1988

  • Updated on Feb 6, 2026
  • 1 minute(s) read
  • VN
 Prev Next

What is the difference between TPM and software keys and how do we mitigate any security issues with the software key solution?

FIDO2 uses asymmetric (public-private) key pairs to establish identity when accessing a FIDO-enabled web services. The asymmetric key pair is generated on the FIDO2 device, typically a USB security key or smart badge. The private key is securely bound to the device. FIDO Eazy solution eliminates the need in buying USB security keys by employing the Trusted Platform Module (TPM) as a secure storage of the cryptographic keys.

TPM guarantees that malicious software cannot access the keys at all. Even the owner of the keys cannot give the private keys away to phishing or pharming attacks, as the keys are never visible outside the TPM unencrypted. The keys are said to be bound to the TPM. This means that the only way to sign something with one of those keys is to use the computer to send a request to the TPM. An attacker who wants to make use of those keys must access the computer actively. They can't make a copy of the key and use it offline, even with the cooperation of the legitimate user (who could have been tricked).

However, not all the PC's out there have the TPMs. To cover such cases, FIDO Eazy offers so-called "Software Tokens"/Software Keys. Basic software keys are just files on a hard disk. Although the keys are encrypted, in contrast to the TPM keys, they are vulnerable to offline attacks. To mitigate the risks of exposing the software keys to the outside world FIDO Eazy binds these keys to the PC’s HW. Although these keys are not as secure as the TPM keys, it would require complex reverse engineering effort to attack these keys.

Also, the attack is not possible without knowing HW details of the original PC’s where these software keys were originally generated. Using a software key within FIDO Eazy can be more secure (!) than some hardware FIDO keys somewhere else. We prefer hardware key (unshared TPM key for example). But software key should be secure! Most of today’s attacks are over the network and won’t be successful against FIDO.