Provided both Nitrokey PRO2 and HSM2 allow to keep a private key secure what prevents someone from creating a software authenticator using such a private key say via PKCS11 only for signature generation like in general U2F/FIDO2 devices?
It is known there are different software authenticators like Google authenticator which can work without hardware U2F/FIDO2 token, why not using a Nitrokey private key by them for better security?
The only problem can be creation of a chain of trust for a generated private key inside a Nitrokey.
In U2F/FIDO2 devices such key is generated once and signed by a manufacturer trusted certificate?
Can we sign our own key by some certificate authority to get described software authenticator working as expected by FIDO specification?
Another interesting issue/feature related to such authenticator could be ability to duplicate such authenticators (though it is not recommended by FIDO specifications)? We could just generate a master private key on the host PC and copy it to each Nitorkey PRO2/HSM2 used as an authenticator’s storage place for signature key.
If you know such software, please share a link to it.
May be https://github.com/LedgerHQ/ledger-u2f-javacard
can be an example of something similar, but it is not pure software and for some reason it needs an additional Java applet inside a cryptochip if I understand it correctly?
Another interesting thread:
Btw, cannot a U2F/FIDO2 USB HID device be software emulated via something like USB-IP, etc.?