
Solo – Open-source FIDO2 security key - ecesena
https://www.kickstarter.com/projects/conorpatrick/solo-the-first-open-source-fido2-security-key-usb
======
red_admiral
If any FIDO experts are reading this, two technical questions:

1. Is there anything in the standard about proving to the server that you
have a genuine FIDO device that meets certain standards, and not, say, a piece
of software that is merely pretending to be a hardware security module? If so,
I presume the Solo will come with whatever certification / digital signature
is required?

2. My understanding of FIDO (v1) is that the only function a device has to
offer is authentication through digital signature, so a FIDO v1 device is no
use as an extra authentication factor to unlock a password manager without
"cloud" support (such as pwsafe) as it doesn't provide you with anything that
a hacker couldn't work around - as opposed to a token that stores a
cryptographic key and releases it when you press the button (which you can set
up a yubikey to do). Is this correct, and does FIDO2 change this situation?

~~~
ecesena
1. Yes, it's called attestation, and you can read more here [1]. For example,
recently Amazon launched support for U2F only allowing some yubikeys.

1b. Solo will have its own attestation certificate, so you'd be able to say "I
want/don't want to accept Solo". I believe this will be more valuable to
enterprise/closed environments than publicly available services, but of course
it's an option.

2. FIDO2 and "1" (U2F) work pretty much the same. The device signs a
challenge together with the hostname of the website you're visiting. There's
no release of any key material. Yubikeys, other than FIDO2/U2F, support other
protocols including OpenPGP or SSH, but this is kind of a different story.
Makes sense?

[1] [https://fidoalliance.org/fido-technotes-the-truth-about-attestation/](https://fidoalliance.org/fido-technotes-the-truth-about-attestation/)

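As an added illustration of point 2 above (example code written for this page, not code from the thread or from the Solo project): the Go program below builds the authenticatorData and clientDataJSON that a FIDO2/WebAuthn assertion is signed over, signs them with a freshly generated P-256 key standing in for the credential key, and then verifies the result the way the relying party does, showing that the same signature is rejected for a look-alike rpId or a tampered challenge. The rpId, origin and challenge are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// AuthData builds the authenticatorData prefix a FIDO2/U2F key signs over:
// SHA-256(rpId) || flags || 32-bit signature counter (extensions omitted).
func AuthData(rpID string, flags byte, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], counter)
	return append(append(h[:], flags), cnt[:]...)
}
// signedMessage is what both sides hash: authData || SHA-256(clientDataJSON).
func signedMessage(ad, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	return m[:]
}
// Sign plays the authenticator: browser supplies clientDataJSON (challenge + origin), key hashes rpId; no key material leaves.
func Sign(priv *ecdsa.PrivateKey, ad, clientDataJSON []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad, clientDataJSON))
}
// Verify plays the relying party: recompute the rpId hash for its own domain, then check the signature.
func Verify(pub *ecdsa.PublicKey, rpID string, ad, clientDataJSON, sig []byte) bool {
	want := sha256.Sum256([]byte(rpID))
	if len(ad) < 37 || !bytes.Equal(ad[:32], want[:]) {
		return false // assertion was produced for some other site
	}
	return ecdsa.VerifyASN1(pub, signedMessage(ad, clientDataJSON), sig)
}
// Demo signs one login for example.com and reports: genuine verifies, look-alike rpId verifies, tampered clientData verifies.
func Demo() (genuine, lookalike, tampered bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the credential key
	ad := AuthData("example.com", 0x01, 7)                       // flag 0x01 = user present (button press)
	// Constructed clientDataJSON as a browser would build it; the challenge is a sample value.
	cd := []byte(`{"type":"webauthn.get","challenge":"c29sby1jaGFsbGVuZ2U","origin":"https://example.com"}`)
	sig, _ := Sign(priv, ad, cd)
	return Verify(&priv.PublicKey, "example.com", ad, cd, sig),
		Verify(&priv.PublicKey, "examp1e.com", ad, cd, sig),
		Verify(&priv.PublicKey, "example.com", ad, append(cd, ' '), sig)
}
```
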
~~~
red_admiral
Makes sense, thanks - and congratulations on how the kickstarter is going so
far!

Is Solo going to support the HMAC extension that @agl talked about below?

------
zaarn
That's great to see that this is going kickstarter, I'll throw in something
for a solo key later.

Seems this is also a lot cheaper than a yubikey while also being fairly
hackable.

Great job <3

~~~
tanderson92
I don't see any mention of smartcard/PGP features (or rsa4096), which makes
this a non-starter for me. Sometimes the extra cost is associated with extra
features.

~~~
ecesena
We're working on it, it's been the top feature request. We didn't want to
over-promise in the Kickstarter, but we support firmware upgrades, so it'll be
easy to add as soon as it's ready.

~~~
tanderson92
Thanks! That’s awesome to hear.

------
ecesena
For those interested, this is the open source code:
[https://github.com/SoloKeysSec/solo](https://github.com/SoloKeysSec/solo)

------
jxcl
Right now the killer feature of yubikeys for me is the fact that they're
waterproof and have no physical buttons to wear out, making them effectively
indestructible on my keychain.

I'm still waiting for another manufacturer to even come close to the physical
design of yubikeys.

~~~
ecesena
For the button we explicitly wanted to do something different because some
people like the physical feedback.

But being open, you can take the design, change the button to be a touch
sensor, and make your own. If anyone does it, please keep us posted, we want
to support you!

------
Bedon292
Why would I choose this over the Yubikey, or even Google's offering? And I
didn't see on the kickstarter (I may have missed it), where are these being
produced? I know people were not interested in Google's because they were
being made in China.

~~~
red_admiral
I think "open source" is the key selling point, along with being able to hack
on the hardware and reflash the firmware.

I'm 5/5 happy with my current yubikeys, but I'm also really glad that there's
competition in this area and not a monoculture.

~~~
ecesena
I'm also 5/5 happy with my yubikeys!

Yubico is also a very open company. What is closed today is the industry of
secure processors, and this is what we hope we can change.

Plus, with more and more open source, we can expect more and more adoption of
the standard. Ten years ago there was spam, now it's gone. Now there's
phishing, maybe in a few years it'll be gone too.

------
subway
_$200K - Hidden Surprise!_

I'm not sure how much I like an open source security appliance coming with a
"hidden surprise".

~~~
ecesena
Thank you for the feedback. Just to clarify, stretch goals won't touch
hardware/security, just special offers that everybody can benefit from.
Examples: more colors, free upgrade to USB-C.

------
sctb
We've removed “Show HN” on account of a previous one:

[https://news.ycombinator.com/item?id=18035079](https://news.ycombinator.com/item?id=18035079)

also discussed here:

[https://news.ycombinator.com/item?id=17778262](https://news.ycombinator.com/item?id=17778262)

~~~
itp
That's a shame, since this one is announcing the kickstarter, and those
weren't. And there was obvious interest, as well as interesting discussion, on
this post.

~~~
ecesena
Actually, we've received a clarification. 1) fundraisers are excluded from
Show HN, it's in the FAQ, and sorry I missed that. 2) the community is
generally sensitive to being marketed, and as much as we were enjoying the
discussion, others flagged/reported this post.

Everything considered, this is a fair decision.

------
maltalex
Congrats for launching!

The kickstarter page mentions that Solo supports U2F and Fido2. What else does
it support?

Is it like the Yubico "security key" with just U2F and fido2 or does it
support OTP, OpenPGP, Smart cards, PKCS11? How long are the keys it stores?

Oh, and if it doesn't support some or any of that stuff, is it a software or a
hardware limitation?

~~~
red_admiral
"By having signed code we can offer firmware upgrade, to release new features
such as OpenPGP ..."

I read this as they don't support OpenPGP yet, but they do say "256 KB of
memory to support hardened crypto implementations and OpenPGP" so I'd guess
it's on the to-do list.

~~~
ecesena
Yes, correct. Top feature request so far. We're just really busy with the
Kickstarter now, so we can't commit on a date yet.

------
mike-cardwell
Looks good, but the form factor of the Yubikey Nano is much nicer for laptops.
Once it's in, you just leave it in there, and you don't need to worry about
knocking/bending/snapping it.

I could see one of these living in my desktop, but then I'd choose a Yubikey
over it again for the OpenPGP support.

I'm already using a separate Yubikey with my phone over NFC. I'm pretty sure
that won't work when I get my Librem 5 though. I don't even think that's coming
with NFC. But my new option for the Librem will probably end up being another
Yubikey instead of this. Specifically the 4C Nano, as I will hopefully be able
to stick it in the phone's USB-C port and let it live there whilst it's not
charging.

So, looks good, but not for me. Hopefully you're a success and are able to
bring out some different form factors at some point in the future.

~~~
hoos97
You only have to leave the key in by choice. For example, I use my Solo to
authenticate login for Google. But I only need it on login... which really
doesn't happen very often from my laptop. So I am not leaving my key embedded
in my laptop, which presents a problem if you actually have your laptop lifted
at Starbucks!

~~~
mike-cardwell
Yeah, I choose to leave it in there, so I don't have to think about it. For
me, that's the thing that finally switched using 2FA from being a burden to
neutral.

I have multiple Yubikeys, and fall back to TOTP on my phone and watch, so if
my laptop is lifted, I will care about the financial/inconvenience loss of the
laptop, but not the Yubikey.

------
liuw
I'm really excited to see this project. Looking forward to receiving my two
Solo Tap keys!

P.S. OpenPGP is a must for me. Hope to see an update for that soon.

------
madjam002
Looks awesome. One thing though regarding iOS - I hope Apple don't just open
up NFC more, but implement FIDO2 (CTAP2 and Webauthn) utilizing the secure
enclave on the device with Face ID. I don't know enough about it, but surely
it should be possible and it would make for a great user experience if they
did!

~~~
tstevens
They are implementing Webauthn in webkit (including iOS)
[https://bugs.webkit.org/show_bug.cgi?id=181943](https://bugs.webkit.org/show_bug.cgi?id=181943)

Looks like NFC support may be coming as well
[https://bugs.webkit.org/show_bug.cgi?id=188624](https://bugs.webkit.org/show_bug.cgi?id=188624)

~~~
madjam002
Oh wow I had no idea, I will be keeping an eye out for those! Thanks for the
links!

------
ac29
"Note that to reflash a regular Solo key you have to connect via the debug
interface, as for security reasons our firmware only allows signed code
upgrade"

Which debug interface is this? JTAG? Something else?

~~~
ecesena
Conor wrote a post about this: [https://conorpp.com/3d-printing-a-programming-jig-and-embedding-pogo-pins-using-eagle-and-fusion-360](https://conorpp.com/3d-printing-a-programming-jig-and-embedding-pogo-pins-using-eagle-and-fusion-360)

We're planning to release the Solo for Hackers "unlocked", meaning we'll
disable the check for signed upgrades, so it'll be easier to flash via USB as
well.

------
craftyguy
Does the 'Solo Tap' require additional software on an Android device? For
example, would this work with LineageOS or does it require some Google blob
crap?

~~~
ecesena
FIDO2 is standardized and backward compatible with U2F, so any browser (or
app) with this support should work. Specifically, they should support CTAP1/2
over NFC (or USB). I asked the team; we're not really familiar with
LineageOS, but we'll try to do some tests.

~~~
craftyguy
Thanks for the response. LineageOS is just a fork of AOSP, and doesn't ship
any Google blobs that you would find in the Android images from Google and
most manufacturers.

------
lhlmgr
Already pledged! Was looking forward to it! Keep it up!

------
nimbius
Pledged 50! Looking forward to seeing a little OpenPGP on this guy!

------
hiven
Awesome! Pledged

