
I think it could work, but I wouldn't want to protect my banking passwords and credit card details behind some random script.

What I mean is eliminating passwords on most services at all. For everything but real important stuff (banks, email, business accounts, that kind of stuff), I reckon my devices are protected enough that if someone can gain access to my devices unlocked enough, 2FA wouldn't prevent any threats anyway. Passwords are easy to brute force, but device-bound keys aren't.

Using the security chips inside my devices for authentication as a single factor is more than enough for most of my purposes. Today, most websites offer FIDO2/WebAuthn/U2F as a second factor, but I'd rather see them as a first factor with an optional password as a second factor.

My password manager protects me against nothing more than brute forcing and password reuse. Switching to TPM-first moves the protected bastion from a piece of software running in userland to either a kernel-level protected component or a dedicated piece of hardware. There's only so much you can do as a desktop application to protect your users' keys, after all.

I wouldn't want to force anyone into this system, but I do think with the hype FIDO2 was released with, I imagine browsers are going to push more for using FIDO2 as a primary factor where available.




Yeah, I understand... but follow me here. If I'm using a 50-character randomly generated password on a website using my typical ({a..k} {m..z} {A..H} {J..N} {P..Z} {2..9}) token generation, then they are going to be brute forcing 6×10⁸⁷ combinations right? That's not happening. So. Randomly generated passwords for sites, managed by a password manager, are much like device-bound keys, but with the added advantage that I can still type it into something that doesn't support the device if I really need to... I still like the idea of dongles especially to enhance the master password. I just don't see what it wins me over a random site password.

And, I'm absolutely going to have a password on my dongle or laptop in case of loss. I don't really trust biometrics in that scenario either really. Especially fingerprints that would be all over the laptop. Biometrics are just a convenience that I recognise offers some modicum of security. That's why hooking it up to TPM seems to not add much.

... I do get hardening where the passwords are stored though... although, if the disc is encrypted using TPM (which Linux definitely supports), I guess the main attack you'd be concerned about would be the OS being compromised while running, but aren't we just back to loggers then?
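As an added example (not part of either comment above), here is a small Python script that builds the commenter's character set from the brace ranges, generates a password from it with a CSPRNG, and works out the keyspace and entropy so the 6×10⁸⁷ figure can be checked and compared against a device-bound key. The 256-bit key size used for that comparison is an assumption standing in for a typical elliptic-curve FIDO2 credential; the function names are this example's own.

```python
import math
import secrets

# Character classes exactly as the commenter wrote them:
# {a..k} {m..z} {A..H} {J..N} {P..Z} {2..9}
# i.e. the usual alphanumerics minus the easily confused l, I, O, 0 and 1.
CLASSES = ["{a..k}", "{m..z}", "{A..H}", "{J..N}", "{P..Z}", "{2..9}"]


def expand_range(spec: str) -> str:
    """Expand a shell-style brace range such as '{a..k}' into 'abcdefghijk'."""
    lo, hi = spec.strip("{}").split("..")
    return "".join(chr(c) for c in range(ord(lo), ord(hi) + 1))


ALPHABET = "".join(expand_range(c) for c in CLASSES)  # 57 symbols


def keyspace(length: int, alphabet: str = ALPHABET) -> int:
    """Number of distinct passwords of the given length (exact big integer)."""
    return len(alphabet) ** length


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy in bits of a uniformly random password of the given length."""
    return length * math.log2(len(alphabet))


def min_length_for_bits(bits: int, alphabet: str = ALPHABET) -> int:
    """Shortest password from this alphabet that carries at least `bits` of entropy."""
    return math.ceil(bits / math.log2(len(alphabet)))


def generate(length: int = 50, alphabet: str = ALPHABET) -> str:
    """Generate a password; `secrets` (a CSPRNG), not `random`, so the
    keyspace figure actually applies to what the attacker has to search."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_to_device_key(length: int, key_bits: int = 256) -> dict:
    """Put the password next to an assumed `key_bits`-bit device-bound key
    (256 bits is a placeholder for a typical EC credential key)."""
    bits = entropy_bits(length)
    return {
        "alphabet_size": len(ALPHABET),
        "password_bits": round(bits, 2),
        "keyspace_decimal_digits": len(str(keyspace(length))),
        "key_bits": key_bits,
        "password_at_least_as_strong": bits >= key_bits,
        "min_length_to_match_key": min_length_for_bits(key_bits),
    }


if __name__ == "__main__":
    pw = generate(50)
    print("sample password:", pw)
    print("keyspace ~ %.1e" % keyspace(50))
    print(compare_to_device_key(50))
```

Running it shows the 50-character password has roughly 292 bits of entropy, above the assumed 256-bit key, and that 44 characters from this alphabet would already match it. The caveat the thread is circling is the one the numbers cannot show: entropy only bounds offline guessing, not a keylogger or a compromised OS reading the manager's vault, which is exactly where a key that never leaves a secure element differs from a typed password.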



