
Arduino FIDO2 Authenticator - snakeye
https://en.ovcharov.me/2020/06/29/uru-card-arduino-fido2-authenticator/
======
StavrosK
This is pretty cool, and being able to make a FIDO2 device that I can just
keep at home next to the PC is pretty appealing. I already have a Yubikey in
my keychain for carrying with me, but the keychain isn't at my desk, so having
a second one would be pretty great.

It would be amazing if this supported FIDO2 resident mode, it could store
thousands of credentials (Yubikeys can only do 25 non-thousand credentials).

~~~
archi42
Not sure if applicable to your use-case, but I'm using a HyperFIDO Mini[1].
Much cheaper than the Yubikey, and the form factor is also nice for just
keeping it in a (reachable by hand) USB port. Though I carry mine on the
keychain (and have an older, bigger one at home as a backup).

[1]
[https://hypersecu.com/tmp/products/hyperfido](https://hypersecu.com/tmp/products/hyperfido)

~~~
gruez
That's surprisingly cheap, less than $10 for a token. Any downsides?

~~~
ChrisSD
No FIDO2 so it won't work with everything. No NFC.

~~~
StavrosK
Oh, it's just U2F? You want FIDO2 with resident key support to get the really
nice OpenSSH workflow (plug the key into a new computer, run ssh-add -k, now
you can SSH to all your computers).

~~~
alias_neo
Can I do this with a Yubikey?

Last time I tried there were a few more complex commands than this. Could I
use a udev rule to add my SSH keys as the device is plugged in so I don't have
to run anything?

I think I was using PIV last time.

~~~
StavrosK
Yes you can, SSH 8.3ish uses FIDO2 and doesn't do anything Yubikey-specific.
That means you don't have to bother with all the agent stuff, and it works
with any dirt-cheap FIDO2 key.

EDIT: I'm going to post a writeup tomorrow detailing how to do this, because
it's wonderful and super secure.

~~~
alias_neo
Thanks, going to look into it more tonight, see if I can get a 5C set up.

~~~
StavrosK
It is literally just the two commands, I can send them to you when I'm at the
pc. I have a 5C too.

~~~
alias_neo
That'd be great, thanks. I'll have to do a follow up to my blog post: [SSH
2-Factor's First Factor](https://2byt.es/post/totp2/) once I've had a play.

------
brian_herman
Be careful with the bluetooth implementation.

[https://www.theverge.com/2019/5/15/18625028/google-titan-security-keys-bluetooth-vulnerability-replacement-free](https://www.theverge.com/2019/5/15/18625028/google-titan-security-keys-bluetooth-vulnerability-replacement-free)

[https://nakedsecurity.sophos.com/2019/05/17/google-recalls-titan-bluetooth-keys-after-finding-security-flaw/](https://nakedsecurity.sophos.com/2019/05/17/google-recalls-titan-bluetooth-keys-after-finding-security-flaw/)

edit: formatting

~~~
snakeye
Yes, I have seen this recently. Google is so dissatisfied with BLE in FIDO2
that they removed support for it from the Chrome browser.

~~~
mtgx
Yubico has said from the very beginning that they will stick to NFC because
Bluetooth is not secure.

Bluetooth is a 3000+ pages spec that's a mess and will likely always remain a
mess. Maybe it's time for something better?

~~~
snakeye
I'm using a Bluetooth keyboard and I type my passwords in plain text. I don't
think that a public key sent over Bluetooth is less secure. So it's a very
tricky topic and I think it's more about corporate interests than actual
security.

~~~
StavrosK
Is Bluetooth not encrypted? It would be disastrous if just anyone could read
what your Bluetooth keyboard is sending.

~~~
snakeye
It is encrypted with MITM protection. That's why I do not believe in severe
security issues in BLE. There can be problems with particular implementations,
but in general it should not be less secure than typing a password on a
keyboard.

~~~
alias_neo
Your keyboard very likely isn't using BLE (Bluetooth Low-Energy). The issue
appears specific to BLE which behaves differently than Bluetooth X (4.0, 4.1,
5.0, etc) "proper" and has a different security profile.

~~~
arcticbull
Just so we're on the same page, "Bluetooth X" was discontinued at 3.0 -- it's
now named "Classic Bluetooth."

Bluetooth 4.0 (4.1, 4.2, 5.0, 5.1) are almost exclusively the artist formerly
known as Bluetooth LE. LE is a totally different standard than classic
Bluetooth, and was developed by Nokia ("Wibree") and dropped on the desk of
the SIG with a big thud. Nokia told the SIG this was Bluetooth now, and they
adopted it as "LE" and it forms the core of all versions of Bluetooth 4.0 and
later.

4.0 and later specs include "LE", "Classic" and "High-Speed". It's very
unlikely developers are building for Classic mode anymore, that protocol is an
utter nightmare. I don't know anyone building High-Speed devices.

