This is pretty cool, and being able to make a FIDO2 device that I can just keep at home next to the PC is pretty appealing. I already have a Yubikey in my keychain for carrying with me, but the keychain isn't at my desk, so having a second one would be pretty great.
It would be amazing if this supported FIDO2 resident mode, it could store thousands of credentials (Yubikeys can only do 25 non-thousand credentials).
Not sure if applicable to your use-case, but I'm using a HyperFIDO Mini[1]. Much cheaper than the Yubikey, and the form factor is also nice for just keeping it in a (reachable by hand) USB port. Though I carry mine on the keychain (and have an older, bigger one at home as a backup).
/me looks at his collection of electronic parts: Absolutely :) However, there is only so much time one can spent on this. Reminds me I should continue working on some FOSS after $dayjob is done for today...
Oh, it's just U2F? You want FIDO2 with resident key support to get the really nice OpenSSH workflow (plug the key in to a new computer, run ssh-add -k, now you can SSH to all your computers).
Last time I tried there were a few, more complex commands than this. Could I use a udev rule to add my SSH keys as the device is plugged so I don't have to run anything?
FIDO2 enables resident keys. With resident keys the web site can have a flow where you just go "It's me" (maybe you enter a PIN, or touch a fingerprint sensor, Apple just announced they're doing this with FaceID) and you're signed in. Without a resident key, there's a back and forth where you give a username, then maybe a password, and then your authenticator comes in to provide a second factor.
This is because the FIDO2 device actually has (finite) slots to remember e.g. credentials for funky-jokes.example so when you're at funky-jokes.example a WebAuthn API call can ask for those credentials and sign you in. No username, no password, you've presented all the credentials needed in one step. Whereas when keys are not resident the authenticator is relying on the web site to know (from your username) its ID, without being told the ID it can't do the authentication dance, so you will need to enter a username/ email address.
Resident keys are clearly a great idea in a phone (iPhone, Pixel, whatever) because it's not like gigabytes of flash storage will be exhausted storing credentials for the dozens or even thousands of sites you have credentials for.
It's less obviously a great idea for a Yubikey or cheap USB Security Key that maybe only has space for a dozen credentials. Maybe it makes sense to use it for that one web site you sign into every day, or to replace the main SSH key you use but if a Yubikey has 25 slots it doesn't make much sense for one to be "bush-jokes.example" which you last visited ten years ago...
I didn't try any command line utilities and only use it for the web with Firefox (e.g. GitHub). Can confirm: Works well on both Linux (needs some udev rule, but I think that's true for all these sticks?) and Windows.
To further answer GP: Lacks Bluetooth/NFC, so it's not usable with a smartphone (okay, maybe with a large USB-OTG adapter). No idea on the supported protocols, I think Yubikeys offer a lot more options there, but it's good enough for web authentication.
Manufacturer support was pretty good: My first token was DOA, and I got a replacement token plus a free Mini. The replacement is now my backup unit and, as mentioned, carry the Mini on my keychain.
Oh, that's really weird. I got it from .de delivered to DE. Maybe send the manufacturer a mail and ask them to fix it? Mine came DOA and I remember them to be pretty friendly.
Chiming in to mention SoloKeys, it's open source, FIDO2 certified and supports 50 resident keys.
@snakeye, please feel free to port over the CTAP implementation to your device (same for the other tokens I'm reading in the thread). We have already 3 products selling with our firmware.
Is Somu the same as the current Solo? (Not that I've had much opportunity to exhaust it...) I don't remember seeing that documented, or if the processor/storage is the same.
On the topic of the implementation, is there any estimate for arrival of the PGP support?
I mentioned SoloKeys farther down the thread, I'm really excited about the new version. Is that coming out soon? I know it was supposed to come out in June, but haven't heard anything yet. I actually sent you guys an email a few minutes ago.
That's good news, thanks! Do you know how many resident keys you're going to end up storing? I'm really suffering with the Yubikey's 25, I'm going to write a post on SSH auth with FIDO2 and would like to be able to recommend SoloKeys.
What I am doing, and I find it to work really well is to have a yubikey nano (https://www.yubico.com/product/yubikey-5-nano) in one of the front USB ports of my PC case. Super easy to reach and takes no room at all.
The couple dozen keys storage limit definitely feels limiting if this ever supposed to be commonly used. Is anyone using the resident mode which OP mentions?
I am, and yes, it's definitely limiting. I wouldn't buy a Yubikey because of that, I'm very excited about the new Solo keys that should be coming out soon, those will probably support thousands of keys.
I had used this for a while, the problem I had was that I change phones much more often than I change hardware keys, so I had to change every key on every site every year or so, which was too tedious.
I have opened a few issues in your repo, I want to try this out but there's very little documentation. I know I can probably just `pio build -t upload`, but I'm not sure about the schematics.
In general you can try the project with ESP32 development board and upload the firmware using `pio run -t upload -t monitor`
Then you need to pair the Bluetooth device. Afterwards you should be able to see connection requests in the serial monitor when you start authentication.
The actual authentication commands are not implemented yet, so it will not go further. Sorry :(
I'm using a bluetooth keyboard and I type my passwords in plain text. I don't think that public key sent over bluetooth is less secure. So it's a very tricky topic and I think it's more about corporate insterests that actual security.
Bluetooth security has always been a mess and even the specification itself has had egregious bugs that almost all devices were and often are still vulnerable to: you can force 8bit symmetric keys if you like: https://knobattack.com
I would never trust any wireless keyboard or mouse on any even marginally important computer. Bluetooth security is a broken mess, and taken together with the mess most bluetooth functionality is (e.g. perpetually broken, laggy, stuttering, forgetful, lofi audio profiles) bluetooth needs to die asap.
It is encrypted with MITM protection. That's why I do not believe in severe security issues in BLE. There can be problems with particular implementations, but in general it should not be less secure that typing password on a keyboard.
Fantastic. I have been thinking that the best possible thing would be an external device with a screen and a key pad input. This seems to be exactly that.
You need the screen because the protocol includes the concept of an authenticator with a screen, and that allows you to verify the information even more compared to a yubikey or something like that.
That was my assessment as well a few years back, which drove the project I'm working on now. I embedded both the authentication (TOTP at the time) and content encryption functions directly into the keyboard and added an internal screen. I had been working through all the attack surfaces of trying to do it in the same kernel space as a compromised node and just decided that was the wrong way to go. Demo of the prototype I built is here: http://www.anomie.tech/deck/anigma-keyboard.m4v
You can not extract private key from ATECC508A while it can be an issue with custom key storage built on Arduino. The chip itself costs around one dollar so why not?
I understood the point the article was trying to make here, but, actually, it's become almost a nightmare to find a Micro USB cable in my home, so I had to answer "yes".
Every time one breaks or gets tatty I bin it and don't replace, because, really, the only thing I need it for is my PS4 controller and the baby monitor. I've burned through a decade or so worth of them thrown in boxes and drawers.
It gets really hard these days to find one when I need to charge my PS4 controller and the baby monitor needs charging at the same time.
While I'm on the go, I guarantee I don't have one. Phone, wife's phone, Switch, tablet, power bank, laptop, earbuds, all USB-C charging. It's taking me some time and careful purchasing choices to get to the point where I can carry a single power brick to fast charge all the devices I carry with one connector/cable, adding Micro USB back in would actually be an inconvenience.
It would be amazing if this supported FIDO2 resident mode, it could store thousands of credentials (Yubikeys can only do 25 non-thousand credentials).