Hey y'all,
This is something I've been working on for a few months. It is a passkey system, similar to Apple Passkeys or a Yubikey, but it is entirely software based so you can sync credentials between devices.
Passkeys (and FIDO devices in general) allow you to use public keys instead of passwords or codes to authenticate. For instance, you can just click "Approve" on the device/software instead of having to copy a code, and there are no passwords to phish. This is a new piece of tech, so website support for logins is still limited, but it can currently be used for 2FA anywhere a Yubikey can be used.
Bulwark Passkey emulates the USB device in software, which allows you to sync credentials as well as copy them out. This is less secure than a dedicated hardware device, where credentials can never be copied or removed from the device, but it is much, much more secure and usable than passwords or one-time codes.
Please take a look, and I appreciate any feedback you might have!
(from the site:)
> Can I see the source code?
> Sure! Bulwark Passkey is built on top of an open source core called Virtual FIDO, which contains the USB emulation and FIDO protocol code, as well as the credential encryption and formatting. You can view the safety critical parts of the code, as well as easily decrypt and transfer your credentials out of the system.
So... it... isn't? It sounds like it isn't.
Like, maybe I'm just paranoid at this point, but regardless of how exciting this is in concept, I'm not too keen on using an (unaudited) virtual replacement for a hardware security token when I can neither audit the app I'm actually running, nor (preferably) build it from source. More generally, how would I even tell that the library in use by the app as-built is the same as the source on GitHub?