I don’t wish to derail the thread, so I will keep this concise.
Heads (original developer: Trammel Hudson) incorporates (a rewrite of) a piece of software called TPMTOTP (original developer: Matthew Garrett). The latter’s name is a concatenation of Trusted Platform Module and Time-based One-Time Password, and it allows the BIOS to authenticate to the user via a 6-digit TOTP code, in conjunction with:
- the TPM on the motherboard, and
- a separate device that the user has paired with the BIOS via a QR code and that is capable of running the TOTP algorithm.
The latter device needn’t necessarily have any kind of network connectivity and could, for example, be an Android device running FreeOTP.
Garrett gave an explanation of TPMTOTP in 2015 at 32C3, as part of the talk Beyond Anti Evil Maid.