Say "Hello" to OpenSK

An open sourced key implementation from Google.

Alasdair Allan
4 years ago, Security
The Nordic nRF52840 Dongle. (📷: Nordic Semiconductor)

If a website or service offers it, you should definitely be using two-factor authentication (2FA) to log in. Most of the major sites these days, like Google, Twitter, Facebook, and Apple’s iCloud, provide some form of 2FA.

Two-factor authentication is exactly what you might expect. To log into a site or service, you have to verify you’re the account owner in two separate ways. The first will almost always be your password; the second can range from a temporary code sent to your phone via SMS to an authenticator app that generates a time-based one-time password (TOTP). There is also a less common, but generally more secure, method: a hardware key.

I use a YubiKey myself, as they do both a USB-C key and one with an Apple Lightning connector. But recently there have been a number of open source efforts to build keys, like the Somu and Solo keys.

Announced earlier today by Google, OpenSK joins these open source offerings. Unlike the projects we’ve seen to date, though, OpenSK is source code only: a FIDO2 authenticator implementation written in Rust as a Tock OS application that supports both the FIDO U2F and FIDO2 standards. OpenSK has been tested on the Nordic nRF52840 Dongle, but should be easily ported to other hardware.

“With this early release of OpenSK, you can make your own developer key by flashing the OpenSK firmware on a Nordic chip dongle. In addition to being affordable, we chose Nordic as initial reference hardware because it supports all major transport protocols mentioned by FIDO2: NFC, Bluetooth Low Energy, USB, and a dedicated hardware crypto core. To protect and carry your key, we are also providing a custom, 3D-printable case that works on a variety of printers.”
The OpenSK Demo. (📹: Elie Bursztein/Google)

Today’s release is an interesting move by Google. Their authenticator app is also, at least partially, open source, although the open source code has diverged from the version Google publishes to the app stores. That code forms the basis of a lot of TOTP implementations; it’s certainly the code I used when I had to implement TOTP on iOS some years back. So you have to wonder whether this code will get used in a similar fashion.

However, be warned: Google says that the current release is ‘research quality.’

“We’re currently still in the process of making the Arm® CryptoCell-310 embedded in the Nordic nRF52840 chip work to get hardware-accelerated cryptography. In the meantime we implemented the required cryptography algorithms (ECDSA, ECC secp256r1, HMAC-SHA256 and AES256) in Rust as a placeholder. Those implementations are research-quality code and haven’t been reviewed. They don’t provide constant-time guarantees and are not designed to be resistant against side-channel attacks.”

Data breaches that leak your password information are very common. So no matter what type of 2FA is offered by the sites you use, even if it’s ‘only’ a one-time password via SMS, which many security experts would criticise due to the possibility of SIM hijacking, you should use it, because any second factor gives you more security than none at all. The best advice right now is to use a password manager coupled with a hardware key for 2FA. Today’s software release by Google should make that just a little bit easier.

Alasdair Allan
Scientist, author, hacker, maker, and journalist. Building, breaking, and writing. For hire. You can reach me at 📫 alasdair@babilim.co.uk.