I don't see any mention of smartcard/PGP features (or rsa4096), which makes this a non-starter for me. Sometimes the extra cost is associated with extra features.
We're working on it, it's been the top feature request. We didn't want to over promise in the Kickstarter, but we support firmware upgrade, so it'll be easy to add as soon as it's ready.
Does the 'solo tap' require additional software on an Android device? For example, would this work with LineageOS or does it require some google blob crap?
FIDO2 is standardized and backward compatible with U2F, so any browser (or app) with this support should work. Specifically, they should support CTAP1/2 over NFC (or USB). I asked in the team, we're not really familiar with LineageOS, but we'll try to do some tests.
Thanks for the response. LineageOS is just a fork of AOSP, and doesn't ship any google blobs that you would find in the android images from google and most manufacturers.
Looks awesome. One thing though regarding iOS - I hope Apple don't just open up NFC more, but implement FIDO2 (CTAP2 and Webauthn) utilizing the secure enclave on the device with Face ID. I don't know enough about it, but surely it should be possible and it would make for a great user experience if they did!
If any FIDO experts are reading this, two technical questions:
1. Is there anything in the standard about proving to the server that you have a genuine FIDO device that meets certain standards, and not say a piece of software that is merely pretending to be a hardware security module? If so, I presume the Solo will come with whatever certification / digital signature is required?
2. My understanding of FIDO (v1) is that the only function a device has to offer is authentication through digital signature, so a FIDO v1 device is no use as an extra authentication factor to unlock a password manager without "cloud" support (such as pwsafe) as it doesn't provide you with anything that a hacker couldn't work around - as opposed to a token that stores a cryptographic key and releases it when you press the button (which you can set up a yubikey to do). Is this correct, and does FIDO2 change this situation?
> Is there anything in the standard about proving to the server that you have a genuine FIDO device
Yes. When registering a credential you can request[1] attestation information. Generally this will come in the form of an X.509 certificate[2] per batch of 100,000 devices which is signed by the manufacturer and which signs the generated key.
FIDO is planning on running a central registry[3] of devices which should include their certifications and manufacturer public keys etc.
For more details, see [4].
> My understanding of FIDO (v1) is that the only function a device has to offer is authentication through digital signature.
That's correct: CTAP1 just signs things. You can prove to a remote service that the credential is in live use right now because it signs over a server-provided nonce to show freshness, but that's all.
With CTAP2, devices can store keys themselves and they can provide a random oracle (i.e. HMAC) for unlocking locally encrypted data[5]. FIDO2 devices can also require a PIN to be provided before keys are released. (Or have a local fingerprint reader, although I don't know of any such devices yet.)
1. Yes, it's called attestation, and you can read more here [1]. For example recently Amazon launched support for U2F only allowing some yubikeys.
1b. Solo will have its own attestation certificate, so you'd be able to say I wan't/don't want to accept Solo. I believe this will be more valuable to enterprise/closed environments that publicly available services, but of course an option.
2. FIDO2 and "1" (U2F) work pretty much the same. The device signs a challenge together with the hostname of the website you're visiting. There's no release of any key material. Yubikes, other than FIDO2/U2F, support other protocols including OpenPGP or SSH, but this is kind of a different story. Makes sense?
Why would I choose this over the Yubikey, or even Google's offering? And I didn't see on the kickstarter (I may have missed it), where are these being produced? I know people were not interested in Google's because they were being made in China.
Yubico is also a very open company. What is closed today is the industry of secure processors, and this is what we hope we can change.
Plus, with more and more open source, we can expect more and more adoption of the standard. Ten years ago there was spam, now it's gone. Now there's phishing, maybe in a few years it'll be gone too.
Thank you for the feedback - Just to clarify, stretch goals won't touch hardware/security, just special offers that everybody can benefit from. Examples more colors, free upgrade to usb-c.
"By having singed code we can offer firmware upgrade, to release new features such as OpenPGP ..."
I read this as they don't support OpenPGP yet, but they do say "256 KB of memory to support hardened crypto implementations and OpenPGP" so I'd guess it's on the to-do list.
