Hacker News new | ask | show | jobs
by StavrosK 2182 days ago
This is pretty cool, and being able to make a FIDO2 device that I can just keep at home next to the PC is pretty appealing. I already have a Yubikey in my keychain for carrying with me, but the keychain isn't at my desk, so having a second one would be pretty great.

It would be amazing if this supported FIDO2 resident mode, it could store thousands of credentials (Yubikeys can only do 25 non-thousand credentials).
8 comments
archi42 2182 days ago
Not sure if applicable to your use-case, but I'm using a HyperFIDO Mini[1]. Much cheaper than the Yubikey, and the form factor is also nice for just keeping it in a (reachable by hand) USB port. Though I carry mine on the keychain (and have an older, bigger one at home as a backup).

[1] https://hypersecu.com/tmp/products/hyperfido

link
snakeye 2182 days ago
This project is a spin-off from my wireless biometric authenticator. I was asked to make it open source many times.

Other than that - I've got one on my keyring as well. But buying one is not as fun as making :)

link
archi42 2182 days ago
/me looks at his collection of electronic parts: Absolutely :) However, there is only so much time one can spent on this. Reminds me I should continue working on some FOSS after $dayjob is done for today...
link
gruez 2182 days ago
That's surprisingly cheap, less than $10 for a token. Any downsides?
link
ChrisSD 2182 days ago
No FIDO2 so it won't work with everything. No NFC.
link
StavrosK 2182 days ago
Oh, it's just U2F? You want FIDO2 with resident key support to get the really nice OpenSSH workflow (plug the key in to a new computer, run ssh-add -k, now you can SSH to all your computers).
link
alias_neo 2182 days ago
Can I do this with a Yubikey?

Last time I tried there were a few, more complex commands than this. Could I use a udev rule to add my SSH keys as the device is plugged so I don't have to run anything?

I think I was using PIV last time.

link
StavrosK 2182 days ago
Yes you can, SSH 8.3ish uses FIDO2 and doesn't do anything Yubikey-specific. That means you don't have to bother with all the agent stuff, and it works with any dirt-cheap FIDO2 key.

EDIT: I'm going to post a writeup tomorrow detailing how to do this, because it's wonderful and super secure.

link
tialaramex 2182 days ago
Yes, any vaguely modern YubiKey implemented FIDO2 which is what you need.

However you need fairly modern OpenSSH (this year) for both clients and servers. Both need to be upgraded because the authentication protocol itself is different, so an older server has no idea how to authenticate with FIDO2.

To get the behaviour the parent describes you must make sure to follow the instructions for resident keys, and these instructions won't work on cheaper FIDO (not FIDO2) devices that designed be used as second factors. Without resident keys the authenticator only works when at the computer you used to enrol it, which is fine for a personal workstation/ laptop but not great if you need to roam.

link
flipbrad 2182 days ago
Looks like they have a FIDO2 "Pro" version coming soon: https://www.amazon.co.uk/HYPERFIDO-MINI-FIDO2-HOTP-Security/...
link
rlpb 2182 days ago
According to https://hypersecu.com/tmp/downloads/files/datasheets/HSTE-NB... it does support FIDO2.
link
ChrisSD 2182 days ago
That's the PRO version. As flipbrad said, it doesn't appear to be available yet. At least I can't find how to purchase one.
link
rlpb 2182 days ago
There are some available here (in the UK): https://www.amazon.co.uk/gp/product/B0813YWZB2
link
gruez 2182 days ago
What are some use cases where you must use FIDO2? A sibling comment mentioned SSH authentication, but what about websites?
link
tialaramex 2182 days ago
FIDO2 enables resident keys. With resident keys the web site can have a flow where you just go "It's me" (maybe you enter a PIN, or touch a fingerprint sensor, Apple just announced they're doing this with FaceID) and you're signed in. Without a resident key, there's a back and forth where you give a username, then maybe a password, and then your authenticator comes in to provide a second factor.

This is because the FIDO2 device actually has (finite) slots to remember e.g. credentials for funky-jokes.example so when you're at funky-jokes.example a WebAuthn API call can ask for those credentials and sign you in. No username, no password, you've presented all the credentials needed in one step. Whereas when keys are not resident the authenticator is relying on the web site to know (from your username) its ID, without being told the ID it can't do the authentication dance, so you will need to enter a username/ email address.

Resident keys are clearly a great idea in a phone (iPhone, Pixel, whatever) because it's not like gigabytes of flash storage will be exhausted storing credentials for the dozens or even thousands of sites you have credentials for.

It's less obviously a great idea for a Yubikey or cheap USB Security Key that maybe only has space for a dozen credentials. Maybe it makes sense to use it for that one web site you sign into every day, or to replace the main SSH key you use but if a Yubikey has 25 slots it doesn't make much sense for one to be "bush-jokes.example" which you last visited ten years ago...

link
donmcronald 2182 days ago
That sounds worse to me. I don't like the idea of having my identity tied to a device. What if I lose it? My favorite setup right now is to keep my username / password in a password manager that I sync to multiple places to ensure it doesn't get lost. Then I use a YubiKey with FIDO / U2F on sites I consider important. I have a main and a spare YubiKey and both get added to my profile (except AWS who only support one key).
link
solarkraft 2182 days ago
I've had detection issues with some (unpopular) Linux command line tools. No issues with Firefox on Windows and Linux, though.
link
archi42 2182 days ago
I didn't try any command line utilities and only use it for the web with Firefox (e.g. GitHub). Can confirm: Works well on both Linux (needs some udev rule, but I think that's true for all these sticks?) and Windows.