I'd be surprised if a new keyboard opted for anything other than LE. That's
just the kind of embedded system it was designed for.

~~~
alias_neo
Thanks for the clarification. That's interesting, I had wondered why I always
"felt" Bluetooth had gotten slower lately, but thought it was just me!

Perhaps you can clarify whether I was barking up the wrong tree in my original
comment; my understanding is that keyboards, HID devices in general, are
usually using something like "Classic mode" or perhaps even actual classic
Bluetooth (particularly cheaper/older hardware).

Security keys like this one are using the "modern" type, which is a different
"spec". I don't know if it's using something like (G)ATT, but it's not
the same spec/tech?

~~~
arcticbull
I'm not sure where the industry is at these days, to be honest. So as far as I
know all LE devices use the GATT profile (though I wonder about headphones).
The LE spec includes HOGP (HID over GATT Profile) which defines a set of
services and characteristics for LE HID devices. [1]

Older devices almost certainly use a Classic Bluetooth HID profile, but newer
devices like the Apple Magic Keyboard are LE HOGP devices. It uses much less
energy so IMO a battery-powered HID device would be pretty nutty to implement
using Classic Bluetooth in this day and age.

Interestingly there's no concept of "pairing" in LE devices, just "bonding"
(where previously derived keys are persisted and re-used as an optimization).
All LE peripherals operate in promiscuous mode by default and vendors have to
implement their own pairing system -- or piggyback off bonding.

[1] Warning, PDF link:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwiJisHl4afqAhWXgnIEHR14DhUQFjABegQIBhAB&url=https%3A%2F%2Fwww.bluetooth.org%2Fdocman%2Fhandlers%2Fdownloaddoc.ashx%3Fdoc_id%3D245141&usg=AOvVaw2eTvnztUnfGJ1WtGtxTHs_

------
indeyets
Not Arduino, but there is an open-source fingerprint reader for RPi:
[https://www.raspberrypi.org/blog/raspireader-fingerprint-scanner/](https://www.raspberrypi.org/blog/raspireader-fingerprint-scanner/)

Is it that much worse in smaller form-factor? NDA only?

~~~
snakeye
There is a small UART biometric module:
[https://www.digikey.com/products/en?keywords=2304-100018754-ND](https://www.digikey.com/products/en?keywords=2304-100018754-ND)

The biggest downside: it's more than 3 times more expensive than the device I
have now.

------
nickik
Fantastic. I have been thinking that the best possible thing would be an
external device with a screen and a key pad input. This seems to be exactly
that.

You need the screen because the protocol includes the concept of an
authenticator with a screen, and that allows you to verify the information
even more compared to a yubikey or something like that.

~~~
snakeye
Thank you! :)

~~~
jrexilius
I love this project. Right approach for the problem. Will pitch in on the
code.

------
dfox
Is it really necessary to use external ATECC508A with ESP32? I would not be
surprised if software implementation on ESP32 is actually faster.

~~~
snakeye
You cannot extract the private key from the ATECC508A, while it can be an
issue with a custom key storage built on Arduino. The chip itself costs
around one dollar, so why not?

------
TrueDuality
> But, wait, is it difficult to find a charger or power bank with Micro USB
> nowadays?

It's definitely trending that way IME...

~~~
alias_neo
I understood the point the article was trying to make here, but, actually,
it's become almost a nightmare to find a Micro USB cable in my home, so I had
to answer "yes".

Every time one breaks or gets tatty I bin it and don't replace, because,
really, the only thing I need it for is my PS4 controller and the baby
monitor. I've burned through a decade or so worth of them thrown in boxes and
drawers.

It gets really hard these days to find one when I need to charge my PS4
controller and the baby monitor needs charging at the same time.

While I'm on the go, I guarantee I don't have one. Phone, wife's phone,
Switch, tablet, power bank, laptop, earbuds, all USB-C charging. It's taking
me some time and careful purchasing choices to get to the point where I can
carry a single power brick to fast charge all the devices I carry with one
connector/cable, adding Micro USB back in would actually be an inconvenience.

~~~
snakeye
Nothing can stop us from making the same PCB but with USB Type C connector for
charging.

Actually I'm using it in my other device, following exactly the same
thoughts.

~~~
alias_neo
I've never tried hand soldering a USB-C SMT connector, expecting it to be
somewhat harder than Micro USB, is it reasonably doable with hot air?

~~~
snakeye
Oh, in fact it's much simpler than Micro USB. There is a special type of USB
Type C connector used for charging:
[https://en.ovcharov.me/uploads/2020/04/06/20200404_092055.jpg](https://en.ovcharov.me/uploads/2020/04/06/20200404_092055.jpg)

It has only six huge pads and can be soldered either with hot air or a normal
soldering iron like a charm.

~~~
alias_neo
Oh, now this is a revelation, I had no idea!

P.S. the link has hotlink protection, for anyone wanting to click; you'll need
to paste the link straight into your address bar.

------
ex3ndr
Isn't using wireless charging instead of USB a good option?

------
bendoerr
Can anyone explain or further expand on this statement

> plain C and ESP IDF are too difficult for the broad audience

My intuition is that most folks who hack on ESP32 and other microcontrollers
have no problem with these things.

~~~
snakeye
From my experience, most people say "Arduino is ok" but struggle working with
plain C.

Also keep in mind the number of ready-made libraries for Arduino that can be
reused here almost out of the box.