Right now the killer feature of yubikeys for me is the fact that they're waterproof and have no physical buttons to wear out, making them effectively indestructible on my keychain.
I'm still waiting for another manufacturer to even come close to the physical design of yubikeys.
For the button we explicitly wanted to do something different because some people like the physical feedback.
But being open, you can take the design, change the button to be a touch sensor, and make your own. If anyone does it, please keep us posted, we want to support you!
Looks good, but the form factor of the Yubikey Nano is much nicer for laptops. Once it's in, you just leave it in there, and you don't need to worry about knocking/bending/snapping it.
I could see one of these living in my desktop, but then I'd choose a Yubikey over it again for the OpenPGP support.
I'm already using a separate Yubikey with my phone over NFC. I'm pretty sure that wont work when I get my librem 5 though. I don't even think that's coming with NFC. But my new option for Librem will probably end up being another Yubikey instead of this. Specifically the 4C Nano, as I will hopefully be able to stick it in the phones USB-C port and let it live there whilst it's not charging.
So, looks good, but not for me. Hopefully you're a success and are able to bring out some different form factors at some point in the future.
You only have to leave the key in by choice. For example, I use my Solo to authenticate login for google. But, I only need it on login....which really doesn't happen very often from my laptop. So, I am not leaving my key embedded in my laptop, which presents a problem if you actually have your laptop lifted at Starbucks!
Yeah, I choose to leave it in there, so I don't have to think about it. For me, that's the thing that finally switched using 2FA from being a burden, to neutral.
I have multiple Yubikeys, and fall back to TOTP on my phone and watch, so if my laptop is lifted, I will care about the financial/inconvenience loss of the laptop, but not the Yubikey.
That's a shame, since this one is announcing the kickstarter, and those weren't. And there was obvious interest, as well as interesting discussion, on this post.
Actually, we've received a clarification. 1) fundraisers are excluded from Show HN, it's in the FAQ, and sorry I missed that. 2) the community is generally sensitive to being marketed, and as much as we were enjoying the discussion, others flagged/reported this post.
"Note that to reflash a regular Solo key you have to connect via the debug interface, as for security reasons our firmware only allows signed code upgrade"
Which debug interface is this? JTAG? Something else?
We're planning to release the Solo for Hackers "unlocked", meaning we'll disable the check for signed upgrade, so it'll be easier to flash also via usb.
46 comments
[ 3.6 ms ] story [ 1145 ms ] threadSeems this is also a lot cheaper than a yubikey while also being fairly hackable.
Great job <3
And the support we've received is beyond any expectation, we reached the goal in 19 minutes!
Looks like NFC support may be coming as well https://bugs.webkit.org/show_bug.cgi?id=188624
https://www.yubico.com/2018/05/yubikey-comes-to-iphone-with-...
1. Is there anything in the standard about proving to the server that you have a genuine FIDO device that meets certain standards, and not say a piece of software that is merely pretending to be a hardware security module? If so, I presume the Solo will come with whatever certification / digital signature is required?
2. My understanding of FIDO (v1) is that the only function a device has to offer is authentication through digital signature, so a FIDO v1 device is no use as an extra authentication factor to unlock a password manager without "cloud" support (such as pwsafe) as it doesn't provide you with anything that a hacker couldn't work around - as opposed to a token that stores a cryptographic key and releases it when you press the button (which you can set up a yubikey to do). Is this correct, and does FIDO2 change this situation?
Yes. When registering a credential you can request[1] attestation information. Generally this will come in the form of an X.509 certificate[2] per batch of 100,000 devices which is signed by the manufacturer and which signs the generated key.
FIDO is planning on running a central registry[3] of devices which should include their certifications and manufacturer public keys etc.
For more details, see [4].
> My understanding of FIDO (v1) is that the only function a device has to offer is authentication through digital signature.
That's correct: CTAP1 just signs things. You can prove to a remote service that the credential is in live use right now because it signs over a server-provided nonce to show freshness, but that's all.
