Hi,

One of the presentations in FOSDEM's security devroom was about U2F [0]. As far as I understood, U2F is a smart card which provides unique per-server ECDSA256 keys. Those could be stored in the card or in the PC, similarly to TPM (i.e., encrypted using a key that depends on the card and the site). The protocol includes registration, and is a simple challenge-response process. The differences between a PKCS #11 smart card and that one are the specified registration protocol as well as its driverless nature. The U2F protocol is however limited to the secp256r1 curve and cannot be extended beyond it.

What do you think of that? Would it make sense to support it in openconnect?

regards,
Nikos

[0]. https://fosdem.org/2015/schedule/event/second_factor_auth/
https://github.com/security-devroom/fosdem-2015/tree/master/presentations/universal-2nd-factor
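As an added illustration (not code from this message, from openconnect, or from any U2F implementation), the following Go sketch walks through the registration and challenge-response exchange described above, with the per-site P-256 key re-derived from a device secret and an opaque key handle rather than stored. The derivation, the appID strings, the 16-byte handle and the signed-message layout are simplifications assumed here, not the U2F specification's exact encoding; the server-side counter check shows why a response cannot be replayed or used for another site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"math/big"
)

// Device models the token: a single secret plus a usage counter (no per-site key storage).
type Device struct{ secret []byte; counter uint32 }
// siteKey re-derives the P-256 key for (appID, handle); another appID yields an unrelated key.
func (d *Device) siteKey(appID string, handle []byte) *ecdsa.PrivateKey {
	mac := hmac.New(sha256.New, d.secret)
	mac.Write(append([]byte(appID), handle...))
	k := new(big.Int).SetBytes(mac.Sum(nil))
	k.Mod(k, new(big.Int).Sub(elliptic.P256().Params().N, big.NewInt(1)))
	k.Add(k, big.NewInt(1)) // scalar in [1, n-1]
	x, y := elliptic.P256().ScalarBaseMult(k.Bytes())
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, D: k}
}
// signedData mirrors the U2F signing input: H(appID) || counter || H(challenge).
func signedData(appID string, counter uint32, challenge []byte) []byte {
	app, ch := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	h := sha256.Sum256(append(append(app[:], ctr[:]...), ch[:]...))
	return h[:]
}
// Register returns a fresh opaque handle and the per-site public key for the server to store.
func (d *Device) Register(appID string) (*ecdsa.PublicKey, []byte) {
	handle := make([]byte, 16)
	rand.Read(handle) // crypto/rand; error check omitted for brevity
	return &d.siteKey(appID, handle).PublicKey, handle
}
// Authenticate bumps the counter and signs the challenge with the re-derived site key.
func (d *Device) Authenticate(appID string, handle, challenge []byte) (uint32, []byte, error) {
	d.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, d.siteKey(appID, handle), signedData(appID, d.counter, challenge))
	return d.counter, sig, err
}
// Registration is the server-side record; Verify also rejects a counter that did not increase.
type Registration struct{ Pub *ecdsa.PublicKey; Counter uint32 }
func (r *Registration) Verify(appID string, challenge []byte, counter uint32, sig []byte) bool {
	ok := counter > r.Counter && ecdsa.VerifyASN1(r.Pub, signedData(appID, counter, challenge), sig)
	if ok { r.Counter = counter }
	return ok
}
```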