
FIDO2 security key company publishes results of internal security audit - conorpp
https://blog.doyensec.com/2020/02/19/solokeys-audit.html
======
StavrosK
I see a lot of confusion in this thread (warranted, because it's a confusing
subject), and I want to clarify a few things:

U2F is the old standard, it is only meant be used as a second factor.

WebAuthn is the new standard, it has different modes for usage as a second
factor, first factor and single factor (usernameless). Only the usernameless
mode requires state on the client side.

Usernameless strikes me as the holy grail of authentication, where we don't
need to remember any usernames or passwords (or even have them), but I haven't
seen any websites that support usernameless authentication, other than demo
ones and my own.

If you want to see what a usernameless flow looks like, you can visit
[https://www.deadmansswitch.net/](https://www.deadmansswitch.net/). You have
to log in with an email link first, and then associate your FIDO2 credential
with it. You don't need a hardware key, for example on phones you can use your
fingerprint reader and it will work fine.

The problem with hardware keys, and which is not mentioned anywhere, is that
because usernameless requires storage on the key, Yubikeys only support a
maximum of 25 sites you can authenticate with.

In order to further my goal of some day ditching password managers, I also
made a Django library for usernameless logins which you can use today on your
Django sites:

[https://pypi.org/project/django-webauthin/](https://pypi.org/project/django-
webauthin/)

~~~
subleq
When I try to create an account, I get an error message:

> Your security key can't be used with this site

> www.deadmansswitch.net may require a newer or different kind of security key

This is with a Yubico Security Key 2 which I thought supported FIDO2.

~~~
StavrosK
You can't create an account with a key on that site, you can only use it to
log in after you associate it to the site.

------
talkingtab
I am probably wrong, but I think Fido2 keys should be ubiquitous. They provide
a hardened solution for some security situations, certainly they could be a
good 2nd factor or 3rd, and hopefully they could reduce the password madness
we have. Yubico appears focused on the enterprise and high end users resulting
in higher prices. Solokeys seems more focused on individual users with lower
prices.

Disclaimer I have two Yubico keys, and two Solokeys and they all work for me,
but I don't need the extra functionality of the more expensive Yubico keys.

~~~
pooloo1
Don't get me wrong I love the idea of physical/hardware security; however,
isn't the reason it is so effective right now because it is not mainstream?

~~~
tptacek
Go on...?

~~~
pooloo1
Having a few vaults with security guards is a great deterrence as the reward
is little for the high risk. Having many vaults with security guards draws a
bit more attention...

~~~
rsnor
I’m having trouble understanding what you’re saying.

You’d think we’d be better off even with the higher attention, were it to
exist, because the level of attention going into making FIDO2 as secure as
possible would scale with its userbase. Same with any other security solution
being implemented.

------
toastal
I have two OnlyKeys I backup against the other to handle the lack of ubiquity
of FIDO2. So many places are still only using SMS, but as an alternative, have
built proprietary, in-app authentication systems that can't be audited. I had
a phone break, and I wanted to purchase a new phone online to have it ship
when I returned; and I couldn't access my remote work paycheck transfer (in-
app), I couldn't log into my bank (SMS + in a different country so not the
same SIM), and I couldn't log into the more popular online shopping (SMS).

Auth needs to be able to be decoupled from phones. With the OnlyKey, I've
stored the important TOTP keys as well like my email as well as password for
my password manager. Being as 'dumb' as they are, I've had it go through the
wash still working fine.

~~~
cuu508
If your bank is in EU, you can ask them to look into this EU regulation about
strong authentication methods:

[https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A...](https://eur-
lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018R0389)

> Dynamic linking is possible through the generation of authentication codes
> which is subject to a set of strict security requirements. To remain
> technologically neutral a specific technology for the implementation of
> authentication codes should not be required. Therefore authentication codes
> should be based on solutions such as generating and validating one-time
> passwords, digital signatures or other cryptographically underpinned
> validity assertions using keys or cryptographic material stored in the
> authentication elements, as long as the security requirements are fulfilled.

My bank (Swedbank Latvia) used this regulation as a pretext for removing
authentication via passwords + code cards. They didn't do too well on the
"technologically neutral" part though – you now have to use proprietary
software or hardware to authenticate :-/

------
zackify
Excited to see an open source hardware key solution on the market to compete
with yubico.

I’ve been working on my own saas app to handle authentication for any app
using the web authentication framework.

hoping we start seeing more options to login using only hardware (plus pin to
be extra safe) on all websites.

~~~
ecesena
To date, the core of our firmware is also used by NitroKey [1], Signet HC [2]
and OnlyKey [3]. We did a pretty significant refactor [4] to make the lib even
easier to use as part of our MOSS award [5].