With CTAP2, devices can store keys themselves and they can provide a random oracle (i.e. HMAC) for unlocking locally encrypted data[5]. FIDO2 devices can also require a PIN to be provided before keys are released. (Or have a local fingerprint reader, although I don't know of any such devices yet.)
[1] https://www.w3.org/TR/webauthn/#attestation-convey [2] https://www.w3.org/TR/webauthn/#fido-u2f-attestation [3] https://fidoalliance.org/mds/ [4] https://www.imperialviolet.org/2018/03/27/webauthn.html#atte... [5] https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-cl...
A FIDO2 device with fingerprint reader was supposedly launched at RSA 2018 [1][2].
[1] https://mobileidworld.com/fido2-compliant-usb-key-fingerprin...
[2] https://www.slideshare.net/FIDOAlliance/fido-kwg-tech-semina...
But I couldn't find where to buy it.
1b. Solo will have its own attestation certificate, so you'd be able to say I wan't/don't want to accept Solo. I believe this will be more valuable to enterprise/closed environments that publicly available services, but of course an option.
2. FIDO2 and "1" (U2F) work pretty much the same. The device signs a challenge together with the hostname of the website you're visiting. There's no release of any key material. Yubikes, other than FIDO2/U2F, support other protocols including OpenPGP or SSH, but this is kind of a different story. Makes sense?
[1] https://fidoalliance.org/fido-technotes-the-truth-about-atte...
Is Solo going to support the HMAC extension that @agl talked about below?
I'm 5/5 happy with my current yubikeys, but I'm also really glad that there's competition in this area and not a monoculture.
Yubico is also a very open company. What is closed today is the industry of secure processors, and this is what we hope we can change.
Plus, with more and more open source, we can expect more and more adoption of the standard. Ten years ago there was spam, now it's gone. Now there's phishing, maybe in a few years it'll be gone too.
For the production. The ST processor is fabricated in Europe. The PCBs are assembled in China. The programming and testing is done in the US.
I'm not sure how much I like an open source security appliance coming with a "hidden surprise".
The kickstarter page mentions that Solo supports U2F and Fido2. What else does it support?
Is it like the Yubico "security key" with just U2F and fido2 or does it support OTP, OpenPGP, Smart cards, PKCS11? How long are the keys it stores?
Oh, and if it doesn't support some or any of that stuff, is it a software or a hardware limitation?
I read this as they don't support OpenPGP yet, but they do say "256 KB of memory to support hardened crypto implementations and OpenPGP" so I'd guess it's on the to-do list.
I'm still waiting for another manufacturer to even come close to the physical design of yubikeys.
But being open, you can take the design, change the button to be a touch sensor, and make your own. If anyone does it, please keep us posted, we want to support you!
I could see one of these living in my desktop, but then I'd choose a Yubikey over it again for the OpenPGP support.
I'm already using a separate Yubikey with my phone over NFC. I'm pretty sure that wont work when I get my librem 5 though. I don't even think that's coming with NFC. But my new option for Librem will probably end up being another Yubikey instead of this. Specifically the 4C Nano, as I will hopefully be able to stick it in the phones USB-C port and let it live there whilst it's not charging.
So, looks good, but not for me. Hopefully you're a success and are able to bring out some different form factors at some point in the future.
I have multiple Yubikeys, and fall back to TOTP on my phone and watch, so if my laptop is lifted, I will care about the financial/inconvenience loss of the laptop, but not the Yubikey.
https://news.ycombinator.com/item?id=18035079
also discussed here:
https://news.ycombinator.com/item?id=17778262
Did you also apply a penalty? We jumped from #4 to #50, and we have more votes, comments, and are newer than nyt currently in fp.
Everything considered, this is a fair decision.
P.S. OpenPGP is a must for me. Hope to see update for that soon.
Which debug interface is this? JTAG? Something else?
We're planning to release the Solo for Hackers "unlocked", meaning we'll disable the check for signed upgrade, so it'll be easier to flash also via usb.