Show HN: Bulwark Passkey – A virtual Yubikey-like device for 2FA or WebAuthN (bulwark.id)
29 points by cmdli 10 months ago | hide | past | favorite | 8 comments
Hey y'all,

This is something I've been working on for a few months. It is a passkey system, similar to Apple Passkeys or a Yubikey, but it is entirely software based so you can sync credentials between devices.

Passkeys (and FIDO devices in general) allow you to use public keys instead of passwords or codes to authenticate. For instance, you can just click "Approve" on the device/software instead of having to copy a code, and there are no passwords to phish. This is a new piece of tech, so website support for logins is still limited, but it can currently be used for 2FA anywhere a Yubikey can be used.

Bulwark Passkey emulates the USB device in software, which allows you to sync credentials as well as copy them out. This is less secure than a dedicated hardware device, where credentials can never be copied or removed from the device, but it is much, much more secure and usable than passwords or one-time codes.

Please take a look, and I appreciate any feedback you might have!
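The public-key flow the post describes, as an added Go example (not Bulwark Passkey or Virtual FIDO code; the SoftAuthenticator type, its methods and the sample relying-party IDs are constructed for this illustration): registration hands the site only a public key, an assertion is a signature over the authenticator data and client data hash as in the WebAuthn format, and the credential is scoped to the site's ID so a different domain gets nothing to sign with.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// SoftAuthenticator stands in for a software FIDO device (hypothetical type, not Virtual
// FIDO's API): one P-256 key pair per relying-party ID, created at registration.
type SoftAuthenticator struct{ creds map[string]*ecdsa.PrivateKey }

// Register creates a credential scoped to rpID and returns the public key the site
// stores; unlike a password or TOTP seed, nothing secret is shared with the site.
func (a *SoftAuthenticator) Register(rpID string) *ecdsa.PublicKey {
	if a.creds == nil { a.creds = map[string]*ecdsa.PrivateKey{} }
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.creds[rpID] = k
	return &k.PublicKey
}

// Assert is the "Approve" click. The browser supplies the rpID of the page the user is
// actually on, so a look-alike domain finds no credential. The signature covers
// authenticatorData || SHA-256(clientDataJSON), as in the WebAuthn assertion format.
func (a *SoftAuthenticator) Assert(rpID string, clientData []byte) (authData, sig []byte, err error) {
	k, ok := a.creds[rpID]
	if !ok { return nil, nil, errors.New("no credential registered for " + rpID) }
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01) // rpIdHash || flags (user present)
	sig, err = ecdsa.SignASN1(rand.Reader, k, signedMessage(authData, clientData))
	return authData, sig, err
}

func signedMessage(authData, clientData []byte) []byte {
	cdHash := sha256.Sum256(clientData)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// Verify is the relying party's check: rpIdHash must be its own ID, the challenge it
// issued must appear in clientData (no replay), and the signature must verify.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, clientData, authData, sig []byte) bool {
	want := sha256.Sum256([]byte(rpID))
	if len(authData) < 33 || !bytes.Equal(authData[:32], want[:]) || !bytes.Contains(clientData, challenge) { return false }
	return ecdsa.VerifyASN1(pub, signedMessage(authData, clientData), sig)
}
```

Syncing the credential between devices means copying the private key in `creds`, which is exactly the trade-off the post names against a hardware token.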

This is a very cool concept, however,

(from the site:)

> Can I see the source code?

> Sure! Bulwark Passkey is built on top of an open source core called Virtual FIDO, which contains the USB emulation and FIDO protocol code, as well as the credential encryption and formatting. You can view the safety critical parts of the code, as well as easily decrypt and transfer your credentials out of the system.

So... it... isn't? It sounds like it isn't.

Like, maybe I'm just paranoid at this point, but regardless of how exciting this is in concept, I'm not too keen on using an (unaudited) virtual replacement for a hardware security token when I can neither audit the app I'm actually running, nor (preferably) build it from source; more generally, how would I even tell that the library in use by the app as-built is the same as the source on github?

That's a fair point. I would like to have the entire thing be open source for security purposes like you mentioned, but right now the frontend is built with TailwindUI, which is a paid set of components, so I was worried about open sourcing that up front.

I will take a closer look at how to open source it, especially the parts that would be security critical. I do agree with the general policy of not trusting security devices you can't audit yourself (which is why I opened up the core library earlier).

This is a really cool product! I'm so glad someone is finally trying to solve this problem.

Not having control of your secrets is a big problem. It is why I continue to use TOTP for some things.

Maybe lean into the practical problem this solves and how it empowers the user?

I am going to suggest this to people. But I feel like I'd have to explain to them what it does, and why it is cool. I remember when Keybase took off a few years ago. I think Keybase did a pretty good job of presenting itself to its audience.

I know plenty of people who understand what a Yubikey is, but might not understand what this app is.

Personally, I love that I could keep backups of my TOTP secret keys in encrypted qr codes on paper in a safe, if I wanted to.

I think it is deeper than just the technical part of it. I think people really like anchoring their accounts to something that they can "see".

It would be really easy to let you import and export your secrets to physical media. And there are some interesting options with chaining your secrets to other hardware tokens (that you are in control of).

Of course it gets very tricky when suggesting anything security related. I don't want to tell people that they shouldn't use hardware tokens. But I think that relying on hardware tokens can be really inaccessible, which can itself make a system less secure.

Best of luck!

So, I took a closer look and it seems like TailwindUI does allow for building open source software, so I made the Bulwark Passkey repo public (https://github.com/bulwarkid/bulwark-passkey) if you wanted to take a look!

> but it is entirely software based so you can sync credentials between devices.

AFAIK one can flash a Yubikey with a specific AES key and make the Yubico backend aware of that AES key. The OTPs won't start with cccc but something else then (this is used to differentiate from the default flashed AES which is already known by Yubico).

So what's stopping you from flashing the same AES key to another Yubikey, essentially duplicating your key (at least for OTP)?

This is of course not as secure as the initial AES known by Yubico and present on your Yubikey (not readable).
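The validation side of the Yubico OTP scheme this comment is about, as an added Go example (not Yubico's, Bulwark's or Virtual FIDO's code; the AES key, private ID and counter values are constructed): it decodes the modhex body, decrypts with the programmed AES key, checks the ISO 13239 CRC residue and private ID, and then the usage counter. Any device programmed with the same secret and ID produces OTPs that pass the first checks identically; only the monotonic counter distinguishes them.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"strings"
)

const modhex = "cbdefghijklnrtuv" // nibble 0 is 'c', hence the "cccc" public-ID prefix

// crc16 is the ISO 13239 check inside the OTP body; over body plus CRC it yields 0xf0b8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ { if crc&1 == 1 { crc = crc>>1 ^ 0x8408 } else { crc >>= 1 } }
	}
	return crc
}

// Generate builds the 32-modhex-char OTP body a key programmed with aesKey would emit
// (constructed here to feed Validate; the timestamp and random fields stay zero).
func Generate(aesKey []byte, uid [6]byte, counter uint16, use byte) string {
	var p [16]byte
	copy(p[:6], uid[:])                                    // private ID
	binary.LittleEndian.PutUint16(p[6:], counter)          // usage counter, persisted in the key
	p[11] = use                                            // session use counter
	binary.LittleEndian.PutUint16(p[14:], ^crc16(p[:14])) // inverted CRC, little-endian
	block, _ := aes.NewCipher(aesKey)
	block.Encrypt(p[:], p[:])
	out := make([]byte, 0, 32)
	for _, b := range p { out = append(out, modhex[b>>4], modhex[b&0xf]) }
	return string(out)
}

// Validate mirrors a validation server: decrypt with the AES secret on record, check CRC and
// private ID, then reject a usage counter not strictly above the last accepted one.
func Validate(aesKey []byte, uid [6]byte, lastCounter uint16, otp string) (uint16, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil || len(otp) != 32 { return 0, errors.New("bad key or otp body must be 32 modhex chars") }
	var p [16]byte
	for i := range p {
		hi, lo := strings.IndexByte(modhex, otp[2*i]), strings.IndexByte(modhex, otp[2*i+1])
		if hi < 0 || lo < 0 { return 0, errors.New("not modhex") }
		p[i] = byte(hi<<4 | lo)
	}
	block.Decrypt(p[:], p[:])
	if crc16(p[:]) != 0xf0b8 || string(p[:6]) != string(uid[:]) { return 0, errors.New("wrong key or corrupted OTP") }
	if ctr := binary.LittleEndian.Uint16(p[6:]); ctr > lastCounter { return ctr, nil }
	return 0, errors.New("replayed or stale counter")
}
```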

I appreciate the usefulness for websites that use a passwordless login, where WebAuthn is the only means of authentication. However, I have implemented WebAuthn on various websites as a second factor. On these websites the user is expected to enter a password as proof of something they know, and supply a USB device as proof of something they have.

With projects like Apple Passkeys or this one, aren't we reducing the usefulness of 2FA to simply proof of something you know but spread over two different inputs?

OMG this is why I currently can't use Linux. If your device can accept the "platform" mode of webauthn, I can go back to Linux. I currently have to use an app that only allows "platform" authentication.

I look around every couple of months to see if there is something that'll work, but I haven't seen anything.

Nothing will work. You need to get a platform authentication capable usb key. It's the nature of the beast and I'm not happy about it either.
