probably shouldn't) or if you want a backup, a PIN would be an excellent defence mechanism for when you've left your phone unlocked and a stranger is trying to steal your passwords.
Also, dongle support is pretty good for things like Java PIV cards and YubiKeys. I've successfully used a Java chip card with website authentication in Firefox, and with the VMware View client. This has also worked for at least a decade or more - my main issue was with the process in Firefox being a little convoluted and VMware using out-of-date libraries and having a set of installer instructions that actually require explicit symlinking of a system library. But that's not really Linux's fault.
Fingerprints work great in modern Linux distros (I use them for sudo and sometimes unlocking my display), but the fingerprint hardware and the TPM don't seem to talk to each other. Windows Hello (and I presume TouchID) is set up to handle authentication and authorization together in one well-secured kernel blob with all kinds of TPM trickery to ensure security.
The Linux version of this process, at least as far as I could find so far, consists of identifying and authorizing the user alright, but the TPM's secret management seems to be handled by an entirely different system.
This means that brute-forcing or other attempts at access don't need to go through the biometric system on Linux whereas Windows Hello is more tightly protected against malware like that.
Dongles do work great! With WebAuthn/FIDO(2) we can hopefully soon start to let go of password managers completely. Passwords are useful but passwordless authentication is just better for most single factor authentication mechanisms in my opinion.
I had no particular desire to use TPM thus far, but you're right, searching briefly on this, it seems the tcscd daemon written by IBM provided by the "trousers" project does not seem to have any PAM integration. That said, presumably you could plug the 2 together (pam and tcscd) with some random script, right? Sure, that doesn't avoid the brute force scenario, but if it's just to store some ridiculously long random key so you don't have to type it in, it's not going to get brute forced anyway. (although in that case, why bother with the TPM?)
As for eliminating passwords, while I love the idea of hardware dongles, I'm always going to want to have a password on it.. I assume you mean eliminating having a ton of passwords as opposed to one good strong password on the dongle. But then, that's the same situation I'm in with the password managers anyway. It's not like I actually type my password into most websites anymore...
I think it could work, but I wouldn't want to protect my banking passwords and credit card details behind some random script.
What I mean is eliminating passwords on most services at all. For everything but really important stuff (banks, email, business accounts, that kind of stuff), I reckon my devices are protected enough that if someone can gain access to my devices unlocked enough, 2FA wouldn't prevent any threats anyway. Passwords are easy to brute force, but device-bound keys aren't.
Using the security chips inside my devices for authentication as a single factor is more than enough for most of my purposes. Today, most websites offer FIDO2/WebAuthn/U2F as a second factor, but I'd rather see them as a first factor with an optional password as a second factor.
My password manager protects me against nothing more than brute forcing and password reuse. Switching to TPM-first moves the protected bastion from a piece of software running in userland to either a kernel-level protected component or a dedicated piece of hardware. There's only so much you can do as a desktop application to protect your users' keys, after all.
I wouldn't want to force anyone into this system, but I do think with the hype FIDO2 was released with, I imagine browsers are going to push more for using FIDO2 as a primary factor where available.
Yeah, I understand... but follow me here. If I'm using a 50 character randomly generated password on a website using my typical ({a..k} {m..z} {A..H} {J..N} {P..Z} {2..9}) token generation, then they are going to be brute forcing 6×10⁸⁷ combinations right? That's not happening. So. Randomly generated passwords for sites, managed by a password manager, are much like device bound keys, but with the added advantage that I can still type it into something that doesn't support the device if I really need to... I still like the idea of dongles especially to enhance the master password. I just don't see what it wins me over a random site password.
And, I'm absolutely going to have a password on my dongle or laptop in case of loss. I don't really trust biometrics in that scenario either really. Especially fingerprints that would be all over the laptop. Biometrics are just a convenience that I recognise offers some modicum of security. That's why hooking it up to TPM seems to not add much.
... I do get hardening where the passwords are stored though... although, if the disk is encrypted using the TPM (which Linux definitely supports), I guess the main attack you'd be concerned about would be the OS being compromised while running, but aren't we just back to loggers then?
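As an added example (not code from anyone in the thread), this reproduces the search-space arithmetic from the comment above for the {a..k} {m..z} {A..H} {J..N} {P..Z} {2..9} alphabet, and draws a password of that shape from a CSPRNG the way a password manager would. The 50-character length and the 256-bit device-key comparison are taken from the discussion; the function names are constructed for illustration.

```python
import math
import secrets

# Alphabet as described in the comment: letters and digits with the visually
# ambiguous l, I, O, 0 and 1 left out. Yields 57 symbols.
def build_alphabet() -> str:
    ranges = [("a", "k"), ("m", "z"), ("A", "H"), ("J", "N"), ("P", "Z"), ("2", "9")]
    return "".join(chr(c) for lo, hi in ranges for c in range(ord(lo), ord(hi) + 1))

ALPHABET = build_alphabet()

def keyspace(length: int, alphabet: str = ALPHABET) -> int:
    """Number of distinct passwords of the given length: |alphabet| ** length."""
    return len(alphabet) ** length

def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password, in bits: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))

def generate_password(length: int = 50, alphabet: str = ALPHABET) -> str:
    """Draw every symbol with secrets.choice (CSPRNG); random.choice is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def compare_to_device_key(length: int = 50, key_bits: int = 256) -> dict:
    """Compare the password's search space with a device-bound key of key_bits bits
    (constructed comparison; 256 bits is a typical modern key size)."""
    bits = entropy_bits(length)
    return {
        "alphabet_size": len(ALPHABET),
        "keyspace": keyspace(length),
        "entropy_bits": round(bits, 1),
        "stronger_than_key": bits > key_bits,
    }

if __name__ == "__main__":
    print(generate_password())
    # 57**50 is about 6.2e87, i.e. roughly 291.6 bits, matching the 6x10^87 figure
    print(f"{keyspace(50):.1e} combinations, {entropy_bits(50):.1f} bits")
```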
> I don't know why you would bother with a PIN on your password manager. My guess is that it's a feature designed for mobile devices.
Note that on desktop Bitwarden allows PINs to be alphanumeric, and any length. I use a PIN because my master password is more than 20 characters and I don't want to type it every time I restart my browser. My PIN is a decently strong password in its own right, but shorter than my actual master password.
> Not every device has the necessary hardware, though; most desktops don't have it, so they would need to rely on external hardware such as USB keys.
How?!? There's been an fTPM built into CPUs since Haswell on the Intel side and on the AMD side since before Ryzen. If you OEM it's enabled automatically if you bought a machine after July 28, 2016. If you DIY you literally have to flick one switch in the BIOS if it's not enabled automatically.
I know it has been, but Windows Hello doesn't seem to be available for my 7700k after explicitly enabling the fTPM. I think it requires TPM 2.0 support, which hasn't been supported for all that long.
Windows Hello doesn't require 2.0, it works on 1.2.
There is something interesting regarding the 7700K though on Windows (especially 11): users have been claiming Windows reports it as supporting TPM 2.0 but they still can't upgrade to Windows 11 due to failing requirements. So I wonder if something else is happening there that also seems to be affecting Windows Hello for you, because on paper at least for Windows 10 you should be able to use Hello no problem.
My CPU doesn't support TPM 2.0 with fTPM (and the motherboard manufacturer stopped selling TPMs for my motherboard years ago) so I'm sticking with Windows 10. It told me I could upgrade at some point but that was a false positive. Maybe my install is just broken in some way.
However, I do know that I had to manually enable the fTPM functionality on my motherboard and I highly doubt the average consumer is going to enable such features in their BIOS. I don't know when manufacturers started enabling fTPM support by default, but it's definitely not enabled by default in most 7th gen Intel boards and I doubt 8th gen changed much in that sense.
I'm not sure if fTPMs have endorsement key certificates. I should know, but mostly I work with dTPMs and vTPMs. Not that an fTPM not having an EK certificate is a big deal -- if you bootstrap a public key for it early enough in OS installation, you can just trust the fTPM.
Bummer that it's not usable in the browser extension though. I used to have the desktop app but it ended up being mostly useless. 99% of my passwords go into the browser where I want autofill, and for the rest I almost always have a browser open anyways so I can just as easily copy/paste from the extension as the app.
You can use biometrics in the browser app, but you have to run the application and unlock that with biometrics after enabling browser integration in the settings. You also can't use the Windows Store version of the Bitwarden app.