Google has announced the launch of a new experimental project named “OpenSK”, which concerns the development of affordable yet fully featured open-source security keys. FIDO (Fast IDentity Online) keys are hardware tools that are compatible with the “FIDO Alliance” standard and are meant to help the user authenticate safely and securely. This is done by plugging the key into one of the system’s ports instead of relying on SMS-based two-factor authentication steps. Thus, they are far more secure than any other authentication method, and the de facto choice of people who want to secure crypto-wallets, their email communications, and their online accounts in general.
OpenSK is an open-source implementation written in Rust that supports both the FIDO U2F and the more recent FIDO2 standards. The goal of the project is to accelerate the adoption of these physical keys by making them more accessible to a wider audience, cheaper to make, and more versatile than the solutions offered by the various vendors. For this reason, the project has selected the nRF52840 Dongle by Nordic as the first hardware platform to receive the OpenSK firmware, since it costs only between $9.5 and $19 to acquire, depending on where you’re based.
This particular hardware platform comes with no functionality compromises whatsoever, as it supports Bluetooth LE, USB, NFC, and a dedicated hardware crypto core. This is important, as the FIDO2 protocol supports these communication protocols. Moreover, supporting all data transfer methods is crucial in an experimental hardware platform. Finally, there’s already a custom 3D-printable case available on Thingiverse, so that people can print it out and carry the key around safely. Of course, while regular people can grab the firmware and flash it onto the key, at this point OpenSK is meant to be used by researchers who are ready to experiment.
Remember, physical FIDO keys like the YubiKeys and the Google Titan are getting all the attention lately, as they are the next step in account security. iOS 13.3 brought support for them in Safari, Android 7.0 and later got certified according to the FIDO2 standard, Android phones received the ability to act as 2SV keys, and more recently, iPhones received the same treatment in relation to Google Account authentication in iOS. That said, if you care about the security of your accounts and online presence in general, you should consider getting a FIDO key or setting up your smartphone to serve as a physical two-step verification tool.