Google's OpenSK lets you BYOSK – burn your own security key
Now there's no excuse
OpenSK, a new open-source project from Google, lets folk make their own security key for less than £10.
You flash the OpenSK firmware on a Nordic dongle – and voila. The USB dongle includes the nRF52840 SoC (32-bit Arm Cortex-M4), supports Bluetooth Low Energy and NFC (Near Field Communication), as well as a user-programmable button. If you have a 3D printer to hand, you can also print a suitable enclosure.
Google offers its own Titan security key for two-factor authentication (2FA) with FIDO U2F and using this or an alternative device goes a long way to protect an account from unauthorised access or takeover. The same keys can be used on other internet sites including AWS and GitHub – but probably not at your banking site.
OpenSK is coded in Rust and runs on TockOS, an embedded operating system designed for "mutually distrustful applications" and also written in Rust. Google's Elie Bursztein, security & anti-abuse research lead, and Jean-Michel Picod, software engineer, said: "Rust's strong memory safety and zero-cost abstractions makes the code less vulnerable to logical attacks."
The purpose of OpenSK is not to enable geeks to get DIY security keys but rather to encourage use "by researchers, security key manufacturers, and enthusiasts to help develop innovative features and accelerate security key adoption". There is also a caution that "this release should be considered as an experimental research project to be used for testing and research purposes".
Any form of 2FA is much better than nothing, but dedicated security keys have advantages over alternatives like text messages, since phone numbers can be hijacked. Sometimes the phone number can also be used for account recovery, making it a weak link despite its popularity.
You can find the code for OpenSK here. ®