FIDO passthrough, FIDO guest and host boot, and why not FIDO webauth if onionsite password logins

Would requiring a FIDO key to boot Whonix or authorize PAM enhance security? Passwords might be stolen by a keylogger, but I think it is much more difficult to perform a similar exfiltration of cryptographic tokens.

I know Tor browser is not compatible with webauth for FIDO, but onionsites that require password logins exist. So how does FIDO fit with the Whonix strategy of secure computing, if at all?

This raises a broader question about onion servers gaining circuit fingerprinting information based on identified login: is there a problem with that similar to the problem of stream isolation?

FIDO 2FA is just the next step to take toward more secure logins. If passwords to login to onionsites are not an issue, why not FIDO keys for authentication?

If FIDO is useful for some aspects of secure computing with the structure that Whonix has developed, making a USB passthrough from host to guest is required as a first step. I was checking on VirtualBox passthrough options. They can be found at VM settings → USB → USB 2 OHCI + EHCI.
But with USB 2 enabled, the YubiKey is not found. USB 3 xHCI is an option that can't be selected. Is USB C an xHCI?

I found a way to use a yubikey to lock LUKS (ykfde/README-dracut.md at master · bpereto/ykfde · GitHub) but there are a few points that would be helpful to clarify if anyone had the mind to unpack the directions.

Footnote: Of course, having a PhD in Computer Science from an Ivy League university, I have all the right answers. Surprise! I just like pretending I don’t to see if anyone else is as smart as me and deserves to reproduce. Plus, the conversation is often highly stimulating. I hope you enjoy the questions! Cheers!
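The VirtualBox passthrough step described in the post, done from the host command line instead of the GUI, as an added example that is not from this thread, from Whonix, or from the VirtualBox project. It assumes a Linux host with VBoxManage on the PATH, the VM powered off, the VM name passed as the first argument (the default below is a placeholder), and, on VirtualBox 6.x, the Oracle Extension Pack installed, since the EHCI/xHCI controllers need it and a missing Extension Pack is the usual reason the xHCI option is greyed out. The filter matches only Yubico's USB vendor ID so no other host device is handed to the guest.

```shell
#!/bin/sh
# Added example: enable the xHCI (USB 3) controller on a VirtualBox VM and
# add a per-VM USB filter for a YubiKey (Yubico vendor ID 0x1050).
# Assumptions: VBoxManage available, VM powered off, Extension Pack present.

VM="${1:-Whonix-Workstation-Xfce}"   # placeholder default; pass your VM name
YUBICO_VID="1050"                     # Yubico USB vendor ID, hex without 0x

# Return 0 if $1 is a four-digit hex USB id in the form VBoxManage expects.
valid_usb_id() {
    case "$1" in
        [0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]) return 0 ;;
        *) return 1 ;;
    esac
}

# Build (but do not run) the usbfilter command so it can be reviewed first.
# Per-VM filters take no --action; only global filters do.
usbfilter_cmd() {
    valid_usb_id "$2" || return 1
    printf 'VBoxManage usbfilter add 0 --target %s --name YubiKey --vendorid %s\n' "$1" "$2"
}

# Switch the VM to xHCI only (the GUI's "USB 3.0" radio button), add the
# filter, then show whether the host currently sees a Yubico device at all.
attach_yubikey() {
    VBoxManage modifyvm "$VM" --usbohci off --usbehci off --usbxhci on
    VBoxManage usbfilter add 0 --target "$VM" --name "YubiKey" --vendorid "$YUBICO_VID"
    VBoxManage list usbhost | grep -i -A4 "VendorId:.*$YUBICO_VID" \
        || echo "host does not list a Yubico device; check cabling and vboxusers membership" >&2
}

if command -v VBoxManage >/dev/null 2>&1; then
    attach_yubikey
else
    echo "VBoxManage not found; the filter command that would run is:" >&2
    usbfilter_cmd "$VM" "$YUBICO_VID"
fi
```

On a Linux host the user running VirtualBox must be in the vboxusers group, or the host will list the key but refuse to hand it over to the guest.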

For FDE, once there’s malware on the system it’s game over. They can just steal the master key. Password / 2FA is just to unlock the master key.
