Now you can make your own hardware security key from scratch, thanks to an open-source FIDO2 authenticator that Google announced recently.
Called OpenSK, it is firmware implemented in Rust (a language whose memory safety rules out whole classes of firmware bugs, such as buffer overflows) that you can install on a USB dongle of your own, turning it into a security key for FIDO authentication. OpenSK runs as an application on top of Tock OS, an embedded operating system that sandboxes applications from the kernel, so a bug in the OpenSK application cannot corrupt the kernel beneath it.
Note that OpenSK does not yet use the cryptographic hardware built into the chip. Instead, the required algorithms are implemented in Rust within the firmware itself. In that respect it is similar to the Solo Key; the difference is that OpenSK is not yet suitable for everyday use. Lacking FIDO certification, OpenSK is for research purposes only at the moment. Apart from researchers, security key manufacturers and enthusiasts can use it to develop and test new features.
For those who don’t know what FIDO is: it’s a family of standards for secure online authentication via a browser that goes beyond passwords. There are three modern flavors of it:
- U2F
- UAF
- FIDO2
UAF (Universal Authentication Framework) handles passwordless authentication on a device, typically with biometrics, while U2F (Universal 2nd Factor) lets people authenticate using hardware keys that you plug into a USB port or tap on an NFC reader. U2F works as an extra layer on top of your regular password.
FIDO2 (the W3C WebAuthn browser API together with the CTAP2 protocol spoken to the authenticator) can do away with passwords altogether, letting users authenticate to online services with common devices in both mobile and desktop environments.
If you look at the top providers of FIDO-compatible keys, you’ll find Yubico (YubiKey) and Google among them. However, these have been providing FIDO-compatible keys built on their own proprietary hardware and firmware. By releasing an open-source FIDO implementation, Google hopes to accelerate broader adoption of the standard.
Now that I’ve got you started, let’s move on to how I created a security key using OpenSK.
Creating Your OpenSK Authenticator
Hardware
The first thing you’ll need for creating your own security key is a piece of hardware to install OpenSK on. If you check out OpenSK’s GitHub page, you’ll find that it has been successfully tested on the following boards:
- Nordic nRF52840-DK (Development Kit)
- Nordic nRF52840-dongle (Non-Development Kit)
I went for the former; however, you can go for the latter if you want. It totally depends on you. Although, if you do decide on the second one, which is an actual USB dongle, then you’ll have to purchase various probes, adapters, and cables so that you can flash it. So think it over. There’s no reason you couldn’t try OpenSK on other boards, but there’s little certainty that it’ll work.
Most of you, like me, won’t know how to get started with the dev kit. Don’t panic: go to the Nordic Semiconductor website, where you’ll find a neat little “connect and test” walkthrough that’ll get you up and running in no time. Even if you do know how to get started with the dev kit, I’d still recommend running through it before you continue.
Environment (WSL vs. VirtualBox)
Although I’m a Windows user, I had to use a Linux distribution (Ubuntu 18.04 running in a VirtualBox VM), since the OpenSK installation instructions are targeted at non-Windows users.
At first I tried using the Windows Subsystem for Linux (WSL); however, WSL lacks USB support (libusb), which caught me out when it came time to flash the board. I thought somebody said that WSL 2 had USB support, but after joining the Windows Insider program and switching to WSL 2, I still had no luck.
If you are using a VM, make sure the USB device is made available to the VM after you plug the cable into the board’s J-Link (debug) USB port. Once you start the VM, you may need to unplug the USB cable and plug it back in to make the VM notice that the device is there.
JLinkExe
Once your environment can see the board, install the SEGGER J-Link software (JLinkExe) and update the board’s on-board J-Link firmware. You can download JLinkExe from SEGGER’s website.
Once installed, run JLinkExe and it will offer to update the firmware. You don’t have to give your board’s name or any other information; it will find the board automatically.
You may need to run JLinkExe with sudo the first time around (alternatively, install the udev rules shipped with the J-Link package so that your normal user can access the device). The firmware update will disconnect the USB device from your environment. In the VM, I could not get the USB device to become visible again automatically; I constantly got an error. I finally succeeded by manually enabling the USB device in the VM during the “Waiting for emulator to attach” step (Devices > USB > SEGGER J-Link).
With that all done, you can now move onto OpenSK specifics.
Preparing Your Environment with OpenSK
OK, the first step is to clone OpenSK from GitHub. It can be saved anywhere you want (it doesn’t go on the USB device).
You can then run the setup script (./setup.sh), which initializes the Git submodules and downloads and patches the required dependencies, including the Tock OS sources. There are some prerequisites, but if you’d rather not read through them, the script will soon tell you what you are missing.
Compiling OpenSK and Flashing Your Device
Now that the stage is set, you can compile OpenSK and flash your device using the project’s deploy.py script; the README gives the exact command for each supported board.
Using Your OpenSK Authenticator
Now that your authenticator is ready, you can move the USB cable from the J-Link port to the development kit’s nRF USB port (the one wired to the nRF52840 itself) so that the key enumerates as a FIDO HID device and you can start using it. You can now test your new FIDO2 authenticator on sites such as fido.identityserver.com or webauthn.me.
The first time you use your security key, you’ll need to set a PIN. You’ll then use that PIN for future user-verification challenges, so a single form factor provides both something you have (the key) and something you know (the PIN).
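What the relying party actually sees after a registration on a site like webauthn.me is the CTAP2/WebAuthn authenticatorData blob returned by the key. Its flags byte records whether the user was present (a touch) and whether the user was verified (the PIN was checked), which is exactly what the PIN set above buys you. The following Rust program, written as an added example for this post rather than code from OpenSK or the article’s author, parses that blob and applies a simple relying-party policy to it. The sample bytes (rpIdHash of 0x11s, AAGUID of 0x22s, a four-byte credential id, and a three-byte stand-in for the COSE key) are constructed for the example, not captured from a real key.

```rust
// Added example: parse WebAuthn authenticatorData and check the UP/UV/AT flags.
// Layout (WebAuthn spec): rpIdHash[32] | flags[1] | signCount[4 BE]
//   | (if AT) aaguid[16] | credIdLen[2 BE] | credId | COSE_Key (CBOR)
// Flag bits: UP = 0x01, UV = 0x04, AT = 0x40, ED = 0x80.

/// Parsed view of authenticatorData. The COSE key is kept as raw CBOR bytes.
#[derive(Debug, PartialEq)]
pub struct AuthData {
    pub rp_id_hash: [u8; 32],
    pub user_present: bool,
    pub user_verified: bool,
    pub sign_count: u32,
    pub aaguid: Option<[u8; 16]>,
    pub credential_id: Option<Vec<u8>>,
    pub cose_key: Vec<u8>,
}

pub fn parse_authenticator_data(data: &[u8]) -> Result<AuthData, &'static str> {
    if data.len() < 37 {
        return Err("authenticatorData shorter than the 37-byte fixed prefix");
    }
    let mut rp_id_hash = [0u8; 32];
    rp_id_hash.copy_from_slice(&data[..32]);
    let flags = data[32];
    let user_present = flags & 0x01 != 0;
    let user_verified = flags & 0x04 != 0;
    let attested = flags & 0x40 != 0;
    let sign_count = u32::from_be_bytes([data[33], data[34], data[35], data[36]]);

    let rest = &data[37..];
    let (aaguid, credential_id, cose_key) = if attested {
        // AT set: AAGUID, 2-byte credential id length, credential id, COSE key.
        if rest.len() < 18 {
            return Err("AT flag set but attested credential data is truncated");
        }
        let mut aaguid = [0u8; 16];
        aaguid.copy_from_slice(&rest[..16]);
        let id_len = u16::from_be_bytes([rest[16], rest[17]]) as usize;
        let id_end = 18 + id_len;
        if rest.len() < id_end {
            return Err("credential id length exceeds the available data");
        }
        (Some(aaguid), Some(rest[18..id_end].to_vec()), rest[id_end..].to_vec())
    } else {
        // No attested credential data (an assertion rather than a registration).
        (None, None, rest.to_vec())
    };

    Ok(AuthData { rp_id_hash, user_present, user_verified, sign_count,
                  aaguid, credential_id, cose_key })
}

/// Relying-party policy (an assumption for this example): a registration must
/// carry attested credential data and a user-presence touch, and, when the site
/// requires user verification, the UV flag that a PIN check sets.
pub fn registration_meets_policy(ad: &AuthData, require_uv: bool) -> bool {
    ad.user_present && ad.aaguid.is_some() && (!require_uv || ad.user_verified)
}

/// Constructed sample: flags 0x45 = UP | UV | AT, signature counter 7.
pub fn sample_registration_auth_data() -> Vec<u8> {
    let mut v = vec![0x11u8; 32];                  // rpIdHash (constructed)
    v.push(0x45);                                  // flags: UP | UV | AT
    v.extend_from_slice(&7u32.to_be_bytes());      // signCount
    v.extend_from_slice(&[0x22u8; 16]);            // AAGUID (constructed)
    v.extend_from_slice(&4u16.to_be_bytes());      // credential id length
    v.extend_from_slice(&[0xAA, 0xBB, 0xCC, 0xDD]); // credential id (constructed)
    v.extend_from_slice(&[0xA5, 0x01, 0x02]);      // stand-in for the COSE key CBOR
    v
}

fn main() {
    let ad = parse_authenticator_data(&sample_registration_auth_data()).expect("parse");
    println!("{:?}", ad);
    println!("meets UV policy: {}", registration_meets_policy(&ad, true));
}
```

The point to take away is that a key with no PIN set can only ever return UP, so a site that asks for `userVerification: "required"` will reject it; after setting the PIN as described above, the same key returns UP and UV on the same touch.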
OpenSK as your Primary Security Key
It’s still early days for OpenSK. Strictly speaking, this is more for hardware hackers to experiment with than for producing certifiably secure hardware security keys, which is why Google was careful to use the term “developer key” when it blogged about OpenSK.
If you want to use an open-source security key today, you can opt for the FIDO-certified Solo Key or for Somu (crowdfunded on Crowd Supply, a tiny open-source security key that supports FIDO2). Still, it is interesting to see Google entering the space, and I’m looking forward to seeing how the project progresses.