Hopefully we'll see even more products -and thus user adoption- of
fido2/webauthn.

If anyone is reading, has a hardware project and would like to add fido2
functionality, please reach out!

[1] [https://shop.nitrokey.com/shop/product/nitrokey-
fido2-55](https://shop.nitrokey.com/shop/product/nitrokey-fido2-55)

[2] [https://www.crowdsupply.com/nth-dimension/signet-high-
capaci...](https://www.crowdsupply.com/nth-dimension/signet-high-capacity)

[3] [https://crp.to/2019/10/onlykey-beta8-release-
announcement/](https://crp.to/2019/10/onlykey-beta8-release-announcement/)

[4]
[https://github.com/solokeys/solo/pull/344](https://github.com/solokeys/solo/pull/344)

[5] [https://medium.com/solokeyssec/solokeys-achieves-
fido2-certi...](https://medium.com/solokeyssec/solokeys-achieves-
fido2-certification-thanks-to-mozilla-4c9ea52c05dd)

------
ShakataGaNai
I got a Solokey as part of the Kickstarter and love em. USB-C + NFC in one
device.

The one thing I'd love out of a security key is the ability to set up a
"Twinned Pair". So I can have one key on my keychain that I use everyday and
one I keep in my safe in case something happens to the primary. Yes, I know
some services support multiple security keys - but setting up two is more work
and not all services do support two.

~~~
girvo
I definitely would like the requirement to allow multiple keys to be a part of
the standard. Allowing it at the key level seems dangerous to me, perhaps, in
allowing an attacker to perhaps "clone" someone's key that hasn't setup a pair
yet, though of course I'm sure there's mitigations for that if it was
seriously proposed!

I have two Yubikeys, one in a safe and one on my person. It saved my butt when
I lost access to the one on my person for a few days!

~~~
arianvanp
The fido2 protocol involves a counter that allows the server to detect cloning
of a device :)

------
ghostpepper
Who is this company and why would I buy a key from them instead of Yubico?

~~~
roblabla
SoloKeys appear to use open source firmware, whereas Yubico's firmware is
closed source since the Yubikey 4 I believe. Other than that, they seem about
the same. SoloKeys is a lot younger and missing a couple of Yubikey Neo's
bigger features (like PGP support).

~~~
ecesena
OpenPGP is arriving, will be available via firmware upgrade.

[https://github.com/solokeys/openpgp](https://github.com/solokeys/openpgp)

~~~
XMPPwocky
Note that for a PGP key, the idea of using cheap microcontrollers is
_significantly_ worse.

U2F/FIDO2, sure, whatever- the worst failure state there is "your account is
only secured by a password", and more likely attacks require physical access.
I could post the secrets off the security key I use for my Google account
right now and...eh, I'd probably be fine.

PGP? Ohohohoh. Now we're talking about long-term keys and non-forward-secure
crypto.

If I leak your keys _once_ \- say, through power analysis, glitching,
whatever- I can decrypt everything that has ever been encrypted for that key,
and everything that ever will be. Compromise is total. Grab the device while
it's unlocked, or use a camera, keylogger, or shoulder-surf to get your PIN-
or just crack it, decrypting the encrypted keyblobs from flash ... the only
thing protecting you is a barely-above-popcorn Cortex-M.

At that point, just use the fTPM in your CPU. Otherwise... hardened hardware
is _much_ more important for PGP.

If I had to design a PGP key storage mechanism, I'd probably use a reasonably
well-known, well-tested "secure microprocessor"\- or a 'TPM-on-a-chip'
connected to an untrusted microcontroller (which would be basically just an
adapter/protocol translato...hm, no, plaintext would still go across its bus,
right? Forget the gpgcard spec right now, might do some link encryption, but
that would be good and it's GPG so it probably doesn't. Yeah, no, I think you
need the full stack on one die- or else open to attacks like replacing the
untrusted microcontroller with one that logs all plaintexts it sees (and...is
gpgcard challenge-response? Gotta be ...but if not, can log the pin
too...anyways, ignore this aside))

Anyways, a secure microcontroller- hardware crypto engine so the
microcontroller code never sees raw key material, hardware rate
limiting/lockout if possible, reasonable secure boot, maybe even disable
firmware upgrades entirely, self-zeroizes if you sneeze at the wrong time,
etc. Attacks are still possible, but the cost goes WAY up- at least past the
six figure mark, hopefully.

I'd also ban all use of RSA private keys- too easy to mess up generation, and
especially since we're "secure hardware" now which means, apparently, we can't
generate primes too good. No, EC keys exclusively.

Anyways ...a commodity STM32 is fine for fido2. Not great, but it's fine.

It's almost a nonstarter for PGP, and honestly any PGP support needs a _giant_
warning label that it shouldn't be relied on to protect against physical
attacks.

