Readit NewsXous (microkernel OS for Precursor) has an application called Vault that does FIDO2/U2F as well as password management and USB HID emulation.
https://www.crowdsupply.com/sutajio-kosagi/precursor/updates...
Much more on the dev board side and probably overkill for just this purpose but a really cool device.
Interestingly, Pinephone is in the almost good intersection of hackable and portable: :)
Hm, btw, what idiot flags link to sources that show that another idiot is arguing there's no genocide based on data linearly extrapolated from pre-genocide population growth?
https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-cl...
> Just a Linux kernel [...]
That's several orders of magnitude more lines of code than any FIDO authenticator implementation.
> Normally powered off, boots in 2 seconds. :)
Yubikeys boot even faster!
FIDO2 works only with websites that support it.
I don't really want to replace it. It works fine. But the toolchain for other platforms is becoming difficult to manage. I use pass with PGP Yubikeys as backing for each encrypted password. But the developer of the Android version has stopped supporting it and the person who took it over has removed yubikey support because he doesn't use it himself and doesn't care about it.
Of course I need to access my passwords on Linux, Windows, Mac, Android. Only iOS is not possible because Apple doesn't allow raw APDU access to NFC tags so you can't do OpenPGP functions.
I also don't want to use a password manager with a single master password like bitwarden. I want each password to be encrypted individually with the public key from a number of hardware tags (multiple, that's also a hard requirement). This way not my whole password database is instantly leaked when my master password gets compromised. Even when my endpoint gets completely compromised, the only passwords they will have are the ones I decrypted on it since it was compromised. Yubikeys require a physical touch for every decryption so you also can't 'milk' them for credentials when they're inserted and unlocked. Also, any password manager I use must be self-hosted, I hate and don't trust the big tech companies.
I wonder if this could be a new backend. And have support on all platforms (though iOS I don't care about personally, but it would be a nice to have).
No way to prompt it for data, or compromise it remotely.
No other features, no OS userspace, no wifi, no adb, no nothing. Just a Linux kernel + a tiny single userspace static binary based on lvgl for UI and libsodium for encryption/storage. Normally powered off, boots in 2 seconds. :)
Only way to upload sensitive data is to encrypt it yourself, while handling all the secret key material yourself, and then upload the result. You can't trust the website, when it has access to the secret key, regardless of whether it was derived from FIDO2 HMAC or whatever.
Dead Comment
Once the unwashed masses start coming in, the software and its interaction patterns pander to the lowest common denominator and the quality of the medium degrades.
Pandering to the masses would be in the form of specific desktop environment, and maybe specific distribution integrating it well with all kinds of desktop software.
Nothing would change for the existing users of obscure software, hackishly stitched together.