WebAuthn & Hardware Security
Phishing-resistant, hardware-backed authentication for the modern terminal.
Ephemera uses WebAuthn (FIDO2) as its primary authentication factor to eliminate the vulnerabilities associated with static passwords and legacy TOTP. By requiring a physical touch on a hardware security key, Ephemera ensures that every certificate issuance is the result of a deliberate, human action.
Why WebAuthn?
| Feature | WebAuthn (Ephemera) | Traditional MFA (SMS/TOTP) |
|---|---|---|
| Phishing Resistance | Cryptographically bound to the domain. | Vulnerable to proxy/lookalike sites. |
| Physical Presence | Requires physical touch (User Presence). | Can be automated by remote attackers. |
| Private Key Safety | Key never leaves the hardware device. | Secrets stored on mobile/desktop OS. |
Interoperability
Ephemera supports all FIDO2/WebAuthn compatible hardware keys, including:
- YubiKey (5 Series, Security Key Series)
- Google Titan Security Keys
- Nitrokey (3 Series)
- Built-in platform authenticators (TouchID, Windows Hello)
Implementation Details
When a user runs ephemera login, the CA server generates a unique cryptographic challenge.
The client-side CLI interacts with the hardware key via the system's WebAuthn API. The key signs the
challenge, proving both the user's presence and the integrity of the hardware device.
Because Ephemera is designed for sovereign use, the WebAuthn implementation does not rely on external cloud verifiers. All cryptographic validation happens locally within the Ephemera CA server container.