~~~
danieldk
_If I leak your keys once- say, through power analysis, glitching, whatever- I
can decrypt everything that has ever been encrypted for that key, and
everything that ever will be._

Doesn't it depend on the threat model? If your thread model does not include
physical access compromise, then the commodity STM32 approach is quite ok
right? At least, in most cases it provides more security than storing the
private key on disk.

I do agree that given the low prices of secure elements it is surprising that
keys still don't use them. But that may depend on the lower-priced parts not
being fit for FIDO2 or OpenPGP (though the Nitrokey FIDO does use an
ATECC608A).

------
moooo99
Physical hardware seems like a promising replacement for passwords. But is
there any real adoption in consumer services right now? The only two services
I know that suppport Fido2 are Google and GitHub. Are there any other big
services I'm missing here?

~~~
ecesena
Microsoft supports passwordless login (you can try it out on outlook.com —
some ppl refer to this as username less).

Dropbox is also an early adopter.

Plus you have all the u2f that are back compat, including facebook, twitter,
aws, gitlab... (I may have confuse some u2f that already moved to webauthn, if
so, sorry).

Considering that webauthn was standardized last March and that ios still has
no in-app support, that’s a pretty good start, I think.

~~~
tialaramex
So the reason for the usernameless / passwordless distinction goes like this:

U2F was explicitly designed only as a second factor. ("Universal 2nd Factor")
but WebAuthn is not.

Even with U2F you could (it wasn't recommended) just not actually have
passwords. Use their second factor as your only factor. In this scenario the
user needs to provide their username (email address, whatever you're using)
because their FIDO token doesn't know who they are either -- it needs to be
presented with a cookie [which it gave the site when the user registered to
use this FIDO token], and you've probably got a database table mapping users
to cookies and public keys.

In FIDO2 the token is capable of handling resident credentials. No cookie,
resident credentials are permanently inside the token itself.

The massive downside of this is that obviously the token has finite storage
for such credentials, a Yubikey can store 25. Whereas for ordinary FIDO (all
the WebAuthn deployments I've seen outside Microsoft) there's no practical
limit.

The upside is that since the token has your credentials it can now do the
entire sign-in, no need for even a username so the login flow is much nicer.

Of course while convenient on its own that's arguably worse security - if a
bad guy steals your token they're in without even knowing your username, much
like the proximity card badges often used for site access. So the fix is that
a FIDO2 token in this mode can be (usually will be) set to require a PIN or
some other factor. This seems like we're back to passwords again, but it's
different because the extra factor is local to your device. Bad guys can't
steal PINs from devices in bulk or brute force them, they need to steal your
FIDO2 token and then brute force that somehow.

~~~
throw7
Is this right... so in FIDO2, the website only has to store the public key of
the token (which will get sent on registration/signup and mapped to a userid)?

~~~
tialaramex
Not _the_ public key, that would violates FIDO's design requirement forbidding
correlation. A key pair is minted during registration and the relying party
(web site) remembers that specific public key. The FIDO2 device remembers
which site it was and its corresponding private key.

That's why it needs storage for each such resident credential on the FIDO2
token.

------
dochtman
So I have a SoloKey. How do I check what firmware it is running? Is the
firmware upgraded automatically, or do I have to do something? The SoloKey
website from some quick skimming doesn't seem to have any information on the
topic.

~~~
Iolaum
Their github repository of their python command line tool should have all the
info you need.

[https://github.com/solokeys/solo-python](https://github.com/solokeys/solo-
python)

~~~
jniles
I just did an upgrade to a few keys a couple days ago using solo-python and it
was a breeze. Note that you might need to add the udev rules to your Linux
machine if they are not detected as explained here:
[https://docs.solokeys.dev/solo/udev/](https://docs.solokeys.dev/solo/udev/)

------
Jupe
Oh my... I saw FIDO2 and immediately (for some reason) thought it was a
resurgence of FidoNet:
[https://en.wikipedia.org/wiki/FidoNet](https://en.wikipedia.org/wiki/FidoNet)
and somehow someone built a new FidoNet with security and audits.

------
baybal2
I was wondering if there is any driverless USB smartcard that can speak GIDS?

The GIDS login for our sysadmin worked wonderfully, but the downside is the
reader.

~~~
ThePowerOfFuet
Have you tried PIV in place of GIDS?

~~~
baybal2
No

