46 comments

[ 3.6 ms ] story [ 1145 ms ] thread
That's great to see that this is going kickstarter, I'll throw in something for a solo key later.

Seems this is also a lot cheaper than a yubikey while also being fairly hackable.

Great job <3

Thank you so much! It's been an adventure... it's incredibly exciting to be live.

And the support we've received is beyond any expectation, we reached the goal in 19 minutes!

I don't see any mention of smartcard/PGP features (or rsa4096), which makes this a non-starter for me. Sometimes the extra cost is associated with extra features.
We're working on it, it's been the top feature request. We didn't want to over promise in the Kickstarter, but we support firmware upgrade, so it'll be easy to add as soon as it's ready.
already pledged! Was looking forward to it! Keep up!
pledged 50! looking forward to seeing a little openPGP on this guy!
Does the 'solo tap' require additional software on an Android device? For example, would this work with LineageOS or does it require some google blob crap?
FIDO2 is standardized and backward compatible with U2F, so any browser (or app) with this support should work. Specifically, they should support CTAP1/2 over NFC (or USB). I asked in the team, we're not really familiar with LineageOS, but we'll try to do some tests.
Thanks for the response. LineageOS is just a fork of AOSP, and doesn't ship any google blobs that you would find in the android images from google and most manufacturers.
Awesome! Pledged
Looks awesome. One thing though regarding iOS - I hope Apple don't just open up NFC more, but implement FIDO2 (CTAP2 and Webauthn) utilizing the secure enclave on the device with Face ID. I don't know enough about it, but surely it should be possible and it would make for a great user experience if they did!
If any FIDO experts are reading this, two technical questions:

1. Is there anything in the standard about proving to the server that you have a genuine FIDO device that meets certain standards, and not say a piece of software that is merely pretending to be a hardware security module? If so, I presume the Solo will come with whatever certification / digital signature is required?

2. My understanding of FIDO (v1) is that the only function a device has to offer is authentication through digital signature, so a FIDO v1 device is no use as an extra authentication factor to unlock a password manager without "cloud" support (such as pwsafe) as it doesn't provide you with anything that a hacker couldn't work around - as opposed to a token that stores a cryptographic key and releases it when you press the button (which you can set up a yubikey to do). Is this correct, and does FIDO2 change this situation?

From looking at the design docs, Solo doesn't use the ARM TrustZone, yet, so it can't validate firmware.
> Is there anything in the standard about proving to the server that you have a genuine FIDO device

Yes. When registering a credential you can request[1] attestation information. Generally this will come in the form of an X.509 certificate[2] per batch of 100,000 devices which is signed by the manufacturer and which signs the generated key.

FIDO is planning on running a central registry[3] of devices which should include their certifications and manufacturer public keys etc.

For more details, see [4].

> My understanding of FIDO (v1) is that the only function a device has to offer is authentication through digital signature.

That's correct: CTAP1 just signs things. You can prove to a remote service that the credential is in live use right now because it signs over a server-provided nonce to show freshness, but that's all.

With CTAP2, devices can store keys themselves and they can provide a random oracle (i.e. HMAC) for unlocking locally encrypted data[5]. FIDO2 devices can also require a PIN to be provided before keys are released. (Or have a local fingerprint reader, although I don't know of any such devices yet.)

[1] https://www.w3.org/TR/webauthn/#attestation-convey [2] https://www.w3.org/TR/webauthn/#fido-u2f-attestation [3] https://fidoalliance.org/mds/ [4] https://www.imperialviolet.org/2018/03/27/webauthn.html#atte... [5] https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-cl...

1. Yes, it's called attestation, and you can read more here [1]. For example recently Amazon launched support for U2F only allowing some yubikeys.

1b. Solo will have its own attestation certificate, so you'd be able to say I wan't/don't want to accept Solo. I believe this will be more valuable to enterprise/closed environments that publicly available services, but of course an option.

2. FIDO2 and "1" (U2F) work pretty much the same. The device signs a challenge together with the hostname of the website you're visiting. There's no release of any key material. Yubikes, other than FIDO2/U2F, support other protocols including OpenPGP or SSH, but this is kind of a different story. Makes sense?

[1] https://fidoalliance.org/fido-technotes-the-truth-about-atte...

Makes sense, thanks - and congratulations on how the kickstarter is going so far!

Is Solo going to support the HMAC extension that @agl talked about below?

Why would I choose this over the Yubikey, or even Google's offering? And I didn't see on the kickstarter (I may have missed it), where are these being produced? I know people were not interested in Google's because they were being made in China.
I think "open source" is the key selling point, along with being able to hack on the hardware and reflash the firmware.

