
Designing and Producing 2FA tokens to Sell on Amazon - conorpp
https://conorpp.com/2016/09/23/designing-and-producing-2fa-tokens-to-sell-on-amazon/
======
Animats
Case. Must have case. A bare board is not a consumer product. Consider just
dipping the thing in Plasti-Dip, without submerging the connector. For a
better feel, put the button on the solder side, and put a thin piece of
plastic U-channel sized to fit the board over the component side to give it a
flat surface. Then Plasti-Dip. No custom injection molding, and the user can
still push the button through the Plasti-Dip.

Other than that, great idea. It's how PayPal started.

~~~
conorpp
I agree. The problem is trying to do this at scale. I don't want to do it
myself as it would be too time consuming and messy.

Without having the funds for injection/pressure molding, I haven't been able
to find a good solution. Maybe there are cost effective services that would
work like PCB potting or overmolding.

One service that I found that looks promising is Cavist:

[http://cavist.com/](http://cavist.com/)

But I haven't gone down this route or found someone that has. I might do this
later on.

~~~
Animats
Here's an option. There are companies in China which sell standard enclosures
for USB plug-in devices. They'll even throw in a color of your choice and a
sticker. You'd have to redesign your board to fit their case, but that may be
a lot easier than dealing with encapsulation.[1]

[1] [https://www.aliexpress.com/item/1-pcs-szomk-white-small-usb-...](https://www.aliexpress.com/item/1-pcs-szomk-white-small-usb-flesh-drive-enclosure-80-32-12mm-electronic-USB-card-outer/32454070479.html)

~~~
makomk
The problem is that the U2F specification requires users to approve
authentication requests by pressing a button and none of the existing
enclosures have a space for one. Entirely coincidentally, the company behind
it (Yubico) already had a design with a button because their original second-
factor proposal had no other way of knowing you want to authenticate. It's a
little pointless on U2F but the spec requires it.

~~~
cjfont
You could quickly drill a small hole in each case, in order to fit a tall
button like this one:

[https://www.sparkfun.com/products/8605](https://www.sparkfun.com/products/8605)

Also, there's some U2F devices that trigger the approval simply when they are
plugged in.

------
alister
> _I am not actually concerned with financial success or growth. The nice
> thing about this project is I can just let it sit and I don’t need to
> maintain anything – leaving me time to move on to the next project._

You should pursue this product -- you have _huge_ possibilities here.

You heard of a company called Security Dynamics? They invented the little
token with ever-changing 6-digit numbers that you have to enter to login to
your remote office computer. You probably know it today as the RSA SecurID[1].
They created a billion-dollar market and made the founders fabulously rich.

I know that there are other U2F products out there, but you can make yours
unique, different in some way, or targeted to different market. Or just
compete as an alternative to the larger companies making U2F keys (which are
not really that large yet anyway).

Surely continuing this product is better than the "working in government" job
you're seeking.

[1] [https://upload.wikimedia.org/wikipedia/commons/3/33/RSA-Secu...](https://upload.wikimedia.org/wikipedia/commons/3/33/RSA-SecurID-Tokens.jpg)

~~~
conorpp
Thanks! I didn't know about Security Dynamics.

I think there's a lot of neat improvements you can make on 2FA products for
different markets. But it's kind of at the point where if I wanted to continue
working on a better 2FA token, I would have to get funding and do it full
time. Although it's always tempting, I'm not sure I want to "cash out" of
school and regular life just yet.

Also if I don't work in government I'd be in a lot of debt to pay back school.
So that's an additional hurdle.

~~~
mikekij
Great work, Connor. I have spent considerable time thinking about the federal
student loan forgiveness you're referring to. I'd love to share. Email me at
mike at medcrypt dot co if you're interested.

~~~
mikekij
Why is a comment offering help for someone else battling massive student loan
debt getting down-voted?

~~~
jamiesonbecker
Honestly, you probably got downvoted because federal student loan forgiveness
(which I didn't see Conor mention anywhere) sounds an awful lot like spam
and off-topic. However, your email with 'crypt' in it seems that you're at
least partly on topic and your addressing the OP by first name shows that at
least you're not a bot (or perhaps a very smart bot) :) I upvoted you for the
benefit of the doubt anyway.

~~~
mikekij
Thanks. Definitely not a bot. Although if we are all living in a simulation, I
guess my consciousness could be resulting from a hacked CCTV CPU. Difficult to
disprove.

------
kbaker
Looks good. Consider applying a conformal coating at the end. It will provide
a lot of protection from general handling and riding around on a keychain, and
preserve the 'raw PCB' look.

Something like: [http://www.mgchemicals.com/products/conformal-coatings/acryl...](http://www.mgchemicals.com/products/conformal-coatings/acrylic-conformal-coating-419c)

~~~
toomanybeersies
Conformal coating also has the bonus advantage that it fluoresces and looks
awesome under UV light (and sometimes even just from the UV from sunlight).

It also waterproofs the board too, which is a bit more useful.

------
StavrosK
This is fantastic, very useful stuff. I literally just finished writing a
similar post:

[https://www.stavros.io/posts/making-gsm-board/](https://www.stavros.io/posts/making-gsm-board/)

Conor, can you detail how the assembly is done a bit? I've made a few boards
with KiCAD but I have no idea how to go from bare PCB to assembled PCB,
especially for such low cost as yours.

I went to PCBcart but counting all the items on my board was a hassle, and I
got a cost of $38 per board for a run of ten, which sounds too expensive.
Besides that, how do you even export the BOM from KiCAD? It doesn't come with
a plugin by default.

A few details or a post on how to go from PCB design to assembled board would
be very useful, at least to me.

~~~
conorpp
Thank you!

Assembly depends on the service you end up using. For PCBCart, I think I just
ended up filling out their template BOM manually. Not much of a hassle since I
only have 8 parts. I just had to match the component references on the PCB to
the BOM, count the number of pins, provide part number, etc. They figured
everything else out, just a question or two on part polarities.

Yeah, getting boards assembled for small volumes will likely not be cost
effective. You can mess around with online quote tools to get an idea of whether
it'd be worth it or not. Using parts with pins that extend out from the package
(rather than underneath) will always be more cost effective. Fewer pins is
cheaper too.

~~~
StavrosK
Ah, thanks for the info!

------
Mizza
At the risk of sounding like a complete schmuck - how do I actually use this?

It looks like it's a dev board, the kind of thing I'd get on SparkFun or
whatever, but I get the impression it's a consumer product. Do I plug it into
my computer, and it runs software? Do I press the button, then it blinks out a
password via LED at me? Does it connect via Bluetooth to... something? Who
writes the local software? You? Google? Me?

I love your write-up and I dig your hustle, but I think the final 10% "polish"
is the missing piece here! Good luck!

~~~
conorpp
Haha good question.

Yubico has a good explanation:

[https://www.yubico.com/products/yubikey-hardware/fido-u2f-se...](https://www.yubico.com/products/yubikey-hardware/fido-u2f-security-key/)

It's the same as any other U2F token. You register it with a service that
supports U2F (Google, Github, Duo, etc.) and then present the token and press
the button upon logging in later.

No software or drivers needed. It's an HID device so all normal operating
systems will support it.

~~~
rattray
Ummm... can you please include an explanation on your website that makes sense
to non-developers who haven't heard of either Yubico or U2F before?

"It's the same as any other U2F token" is meaningless to a rather significant
proportion of humanity.

~~~
rattray
Could I use this if I want to access apps on my Android phone?

~~~
homero
It's a keyboard, so OTG will work.

------
VeXocide
If a coating of plasti-dip is an option check whether it's possible to add
glitter to it as tamper-proofing, similar to
[https://www.wired.com/2013/12/better-data-security-nail-poli...](https://www.wired.com/2013/12/better-data-security-nail-polish/)

------
lisper
I am doing something similar but much more powerful and versatile (and more
expensive):

[https://sc4.us/hsm/index.html](https://sc4.us/hsm/index.html)

I actually have a new batch of prototypes and I'm just putting the finishing
touches on my e-commerce code (I'm using Stripe and Easypost rather than
Amazon). The plan is to finish that tonight and start taking orders again on
Monday.

~~~
NetStrikeForce
I had a look at the link, but I don't know yet what are the use cases for your
device.

Care to explain why would I want one?

Thanks!

~~~
lisper
Think of it as an Arduino for security. It can be programmed to act like a U2F
token, a bitcoin wallet, secure storage for ssh keys, etc. A future version
will have a second USB port so it can turn a regular USB thumb drive into an
encrypted drive, act as a "USB condom" between your computer and a suspect USB
device, or turn a regular keyboard into a smart keyboard that can generate and
play back secure passwords. Because it has local I/O (a display and two
buttons) it can do all of these things while remaining secure against an
adversary that pwns the machine it is plugged into. And because it uses stock
hardware and is user-programmable you can be fairly confident that it doesn't
have any back doors built into it.

Of course, it doesn't actually _do_ most of those things yet (working on
getting the bugs out of the U2F code right now) which is why right now it's
just a toy for hackers and devs. But the apps are coming.

~~~
NetStrikeForce
Sounds awesome. I would personally use some of these if it was fairly easy to
setup.

Keep us posted on your progress please ;)

~~~
lisper
The manual is pretty detailed. You can read it and decide for yourself if you
think it's easy or not.

[https://sc4.us/hsm/manual.html](https://sc4.us/hsm/manual.html)

Personally I think it's pretty easy by DIY standards.

Will definitely keep HN posted as things progress. You can also sign up for
our mailing list to be sure not to miss an update.

------
mmorris
_I'm by no means an entrepreneur but I'd like to keep trying to be one._

Your imposter syndrome is showing! Designing and building a tool like this and
selling it qualifies you as an entrepreneur.

Get a low-cost marketing channel going (or improve your margins to make other
marketing options feasible) and see how far you can run with this.

Thanks for the interesting read.

------
rattray
Looks like it's basically this:
[https://www.amazon.com/Yubico-Y-123-FIDO-U2F-Security/dp/B00...](https://www.amazon.com/Yubico-Y-123-FIDO-U2F-Security/dp/B00NLKA0D8)
but $8 instead of $18, open-source, and far more "stylish".

Cool.

~~~
rattray
Hmm, this product may be more practical if you're okay with closed source for
this purpose:
[https://www.amazon.com/HyperFido-K5-FIDO-U2F-Security/dp/B00...](https://www.amazon.com/HyperFido-K5-FIDO-U2F-Security/dp/B00WIX4JMC/)

Still, cool.

------
jamiesonbecker
I started soldering one of these one night (ordered enough parts for 9 of
them) and realized that these things are really, REALLY tiny. Even with a
magnifying glass, it's hard to even tell where the pins are, but I got about
half of it soldered.. looking forward to the other half. :)

Huge thank you to Conor for building this whole thing and open sourcing it and
even providing links to pre-fab PCB's. Incredible work. Also the PCB's look
really cool.

I think I'll buy a few to go along with the one I just made.. :)

~~~
StavrosK
You hand-soldered a QSOP package? How did you manage that? :)

~~~
mcpherrinm
It's not too hard if you have a proper PCB with solder resist. The surface
tension of the solder causes it to glob onto your part's pins and the pads
below them. The solder resist is really key here, or else it's essentially
impossible.

You will have to test for solder bridges between pins, and maybe use some
solder wick to get any excess out.

It's not super fast, but it's absolutely doable with an hour or two of
practice. Solder paste and a heat gun is the next step up, which I find more
difficult to get right (I'm bad at applying the paste).

~~~
jon-wood
If you're using solder paste the trick is to get a stencil along with your
PCB. It has holes where solder should be applied which you place over the PCB,
smear the whole lot with solder paste, and then drop the components into
place. You've now got solder exactly where you need it and nowhere else.

~~~
mcpherrinm
I find stencils hard to use ... I always end up smearing them when removing
the stencil.

Mind you, I have pretty minimal experience, so maybe I just need to try more
and get the hang of it. Unfortunately without owning a hot air gun or reflow
oven, I'll just keep avoiding BGA parts and doing everything else with an
iron.

------
jerkstate
It seems like the price is too low, if your actual margin is only 25%. As a
customer I would also be concerned about how to carry it without damaging it,
given that there's no case. Do you have any recommendations?

You might also want to add some keywords like "fido usb yubikey" to your
product page too.

------
cavisne
Very cool, I love how this is an end to end FBA business with (it sounds like)
very little upfront cost.

Is getting the 2 day shipping a function of just price of the item or
something else?

I wonder because the most direct competitor

[https://www.amazon.com/HyperFido-K5-FIDO-U2F-Security/dp/B00...](https://www.amazon.com/HyperFido-K5-FIDO-U2F-Security/dp/B00WIX4JMC)

gets the 2 day shipping and is only a few $'s more.

The difference between $8-10 is nothing really, if I was shopping for one of
these and saw yours for the same price I would buy it because I _like_ the
exposed/no case design (and I think a lot of the "early adopter" people buying
these tokens for personal use would be the same). So maybe you should bump the
price up a bit.

~~~
joemi
Not really sure exactly what you mean, but unless I'm mistaken, all FBA items
have all shipping methods Amazon offers, since they're being shipped from
Amazon's warehouses just like all of Amazon's products.

~~~
cavisne
Right, maybe it's location based, but from my account I see Prime (2 days) for
the linked product, and Prime (5 days) for the Zero.

~~~
ascorbic
It'll be location. I'm guessing these are just in one fulfilment center, so if
you're on the other coast you won't get 2 day.

------
sekasi
Really great writeup man, and for a good cause too. I've done something
remarkably similar but solely for myself, and it's great to see someone going
one step further.

Best of luck, hope you make your money back and get a nice kicker in the end
to fund a few late night college parties.

~~~
conorpp
Thank you!

------
gravypod
How hot does this get? If I just put this in a putty-epoxy will I "cook" it?

Edit: Can I also use this as 2FA for SSH/Desktop login on my Arch install?
I've never done 2FA but I've always wanted to.

~~~
captn3m0
For my yubikey, I've got a couple of scripts that kill and boot my i3lock when
I plug and unplug it. I haven't setup desktop login on it though, because that
would be too risky for me.

If this stores GPG, then you could do SSH as well. Edit: Reading the comments,
looks like it only does core U2F, so no SSH for sure. I'm not sure if there is
a U2F module for PAM yet.

~~~
sliken
Generally U2F widgets don't run code or have any extra functionality unless
they specifically mention it.

The OP key looks pretty barebones; I wouldn't expect it to generate/store/use
ssh or pgp private keys. That's more like a YubiKey 4 or similar more
expensive widgets that are basically smartcards and/or HSMs.

There is a U2F pam module that can allow you to use a U2F widget for screen
unlock, login, sudo and the like. If you are worried about the U2F dying/being
stolen/lost then you could always authorize more than one U2F widget and keep
one in a safe place.

------
frederikvs
Could use a comparison to e.g. a yubikey [0]. At this price, I can afford to
just order one and see what happens, but still it would be nice to know what
features I'm sacrificing for the cheaper price.

[0] [https://www.yubico.com/products/yubikey-hardware/yubikey4/](https://www.yubico.com/products/yubikey-hardware/yubikey4/)

~~~
jon-wood
You're sacrificing everything the Yubikey does beyond U2F. Yubikey can support
U2F, but also generates one time passwords, and appears as a smart card to
your operating system allowing you to keep PGP/SSH keys on it.

~~~
ascorbic
A better comparison is the Yubico Fido U2F key, which just does U2F.
[https://www.yubico.com/products/yubikey-hardware/fido-u2f-se...](https://www.yubico.com/products/yubikey-hardware/fido-u2f-security-key/)

------
trav4225
Interesting -- I (incorrectly?) assumed this would need to be approved by
several regulatory bodies in order to be legal to sell...

~~~
kbaker
Well, _technically_, since this device contains a clock, it should go through
FCC Part 15 Verification before being sold. However, the FCC doesn't really
have the budget to go after every board produced, you have to REALLY mess up
to get on their radar...

Since it is USB based, it should _technically_ go through USB-IF
interoperability testing, if he wants to use the USB logo. Though actually it
looks like he has a VID/PID allocated from SiLabs for this, which is already
way better than a lot of inexpensive USB products.

~~~
conorpp
Yeah I'm not sure about the legals and just figured it would be fine. I did
get a VID/PID from SiLabs which has already done USB certification for the
chip.

FIDO U2F also has a $10k certification process to allow you to use the FIDO
logo. I don't think it's worth pursuing for me.

~~~
kbaker
Though, if you can budget to go through FCC Verification testing (class B),
maybe around $1000-1500 depending on your test house, it can sometimes be
quite a useful learning experience for a board of moderate complexity. It is
surprising where RF leaks out of these days. For a device that is this simple,
it is probably fine. Officially, my opinion is that you should always have all
the proper certifications in place.

Unfortunately, the $10k U2F certification is not that unreasonable compared to
other similar certifications I have seen... As the fees don't just cover
interoperability testing, but also legal fees if the trademark or
specification must be defended.

------
thoughtpalette
I love this. Great article/read/product.

One thing to note, on your site [https://u2fzero.com/](https://u2fzero.com/)
there's around 50 line break tags at the bottom. Shows an entire screen of
white space for me :|

------
fragmede
Pricing things well is a dark art, but I think you could stand to raise the
price some.

------
mrgreenfur
Love it and want to buy one, can I buy direct from you? (I have a thing
against Amazon).

Edit: For auth on a phone / small device, could you make a version with a
miniusb plug?

------
danieltillett
I have a question about these tokens - what happens if they break? Are you
effectively locked out? Is it possible to have two identical tokens so that if
one breaks you can use the other?

~~~
craftkiller
You can often times have multiple different keys registered to a single
account. I have a yubikey nano stashed away as my backup key if the one on my
keychain breaks or is lost.

~~~
danieltillett
Thanks. I have quite a few services that only let me register one key. I
always worry that if I lose my phone (or break it) I am going to be locked
out.

~~~
lorenzhs
Are you sure? I think you might be confusing OTP codes (what you get from an
authenticator app on a phone) with U2F (a device like this that communicates
via USB or NFC). Most services I know of only support one OTP seed (you can
use it with multiple devices, though - just scan the QR code with all of them,
the entire secrets are encoded in it. Of course, this makes it very cumbersome
to add or remove a device, as you have to re-enrol all of them). But only
allowing one U2F token is a bad idea, as losing (or breaking, depending on
construction) it is very easy.
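As an added illustration of the point above (example code written here, not from anyone in this thread): a TOTP seed is carried in full inside the otpauth:// URI behind the QR code, so every phone that scans it derives identical codes, and the only way to revoke one phone is to re-enrol all of them with a new seed. The URI below is constructed; its seed is the RFC 6238 SHA-1 test vector.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed otpauth:// URI of the kind an authenticator app reads from a QR code.
# The secret is the RFC 6238 test seed "12345678901234567890", base32-encoded.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def parse_otpauth(uri):
    """Return (secret_bytes, digits, period) from an otpauth://totp URI.
    The whole seed is in the URI: anyone who scans the QR code holds it."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    secret = q["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore base32 padding that some apps strip
    return (base64.b32decode(secret),
            int(q.get("digits", ["6"])[0]),
            int(q.get("period", ["30"])[0]))


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=6, period=30):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, unix_time // period, digits)


class AuthenticatorApp:
    """Model of one phone enrolled by scanning the same QR code."""
    def __init__(self, uri):
        self.secret, self.digits, self.period = parse_otpauth(uri)

    def code(self, unix_time):
        return totp(self.secret, unix_time, self.digits, self.period)


def codes_agree(uri, unix_time, n_devices=2):
    """Enrol n devices from one QR code and check they all produce the same code."""
    codes = {AuthenticatorApp(uri).code(unix_time) for _ in range(n_devices)}
    return len(codes) == 1


def verify_totp(secret, submitted, unix_time, window=1, digits=6, period=30):
    """Server-side check: accept +/- `window` time steps of clock drift,
    comparing in constant time so timing does not leak which digits matched."""
    step = unix_time // period
    return any(hmac.compare_digest(hotp(secret, step + d, digits), submitted)
               for d in range(-window, window + 1))
```

Because the server holds the same seed as every enrolled phone, losing any one phone means rotating the seed everywhere; a U2F registration, by contrast, is one key pair per token, which is why a service should let you register more than one.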

------
mrlambchop
Ordered 2 - great write-up.

Just pondering - did you disable JTAG on these devices before distributing
them?

------
taejo
BTW, Amazon seems to think they're storage devices, and is offering data
recovery plans.

------
akhilcacharya
I've been interested in building hardware-for-crypto too, great write up!

------
leetbulb
How cool, just ordered a few!

~~~
bigiain
I was going to:

"This item does not ship to Australia"

<sad face>

~~~
conorpp
I'm naive and didn't realize Amazon wouldn't ship internationally by default.
I just updated the listing to enable international shipping which should take
effect in a couple days. Thanks!

~~~
coffeecheque
Thanks heaps! It means a lot. Amazon is mostly a horrible place to shop for us
Australians.

Congrats on the write up/production too. Looking forward to ordering one ASAP.

------
happy-go-lucky
Isn't mobile phone 2FA more advantageous?

~~~
jnpatel
If you leave your U2F key in your laptop or PC, I find it to be much more
convenient than mobile 2FA. Just one tap and you're in... versus pulling out
your phone, unlocking, and typing in the code.

Btw, all U2F services allow you to fall back to phone 2FA if you're on an
unsupported device.

~~~
sliken
Better smartphone auth setups don't require typing in the code. Like Duo
Push.

