Google launches open-source security key project, OpenSK – Naked Security


Interested in using hardware security keys to log into online services more securely? Well, now you can make your own from scratch, thanks to an open-source project that Google announced last week.

Google has released an open-source implementation called OpenSK. It’s a piece of firmware that you can install on a USB dongle of your own, turning it into a usable FIDO or U2F key.

FIDO is a standard for secure online access via a browser that goes beyond passwords. There are three modern flavours of it: Universal Second Factor (U2F), Universal Authentication Factor (UAF), and FIDO2.

UAF handles biometric authentication, while U2F lets people authenticate themselves using hardware keys that you can plug into a USB port or tap on a reader. That works as an extra layer on top of your regular password.

FIDO2 can do away with passwords altogether while still using a hardware key: through an authentication protocol called WebAuthn, the digital token on your security key is used to log straight into a compatible online service.
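To make the "log straight in with the key" idea concrete, here is an added example (written for this article, not code from OpenSK or Google) of the challenge-response that WebAuthn and the key's CTAP2 "get assertion" step boil down to. The names `Authenticator`, `RelyingParty`, `RunFlow` and the 37-byte authenticator-data layout are my own toy model; the client data hash is simplified to SHA-256(challenge || origin) rather than WebAuthn's hash of a JSON document. The relying party stored the key's public key at registration; the private key never leaves the device, so there is no password-like secret for a server breach to leak.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator is a toy model of a security key (constructed for this example):
// the private key never leaves the device, and a counter advances on every assertion.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Assertion is what the key hands back to the browser for a login.
type Assertion struct {
	AuthData []byte // SHA-256(rpId) || flags || 32-bit big-endian counter
	Sig      []byte // ASN.1 ECDSA signature over SHA-256(AuthData || clientDataHash)
}

// authenticatorData lays out the 37-byte structure the key signs; 0x01 is "user present".
func authenticatorData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	data := append([]byte{}, h[:]...)
	data = append(data, 0x01)
	return append(data, c[:]...)
}

// clientDataHash simplifies WebAuthn's hash of clientDataJSON: it binds the server's
// challenge to the origin the browser actually talked to (assumption for this example).
func clientDataHash(challenge []byte, origin string) []byte {
	h := sha256.New()
	h.Write(challenge)
	h.Write([]byte(origin))
	return h.Sum(nil)
}

func signedMessage(authData, cdh []byte) []byte {
	m := sha256.Sum256(append(append([]byte{}, authData...), cdh...))
	return m[:]
}

// Sign is the "get assertion" step: the key signs its authenticator data plus the
// client data hash the browser supplied. The counter bumps on every use.
func (a *Authenticator) Sign(rpID string, cdh []byte) (Assertion, error) {
	a.counter++
	authData := authenticatorData(rpID, a.counter)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cdh))
	return Assertion{AuthData: authData, Sig: sig}, err
}

// RelyingParty is the online service; at registration it stored the key's public key.
type RelyingParty struct {
	rpID        string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// Verify runs the server-side checks: rpId hash, user presence, a strictly increasing
// counter (detects replays and cloned keys), and the signature over the expected origin.
func (rp *RelyingParty) Verify(challenge []byte, origin string, as Assertion) error {
	if len(as.AuthData) != 37 {
		return errors.New("bad authenticator data length")
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if !bytes.Equal(as.AuthData[:32], want[:]) {
		return errors.New("rpId hash mismatch")
	}
	if as.AuthData[32]&0x01 == 0 {
		return errors.New("user presence not asserted")
	}
	counter := binary.BigEndian.Uint32(as.AuthData[33:])
	if counter <= rp.lastCounter {
		return errors.New("signature counter did not advance (replay or cloned key)")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(as.AuthData, clientDataHash(challenge, origin)), as.Sig) {
		return errors.New("signature does not verify")
	}
	rp.lastCounter = counter
	return nil
}

// RunFlow registers a key, logs in once, then shows that replaying the same assertion
// and an assertion minted for a lookalike origin are both rejected.
func RunFlow() (loginOK, replayRejected, wrongOriginRejected bool, err error) {
	auth, err := NewAuthenticator()
	if err != nil {
		return
	}
	rp := &RelyingParty{rpID: "example.com", pub: &auth.priv.PublicKey}
	origin := "https://example.com"
	ch := make([]byte, 32) // fresh random challenge per login
	rand.Read(ch)
	as, err := auth.Sign(rp.rpID, clientDataHash(ch, origin))
	if err != nil {
		return
	}
	loginOK = rp.Verify(ch, origin, as) == nil
	replayRejected = rp.Verify(ch, origin, as) != nil
	ch2 := make([]byte, 32)
	rand.Read(ch2)
	as2, err := auth.Sign(rp.rpID, clientDataHash(ch2, "https://examp1e.com"))
	if err != nil {
		return
	}
	wrongOriginRejected = rp.Verify(ch2, origin, as2) != nil
	return
}

func main() {
	ok, replay, phish, err := RunFlow()
	if err != nil {
		panic(err)
	}
	fmt.Printf("login: %v, replay rejected: %v, wrong origin rejected: %v\n", ok, replay, phish)
}
```

The two negative cases are the ones worth watching in a real deployment: the counter check is how a relying party notices an assertion being replayed (or a second device signing with a copied key), and the origin being folded into the signed data is why a credential registered for one site cannot be used by a lookalike site, even if it relays the genuine challenge.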

To date, YubiKey and Google have both been popular providers of FIDO-compatible keys, but they’ve done so using their own proprietary hardware and software. Google hopes that by releasing an open-source version of FIDO firmware, it will accelerate broader adoption of the standard.

Google has designed the OpenSK firmware to work on a Nordic dongle, which is a small uncased board with a USB connector on it. It handles all the communication channels supported by FIDO2, including not just USB but wireless ones like Bluetooth Low Energy (BLE) and near-field communication (NFC). That means you could use a Nordic chip flashed with OpenSK as a wireless security key if you like.

As an open-source project, there are some caveats that make this more of a research project for board hackers than an official alternative to manufactured security keys. For one thing, Google has only tested the firmware with two Nordic boards: the nRF52840-DK and the nRF52840-dongle. There’s no reason you couldn’t try it on other boards, but there’s little certainty that it’ll work. Also, while Google tested the firmware against CTAP 2.0, the part of FIDO2 that lets a security key talk to a browser, the FIDO Alliance hasn’t certified OpenSK, which means the project can’t call itself FIDO Certified.