I'm 5/5 happy with my current yubikeys, but I'm also really glad that there's competition in this area and not a monoculture.

I'm also 5/5 happy with my yubikeys!

Yubico is also a very open company. What is closed today is the industry of secure processors, and this is what we hope we can change.

Plus, with more and more open source, we can expect more and more adoption of the standard. Ten years ago there was spam, now it's gone. Now there's phishing, maybe in a few years it'll be gone too.

Openness? Price? Colors? NFC+USB-C? I guess it depends, we're just offering more choice.

For the production. The ST processor is fabricated in Europe. The PCBs are assembled in China. The programming and testing is done in the US.

Solo has some sexual connotation that’s difficult to justify. Too late to change it I guess?
"Solo" is also a term used in music and the last name of a popular science fiction character. Should those be changed too?
$200K - Hidden Surprise!

I'm not sure how much I like an open source security appliance coming with a "hidden surprise".

Thank you for the feedback - Just to clarify, stretch goals won't touch hardware/security, just special offers that everybody can benefit from. Examples more colors, free upgrade to usb-c.
Congrats for launching!

The kickstarter page mentions that Solo supports U2F and Fido2. What else does it support?

Is it like the Yubico "security key" with just U2F and fido2 or does it support OTP, OpenPGP, Smart cards, PKCS11? How long are the keys it stores?

Oh, and if it doesn't support some or any of that stuff, is it a software or a hardware limitation?

"By having singed code we can offer firmware upgrade, to release new features such as OpenPGP ..."

I read this as they don't support OpenPGP yet, but they do say "256 KB of memory to support hardened crypto implementations and OpenPGP" so I'd guess it's on the to-do list.

Yes, correct. Top feature request so far. We're just really busy with the Kickstarter now, so we can't commit on a date yet.
Right now the killer feature of yubikeys for me is the fact that they're waterproof and have no physical buttons to wear out, making them effectively indestructible on my keychain.

I'm still waiting for another manufacturer to even come close to the physical design of yubikeys.

For the button we explicitly wanted to do something different because some people like the physical feedback.

But being open, you can take the design, change the button to be a touch sensor, and make your own. If anyone does it, please keep us posted, we want to support you!

Looks good, but the form factor of the Yubikey Nano is much nicer for laptops. Once it's in, you just leave it in there, and you don't need to worry about knocking/bending/snapping it.

I could see one of these living in my desktop, but then I'd choose a Yubikey over it again for the OpenPGP support.

I'm already using a separate Yubikey with my phone over NFC. I'm pretty sure that wont work when I get my librem 5 though. I don't even think that's coming with NFC. But my new option for Librem will probably end up being another Yubikey instead of this. Specifically the 4C Nano, as I will hopefully be able to stick it in the phones USB-C port and let it live there whilst it's not charging.

So, looks good, but not for me. Hopefully you're a success and are able to bring out some different form factors at some point in the future.

You only have to leave the key in by choice. For example, I use my Solo to authenticate login for google. But, I only need it on login....which really doesn't happen very often from my laptop. So, I am not leaving my key embedded in my laptop, which presents a problem if you actually have your laptop lifted at Starbucks!
Yeah, I choose to leave it in there, so I don't have to think about it. For me, that's the thing that finally switched using 2FA from being a burden, to neutral.

I have multiple Yubikeys, and fall back to TOTP on my phone and watch, so if my laptop is lifted, I will care about the financial/inconvenience loss of the laptop, but not the Yubikey.

We've removed “Show HN” on account of a previous one:

https://news.ycombinator.com/item?id=18035079

also discussed here:

https://news.ycombinator.com/item?id=17778262

I’ve originally put Show because this is the product, the previous was the firmware, but ok.

Did you also apply a penalty? We jumped from #4 to #50, and we have more votes, comments, and are newer than nyt currently in fp.

That's a shame, since this one is announcing the kickstarter, and those weren't. And there was obvious interest, as well as interesting discussion, on this post.
Actually, we've received a clarification. 1) fundraisers are excluded from Show HN, it's in the FAQ, and sorry I missed that. 2) the community is generally sensitive to being marketed, and as much as we were enjoying the discussion, others flagged/reported this post.

Everything considered, this is a fair decision.

I'm really excited to see this project. Looking forward to receiving my two Solo Tap keys!

P.S. OpenPGP is a must for me. Hope to see update for that soon.

"Note that to reflash a regular Solo key you have to connect via the debug interface, as for security reasons our firmware only allows signed code upgrade"

Which debug interface is this? JTAG? Something else?