DiceKeys Aim to Bring Some Physical Entropy and Security to Open Source Two-Factor Authentication

The idea of generating cryptographic keys by rolling dice isn't new — but the DiceKeys project takes the concept to a new level, combining physical dice with a smart app that makes key generation and entry a cinch.

Computers are, traditionally, not great at being random — which isn't good news when it comes to security. One approach to solving this problem is to inject randomness into the system from an external source: A webcam pointing at lava lamps is far from the strangest example, and diceware remains a popular approach to generating passphrases and passwords.

DiceKeys takes the diceware concept and extends it. "DiceKeys are backup security keys with 196 bits of security made of 25 custom dice and a rugged holder," the project's creators explain, "built to last a lifetime. DiceKeys can be read by most any phone, tablet, or computer. Or, you can use your own eyes to read each face by its: letter, which identifies the die; digit, which identifies the face of the die, and; orientation (rotation) of the face relative to the box."

"The lines and dots are error-correction codes. Each line contains a redundant encoding of the letter and digit on the face of the die. Our algorithms use them to orient and double check the letter and digit."

Reading the dice by eye is one approach; another is to use the open-source DiceKeys app on any device with a modern browser and a camera. "Our API allows apps and services to derive their own private secrets from your DiceKey without those apps seeing the key itself," the creators note. "Our reference implementation runs in most modern web browsers, allowing it to work on an incredibly diverse range of devices. While built with web-based technologies (TypeScript & WebAssembly), it runs entirely locally on your device. We are also developing Android and iOS versions to provide a richer experience on those devices."

The DiceKeys project also ties in to a pair of FIDO2-compatible two-factor authentication (2FA) dongles dubbed the Somu and the Solo Tap — the latter adding NFC support as well as a choice of USB Type-A or Type-C connectivity. "SoloKeys are open source FIDO2 security keys for two-factor authentication and passwordless login," the team explains. "Put them together and you get a FIDO2 SoloKey key that you can seed from your DiceKey, and replace with a cryptographically-identical should you break it or lose it."

The DiceKeys project is funding production via Crowd Supply, with rewards starting at $22 for a DiceKeys set and $50 for a DiceKeys set with choice of SoloKey accessory. All source code, meanwhile, is publicly available on the DiceKeys and SoloKeys GitHub repositories.