Hardware TOTP support for passwordless.dev?


Related to Passwordless.dev Hope this is in scope for the community. Is it possible to use / integrate a hardware based TOTP code generator with Passwordless.dev ?

If yes, any prefferences for vendors / devices


Hi @ostergaard,

Anders from Passwordless.dev here. Currently we only use WebAuthn (Passkeys etc) but I think there is potential in adding TOTP as an option (TOTPs have their upsides, but is also more phisable).

Do you mind telling me a bit more about your use case for this?


Hi Anders

Absolutely. We are providing Identity Services for Municipalities (In Denmark for now) and many users in the sector dosnt have adevice as part of their employment. Employes providing healtchare services to citizens usually have access to shared devices and even interim employes are usually created and activated within minuttes. Therefore we are looking for a combination of using own devices supplemented by the abillity to use hardware based TOTP units.

What are the hardware based TOTP devices you’ve looked at?

And just as a note, passwordless.dev do support a similar scenario using hardware security keys running WebAuthn / FIDO2, e.g. Yubikeys: Buy YubiKeys at Yubico.com | Shop hardware authentication security keys

Using a FIDO2 Security Key, you get the phising protection that OTP lacks as well as a simpler user experience (no reading codes, phat fingering input etc)

I am looking at Token2. We would love 2 use Youkeys, but I dont see how i can deploy them to users without a device?

I think Yubico might have better documentation on rollout than I do, but one of the best use cases for Security Keys are when accessing systems via a shared device/computer.

Just a quick summary:

  • Each employee gets their own Security Key (good to have one per employee for auditing who is who in the system). They work/look like a flash drive.
  • When a new employee is hired, you register the key to the System and tie it to the Employee (this can be done in many different ways and quite automated, again, there is better documentation available).
  • Employee A can now use any computer with the software and authenticate themself by inserting the key / or tapping the device via NFC.
  • During offboarding, you de-activate the user account as normal and clear any credentials in passwordless.dev and ask for the key back so you can re-use it for the next person.

Not sure. It still seems complicated compared to enrolment of a TOTP unit.
Maybe my developers can help me understand the potential better. It all comes down to easy enrollment and easy administration of the security keys and still being able to support the multiple devices and OS our cusstomers are using.