OpenSK VS tillitis-key1

https://github.com/google/OpenSK works, it runs on something like this $15 board. Could do with a case though.

https://www.nordicsemi.com/About-us/BuyOnline?search_token=n...

There are a huge number of other vendors supporting Webauthn apart from Yubikey. (From the top of my head Nitrokey, Solo, Tomu, Mooltipass, Ledger, Trezor, Google Titan, OnlyKey, Token2).

You could also use the system TPM (https://github.com/psanford/tpm-fido).

A brief search didn't yield any FIDO2 software-only solutions for Linux, but I see no reason why in principle you couldn't implement it (perhaps interfacing https://github.com/google/OpenSK through hidg - similar projects do exist for U2F).

Cloudflare does, using a security key not found in the FIDO Metadata Service will unfortunately not work. This precludes the use of any hacker-friendly solution (making your own).

> Supported: All security keys found in the FIDO Metadata Service 3.0, unless they have been revoked for security reasons.

https://support.cloudflare.com/hc/en-us/articles/44068890480...

Attestation keys, as they're currently used, aren't very "privacy friendly" and it's much worse for those who wish to create their own key.

> Usually, the attestation private key is shared between a batch of at least 100,000 security keys of the same model. If you build your own OpenSK, your private key is unique to you. This makes you identifiable across registrations: Two websites could collaborate to track if registrations were attested with the same key material. If you use OpenSK beyond experimentation, please consider carefully if you want to take this privacy risk.

https://github.com/google/OpenSK/blob/f2496a8e6d71a4e8388849...

There are a number of FOSS solutions.

- https://github.com/google/OpenSK <- DIY solution

- https://solokeys.com/

- https://www.nitrokey.com/

The issue with any FOSS solution is that FIDO requires an attestation private key which is shared between a batch of at least 100,000 security keys. Using a DIY or cli app (application running on the host) solution will likely mean you'll be generating that private key yourself, this makes you identifiable across registrations.

I'm not sure what you're replying to--this scheme is much closer to self-signed X509 client certs, not FIDO. But regarding FIDO, it does not prevent user-controlled hardware; it's up to RPs to choose if they require specific device manufacturers or not.

In my experience, the vast majority of (consumer) RPs do not require specific batch attestation, which is why you can make your own FIDO key: https://github.com/google/OpenSK.

I am under the impression support for attestation was controversial in FIDO--it's clearly useful for enterprise scenarios (e.g. where an enterprise requires some silly certification like FIPS: https://support.yubico.com/hc/en-us/articles/360016614760-Ac...), but there's always the risk that consumer-facing RPs require it for no good reason.

My employer requires FIPS certification due to FedRAMP; I'd be interested in how you would propose to change FIDO such that--as now--I can use a single key for work and for all my consumer needs while eliminating attestation.

Having a look at their documented threat model: https://github.com/tillitis/tillitis-key1/blob/main/doc/thre...

I love this particular detail, listed under Assumptions:

> The end user is not an attacker. The end user at least doesn't knowingly aid the attacker in attacks on their device.

I love this, it's exactly what I want from a HSM device. However, sadly, most vendors today deploy TPMs in such a way that the end-user is an attacker (see: Google SafetyNet) - and the TKey is kinda incompatible with that, I suppose.

I'm not sure if they are publicly available yet by tillitis may be what you're looking for.

No, not yet. Physical attacks are out of scope for the TKey1, even if we have some mechanisms in play which try to extend the time and effort required to perform a successful evil maid-attack extracting the Unique Device Secret (UDS). See the threat model for the release:

https://github.com/tillitis/tillitis-key1/blob/main/doc/thre...

The current casing is fairly tamper evident (it will break), but we do not yet use real, tamper evident sealing. We are looking at tamper sealing for future versions. And ways to further protect against physical attacks.

Mullvad VPN has announced that they are working on the "Tillitis"[1] key and it looks like it's releasing pretty soon (2023-03-23).

From the website:

>The TKey™ is a new kind of USB security key inspired by measured boot and DICE.

>TKey™s design encourages developers to experiment with new security key applications and models in a way that makes adoption easier and less risky forend-users.

>TKey™ is and always will be open source hardware and software. Schematics, PCB design and FPGA design source as well as all software source code can be found on GitHub.

[1]: https://www.tillitis.se/ -- also "tillit" is Swedish for "trust"

Given a suitable app, the Tillitis Key 1 works as a RNG. I have written a first version, and will release one in the public app repository in a week or so.

https://github.com/tillitis/tillitis-key1

https://github.com/tillitis/tillitis-key1-apps

No, the integrity is within the device. You load the small (64k) apps onto the key and the content of the apps with the unique key for the device can be used by the app to perform cryptography and their integrity can be audited. This is similar to JavaCard with cryptographic integrity of the applets. Read more at: https://github.com/tillitis/tillitis-key1/blob/main/doc/syst...