Google's OpenSK lets you BYOSK – burn your own security key

Now there's no excuse

Google demonstrates the OpenSK dongle (from promotional video)

OpenSK, a new open-source project from Google, lets folk make their own security key for less than £10.

You flash the OpenSK firmware on a Nordic dongle – and voilà. The USB dongle includes the nRF52840 SoC (32-bit Arm Cortex-M4), supports Bluetooth Low Energy and NFC (Near Field Communication), and has a user-programmable button. If you have a 3D printer to hand, you can also print a suitable enclosure.

The Nordic dongle with a 3D-printed case


Google offers its own Titan security key for two-factor authentication (2FA) with FIDO U2F, and using this or an alternative device goes a long way towards protecting an account from unauthorised access or takeover. The same keys can be used on other internet sites including AWS and GitHub – but probably not at your banking site.

OpenSK is coded in Rust and runs on TockOS, an embedded operating system designed for "mutually distrustful applications" and also written in Rust. Google's Elie Bursztein, security & anti-abuse research lead, and Jean-Michel Picod, software engineer, said: "Rust's strong memory safety and zero-cost abstractions makes the code less vulnerable to logical attacks."

The purpose of OpenSK is not to enable geeks to get DIY security keys but rather to encourage use "by researchers, security key manufacturers, and enthusiasts to help develop innovative features and accelerate security key adoption". There is also a caution that "this release should be considered as an experimental research project to be used for testing and research purposes".

Any form of 2FA is much better than nothing, but dedicated security keys have advantages over alternatives like text messages, since phone numbers can be hijacked. Sometimes the phone number can also be used for account recovery, making it a weak link despite its popularity.

You can find the code for OpenSK here. ®