To further answer GP: Lacks Bluetooth/NFC, so it's not usable with a smartphone (okay, maybe with a large USB-OTG adapter). No idea on the supported protocols, I think Yubikeys offer a lot more options there, but it's good enough for web authentication.

Manufacturer support was pretty good: My first token was DOA, and I got a replacement token plus a free Mini. The replacement is now my backup unit and, as mentioned, carry the Mini on my keychain.

link
dividedbyzero 2182 days ago
Could you say which ones? It would be good to know whether anything I use is known to be problematic with these.
link
Freak_NL 2182 days ago
Despite having a 'buy now' link to amazon.{de,fr,es,uk}, it refuses to ship to the Netherlands. That's disappointing (and sloppy).
link
archi42 2182 days ago
Oh, that's really weird. I got it from .de delivered to DE. Maybe send the manufacturer a mail and ask them to fix it? Mine came DOA and I remember them to be pretty friendly.
link
ecesena 2182 days ago
Chiming in to mention SoloKeys, it's open source, FIDO2 certified and supports 50 resident keys.

@snakeye, please feel free to port over the CTAP implementation to your device (same for the other tokens I'm reading in the thread). We have already 3 products selling with our firmware.

https://github.com/solokeys/solo

link
gnufx 2182 days ago
Is Somu the same as the current Solo? (Not that I've had much opportunity to exhaust it...) I don't remember seeing that documented, or if the processor/storage is the same.

On the topic of the implementation, is there any estimate for arrival of the PGP support?

link
StavrosK 2182 days ago
I mentioned SoloKeys farther down the thread, I'm really excited about the new version. Is that coming out soon? I know it was supposed to come out in June, but haven't heard anything yet. I actually sent you guys an email a few minutes ago.
link
ecesena 2182 days ago
Currently manufacturing the very first batch: we're waiting for the PCBs to be shipped, then we'll proceed with assembly, testing, etc.

Conservatively I'd say we'll start shipping around Sep/Oct. But for sure there'll be some "limited edition" tokens in circulation before.

link
StavrosK 2182 days ago
That's good news, thanks! Do you know how many resident keys you're going to end up storing? I'm really suffering with the Yubikey's 25, I'm going to write a post on SSH auth with FIDO2 and would like to be able to recommend SoloKeys.
link
ecesena 2182 days ago
With the current Solo we have 256kB of flash so we sort of arbitrarily reserved space for 50 RKs, but you can prob tweak the firmware if you need.

With the next gen of Solo we have 2MB of flash, so assume virtually unlimited RKs, at least given the number of sites that currently support them.

(note: double checking w/ the team for correctness)

link
StavrosK 2182 days ago
That's really exciting, thanks. I'm kind of banking on FIDO2 RK becoming the standard on the web, so I really want a key that can support thousands of sites. I might be customizing the firmware (AFAIK it's in Rust), and I'm really hoping I can get one of the preview devices to help testing.
link
snakeye 2182 days ago
Thank you! I will definitely take a look at your CTAP implementation!
link
antoinealb 2182 days ago
What I am doing, and I find it to work really well is to have a yubikey nano (https://www.yubico.com/product/yubikey-5-nano) in one of the front USB ports of my PC case. Super easy to reach and takes no room at all.
link
sbr464 2182 days ago
Awesome project.

I have the USB-C version mounted under my desk with a USB-C extension cable. Works well.

https://www.amazon.com/Faracent-Extension-Charging-Nintendo-...

https://www.yubico.com/product/yubikey-5c-nano

link
StavrosK 2182 days ago
I don't want to pay $50 for another Yubikey when I have a box full of $4 ESP32s, though.
link
_8j50 2182 days ago
Weld it into an anvil to prevent tampering while you are away!
link
d33lio 2182 days ago
Haha, I was thinking of a 50lb block of epoxy resin cast around the device, with metal rods protruding down to the touch sensors.
link
mNovak 2182 days ago
The couple dozen keys storage limit definitely feels limiting if this ever supposed to be commonly used. Is anyone using the resident mode which OP mentions?
link
StavrosK 2182 days ago
I am, and yes, it's definitely limiting. I wouldn't buy a Yubikey because of that, I'm very excited about the new Solo keys that should be coming out soon, those will probably support thousands of keys.
link
mikecoles 2182 days ago
Would the Krypton Authenticator be of any help to you?

It works through an app on your phone.

https://krypt.co/

link
StavrosK 2182 days ago
I had used this for a while, the problem I had was that I change phones much more often than I change hardware keys, so I had to change every key on every site every year or so, which was too tedious.
link
seppin 2182 days ago
What is the case against using a bluetooth-linked 2fa from your phone the way Google Advanced Security does?
link
snakeye 2182 days ago
Thank you! I'm looking for a simple and convenient solution as well.
link
StavrosK 2182 days ago
I have opened a few issues in your repo, I want to try this out but there's very little documentation. I know I can probably just `pio build -t upload`, but I'm not sure about the schematics.
link
snakeye 2182 days ago
Oh, right, need some documentation there as well.

In general you can try the project with ESP32 development board and upload the firmware using `pio run -t upload -t monitor`

Then you need to pair the Bluetooth device. Afterwards you should be able to see connection requests in the serial monitor when you start authentication.

The actual authentication commands are not implemented yet, so it will not go further. Sorry :(

link
StavrosK 2182 days ago
Ah, I see, thanks. I will watch the project and hopefully will use it when it's finished, thanks!
link