Hardware Security Keys Go Open Source With Solo

A small team of engineers is building a line of hardware security keys that is completely open source, supports the new FIDO2 standard, and can be used with mobile phones to provide strong two-factor authentication.

The effort started as an educational project for Conor Patrick, a hardware engineer, who wanted to see if he could build an affordable security key from scratch. He designed and built a key using commodity components and his own custom firmware. After building some prototypes, Patrick ordered a large batch of the tokens from a third-party provider and then programmed them himself with the firmware. He then set up shop on Amazon and began selling them as the U2F Zero tokens.

As the name might suggest, the tokens supported the FIDO Alliance U2F protocol for two-factor authentication, the same protocol that commercial hardware keys such as Yubico’s YubiKey support. The U2F protocol provides a strong cryptographic foundation for 2FA and enables users to have one hardware key that can be used to authenticate to multiple different accounts and services. Patrick eventually sold out of his initial supply of the U2F Zero keys, so he refined the design a little further and ordered more, which also sold well.

So Patrick decided to take the next step and develop a fully realized set of security keys for the general marketplace. Known as the Solo, there are a couple of different versions of the key, but all of them use open source software and hardware designs. The line includes the Solo, which comes in both USB-A and USB-C versions, and the Solo Tap, an NFC-based key for use with mobile devices. Patrick and his collaborators set up a Kickstarter project for Solo, with the hopes of raising $5,000 to fund the manufacturing process. They met their goal in 20 minutes and so far have raised more than $50,000.

“We really wanted to make a good alternative to what’s out there. U2F is really critical,” Patrick said. “The ambitions were kind of low for the crowdfunding campaign. We just wanted to use it for the initial shipment.”

Hardware security keys such as Solo, YubiKey, and Google’s Titan are a much stronger alternative for 2FA than the more common method of sending one-time codes via SMS. Attackers can intercept SMS messages in a variety of ways, and users also can fall prey to phishing attacks that compromise those codes. But hardware keys are resistant to phishing attacks.

Patrick said there were a couple of things that were high up on the list of priorities as the team developed the Solo design. First, they wanted the design to include open source software and hardware.

“We wanted to do it as open source so that people could reflash it themselves or fork the software or whatever they want to do,” Patrick said. “It’s really easy to reprogram over USB.”

Second, the team wanted to make a key that was usable with mobile devices. The NFC-enabled Solo Tap will accomplish that goal, though it will only work with Android devices because of the way that iOS handles NFC. For people who want to use a security key with iOS, Patrick said there is a bundle that includes a Solo and a SecureClick NFC-enabled key from OneSpan, which will work over Bluetooth, as well.

Patrick said the team plans to begin shipping the USB Solo keys sometime in December, with hopes of shipping the NFC version in February.