HACKER Q&A
📣 RjQoLCOSwiIKfpm

How to emulate 2FA hardware in software?


The threads about FIDO and GitHub requiring 2FA have shown that many people are concerned about various issues with hardware keys. Examples of the concerns are: lack of convenient backup, cloud backup, privacy, centralization, future readiness (if the hardware's support is discontinued), not being open source.

A solution to this would be to emulate the 2FA hardware in software running on the same machine as you're using to log in - so it is not 2FA anymore but 1FA.

It would be at the cost of security, but at the benefit of allowing users to keep doing as they've been with regular passwords.

So what software solutions exist for emulating things like FIDO, WebAuthn, YubiKeys, etc.?


  👤 richbradshaw Accepted Answer ✓
Safari can generate 2FA codes natively as part of keychain since 2021 - probably the most accessible way to do this for a non-technical user. https://9to5mac.com/2021/11/16/use-safari-password-manager-a... has more details.

👤 tiernano
Krypton (https://krypt.co), now owned by Akamai (https://akamai.com/mfa) who removed one of the best features, IMO (SSH key on a phone...) does this to an extent... Akamai says it's FIDO2... have not used it in a while... It is free though until Akamai decides not to give it away...

👤 ecesena
At solokeys we built an open source fido2 implementation, actually two: one in C and a newer one in Rust.

To emulate a security key you could write a kernel module that exposes a usb device (assuming you want to use the key with an unmodified driver) and somehow plug in the code that implements fido2.

We thought about it for a while and our idea was to build a generic usb to udp device driver. And then have a fido2 udp service in user space (the same we use to run tests). I still think it’s a good idea, however the devil might be in the details… and of course you’d need to build+maintain a driver for each platform (linux, macosx, windows…). The latter is actually the main reason why we never built it in the first place.

Needless to say, this completely defeats the security of having your keys stored in a separate/more trusted device.


👤 nextos
For plain 2FA with TOTP I use oathtool in the CLI of a different device, so that I still have two factors.

👤 Jnr
You can just use TOTP for 2FA. Those can be stored and generated by almost anything these days. For example KeePassXC, Bitwarden, Authenticator apps, most SaaS password storage services, YubiKeys, etc.

👤 h-w
Here is one implementation: https://github.com/danstiner/rust-u2f