>> You can use apache client authentication with SSL certificates only. Of
>> course you will need to create a self-signed CA, which you will use to create
>> the web server public/private key pair and also sign each client's
>> certificate and upload it along with your CA certificate to the user's
>> browser. This explains the principle:
>>
> Now, a solution for a more traditional desktop is to use an SSL key stored
> on a smartcard, which I'm sure Diego has blogged about on
> planet.gentoo.org as he is into those. That has all the advantage of
> the TPM as far as key security goes. However, you're still vulnerable
> to xss and keyloggers and such.
Is an SSL key stored on a smartcard better than a TOTP password? They seem roughly equivalent to me. I don't think either would restrict access by device. - Grant