logoalt Hacker News

tybityesterday at 9:40 PM0 repliesview on HN

That’s what they do, but the TPM pepper is also needed for HMACing in their threat model. Otherwise the attacker just adds the victim’s user id to their hashing process too.