diff --git a/go.mod b/go.mod
index 9f92e6b..4bc7fff 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 github.com/gorilla/websocket v1.5.0
 github.com/jaypipes/ghw v0.9.0
 github.com/kairos-io/kcrypt v0.4.5-0.20230118125949-27183fbce7ea
- github.com/kairos-io/tpm-helpers v0.0.0-20230118144616-3f28d1857da9
+ github.com/kairos-io/tpm-helpers v0.0.0-20230118150816-18d63f3a8c83
 github.com/mudler/go-pluggable v0.0.0-20220716112424-189d463e3ff3
 github.com/onsi/ginkgo v1.16.5
 github.com/onsi/ginkgo/v2 v2.7.0
diff --git a/go.sum b/go.sum
index 4d59bea..0c1197b 100644
--- a/go.sum
+++ b/go.sum
@@ -506,6 +506,8 @@ github.com/kairos-io/kcrypt v0.4.5-0.20230118125949-27183fbce7ea h1:1gnZW0HJt1Ye
 github.com/kairos-io/kcrypt v0.4.5-0.20230118125949-27183fbce7ea/go.mod h1:w8k7pDYjFVvt/qsEDNN/nt9qw4URg70cEKLPHGhnNgU=
 github.com/kairos-io/tpm-helpers v0.0.0-20230118144616-3f28d1857da9 h1:tFaUS+aflMccC47F7njJBGzi9epZvUjwj+026qGE4Es=
 github.com/kairos-io/tpm-helpers v0.0.0-20230118144616-3f28d1857da9/go.mod h1:6YGebKVrPoJGBd9QE+x4zyuo3vPw1y33iQkNChjlBo8=
+github.com/kairos-io/tpm-helpers v0.0.0-20230118150816-18d63f3a8c83 h1:iMkcVgFwK943ssSyuHK2/iPzOqNnz496TMbdPx/WP6A=
+github.com/kairos-io/tpm-helpers v0.0.0-20230118150816-18d63f3a8c83/go.mod h1:6YGebKVrPoJGBd9QE+x4zyuo3vPw1y33iQkNChjlBo8=
 github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
diff --git a/pkg/challenger/challenger.go b/pkg/challenger/challenger.go
index 4ea3e08..cf783b7 100644
--- a/pkg/challenger/challenger.go
+++ b/pkg/challenger/challenger.go
@@ -88,7 +88,13 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
 label := r.Header.Get("label")
 name := r.Header.Get("name")
 uuid := r.Header.Get("uuid")
- ek, at, err := tpm.GetAttestationData(token)
+
+ if err := tpm.AuthRequest(r, conn); err != nil {
+ fmt.Println("error validating challenge", err.Error())
+ return
+ }
+
+ ek, _, err := tpm.GetAttestationData(token)
 if err != nil {
 fmt.Println("Failed getting tpm token")
@@ -115,22 +121,7 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
 return
 }
- secret, challenge, err := tpm.GenerateChallenge(ek, at)
- if err != nil {
- fmt.Println("error", err.Error())
- return
- }
-
- resp, _ := writeRead(conn, challenge)
-
- if err := tpm.ValidateChallenge(secret, resp); err != nil {
- fmt.Println("error validating challenge", err.Error(), string(resp))
- return
- }
- fmt.Println("challenge done")
- writer, _ := conn.NextWriter(websocket.BinaryMessage)
-
 if !sealedVolumeData.Quarantined {
 secret, err := kclient.CoreV1().Secrets(namespace).Get(ctx, sealedVolumeData.SecretName, v1.GetOptions{})
 if err == nil {
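Review bot: The EK that drives the rest of the handler is parsed from `token` on the last added line of the first hunk, while proof of possession is now done by `tpm.AuthRequest(r, conn)` on the raw request; nothing in this hunk ties the two together, so if AuthRequest reads its own copy of the token from `r` (which is not visible here), the identity that answered the challenge and the identity looked up afterwards are only coincidentally the same. The old code bound them by construction, since `GenerateChallenge(ek, at)` consumed the same `ek`/`at` that `GetAttestationData` returned, whereas the new code discards `at` with `_`. Prefer having AuthRequest return the attested EK (or the verified token) and deriving `ek` from that value; failing that, add `// AuthRequest must verify the same token GetAttestationData parses, otherwise ek below is not the key that answered the challenge` above the `ek, _, err :=` line so the coupling is at least explicit. The failure branch returns without closing `conn` or reporting to the peer, which matches the behaviour of the removed ValidateChallenge path, so it is not a regression but worth a comment. `token` is assigned outside the hunk and Start's body begins and ends outside it.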