Security keys and open source

Security keys are advertised everywhere as the solution to modern security and password problems, and many open source projects welcome the new technology. But what about the security keys themselves? How open are security keys and the technology they are based on?

The FIDO Alliance

Many open source projects willingly implement the protocols and procedures behind those security keys. This might be because the protocol suite behind these devices, the FIDO standard, is an open standard. That means everyone can access the specification for the protocols involved. FIDO2, the current version of the FIDO standard, implements a number of protocols allowing secure authentication. Those protocols are specified by the FIDO Alliance, which introduces itself on its home page as follows:

The FIDO Alliance is an open industry association with a focused mission: reduce the world’s reliance on passwords. To accomplish this, the FIDO Alliance promotes the development of, use of, and compliance with standards for authentication and device attestation.

This open approach to protocols and standards allows everyone to read and implement the FIDO protocols. Of course, this is great to allow any open source developer to implement the standard without extra fees or other costs.

What is special about FIDO?

As the FIDO Alliance states, it wants to improve authentication by replacing passwords. Passwords have flaws that are not easy to fix. Generally speaking, a password is a shared secret. That means both the user and the server need to know the password. Even with best practices like storing only hashes of the password instead of the password itself, it is not impossible to find out the password, and this is not even mentioning the poor ability of many people to choose a proper password. Isn’t guessing weak passwords still a thing?

With the generally increasing number of online accounts in our everyday life, the demand for a more secure authentication method is increasing. The FIDO Alliance is trying to improve this. With the open approach and the fact that it can reduce the need for a shared secret, this is a welcome approach for many services and leads to a lot of adoption.

Hardware security keys

The most secure approach to FIDO-based authentication is the hardware security key. With their special hardware design, these keys ensure that any secret stored in them can never be retrieved. This is one of the key features of hardware security keys. There is a huge number of companies producing hardware security keys in all shapes and sizes. Here is a list of manufacturers which provided devices for us to test and deep dive into the interesting world of FIDO authentication.

Each of those manufacturers creates its own devices, all with one thing in common: they are all FIDO-compliant authenticators. Some have additional functionality that is related in one way or another to that of the FIDO authenticator. With this in common, all of them use some sort of Secure Element that stores the secret key and performs cryptographic operations without ever exposing the secret key to the connected device.
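A simplified model of the contrast described above, added here as an illustration and not taken from the original post or from the FIDO specifications: the website stores only a public key, and the key that signs never leaves the authenticator object. The class names, the site names and the signed-data layout (SHA-256 of the site name followed by the challenge) are assumptions; real WebAuthn signs a richer structure.

```javascript
// Added illustration, not the WebAuthn/CTAP2 wire format; all names are hypothetical.
const crypto = require('node:crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Models the security key: private keys sit in a private field and are never returned.
class Authenticator {
  #keys = new Map(); // rpId -> private key (stands in for the secure element)
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.#keys.set(rpId, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // public half only
  }
  sign(rpId, challenge) { // signature covers the site identity and the one-time challenge
    const key = this.#keys.get(rpId);
    if (!key) throw new Error(`no credential for ${rpId}`);
    return crypto.sign('sha256', Buffer.concat([sha256(rpId), challenge]), key);
  }
}

// Models the website: it stores public keys only, never a shared secret.
class RelyingParty {
  constructor(rpId) { this.rpId = rpId; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    const pem = this.publicKeys.get(user);
    if (!challenge || !pem) return false;
    this.pending.delete(user); // a challenge is accepted once, so a replay fails
    return crypto.verify('sha256', Buffer.concat([sha256(this.rpId), challenge]), pem, signature);
  }
}

function demo() {
  const key = new Authenticator();
  const site = new RelyingParty('example.test'); // constructed sample site name
  site.enroll('alice', key.register('example.test'));
  const sig = key.sign('example.test', site.newChallenge('alice'));
  const login = site.verify('alice', sig);
  const replay = site.verify('alice', sig); // same signature, challenge already used
  key.register('lookalike.test');
  const other = key.sign('lookalike.test', site.newChallenge('alice'));
  const wrongSite = site.verify('alice', other); // signed for a different site identity
  const serverHoldsPrivateKey = site.publicKeys.get('alice').includes('PRIVATE KEY');
  return { login, replay, wrongSite, serverHoldsPrivateKey };
}
```

Calling `demo()` returns which of the three verification attempts succeeded and whether the site's stored record contains any private key material.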

The openness of the hardware

The “Secure Elements” are physical components sourced from a range of chip manufacturers, very many of them with very secretive practices. It is very hard to get details, as many companies have to sign a so-called Non-Disclosure Agreement (NDA). This agreement forbids them from talking about many aspects of the secure element component that they are using. This sometimes seems to go as far as not allowing companies to publish the security key’s firmware or accompanying software utilities as open source.

This is not an ideal situation, as it does not allow security findings to be published openly. Secrecy like this does not help security but actively hurts it. Vulnerability reports like NinjaLab’s EUCLEAK are very rare because of this secrecy.

Ars Technica seems to have summarized the problematic situation in their article about the vulnerability quite well.

This cryptolibrary is highly confidential (even its API is secret, you need to sign an NDA with Infineon just to know the API). Nobody, but Infineon, knows the cryptolibrary details and notably its countermeasures choices.

Reports like these show the problem with the secure elements that provide the heart of most, if not all, hardware security keys. Trezor’s Tropical Square describes the situation as well, in what seems to be as much detail as they are allowed to give. Statements like the following make one question the state of secure elements at this time:

We started to plan a responsible disclosure and reported these issues to the vendor. During the call with the management that followed, we learned the vendor will not communicate the vulnerabilities to their customers and we won’t be able to tell the world about these critical mistakes either, because of the NDA we were forced to sign to get the full documentation of the chip.

The openness of the firmware

As the firmware is often highly optimized to match the hardware or uses libraries from the secure element manufacturer, open-sourcing the firmware code can be difficult as well.

Even utilities for the security keys can be closed source for similar reasons, but in general this is not as bad as the hardware situation. There are security key manufacturers that do provide utilities for their devices as open source. The most famous is Yubikey: while their firmware is closed source, their desktop utilities are open source and available in Yubico’s GitHub repositories. Some of the utilities are not even Yubikey-specific but can be used generically with many different security keys, if not all FIDO2-compatible ones.

Are there Open Security keys?

In short, yes, there are security keys that are open hardware as well as open-source. The number of manufacturers that managed to produce security keys in a fully open way is not huge, sadly.

SoloKeys, a manufacturer that started small with a FIDO U2F hardware security key named U2F Zero. Still, the FIDO2 security keys produced today are open hardware as well as having open-source firmware and desktop utilities. For more detail, see the Solokey GitHub page as well as the Trussed website.

Nitrokey, a manufacturer of security keys as well as security- and privacy-focused smartphones, tablets and PCs. The security key firmware is also available as open source and is based on the same Trussed firmware project as the one used in Solokeys. The Trussed firmware is developed in cooperation. Nitrokey’s firmware also includes many additional features (like the Password Safe and OpenPGP) that are not part of the base Trussed firmware.

OnlyKey, manufacturing security keys with a special twist. The firmware used is based on a crypto wallet. The crypto wallet Trezor is sharing the firmware as well as some of the utilities available for it.

Trezor, manufacturing cryptocurrency wallets capable of FIDO2 authenticator functionality. The firmware is developed as open source and can be found on GitHub.

Token2, a manufacturer of security keys, hardware TOTP devices and more. The firmware used in the PIN+ security keys is open-sourced on GitHub.

Conclusion

It is concerning how much secrecy surrounds the secure elements used in the majority of security keys. This all paints a very concerning picture. Thankfully, there are manufacturers that try to go a different way, even though it might not be easy.

Hardware security keys provide much better security than traditional passwords alone. Even with that, there is room to improve the openness around them.


Read more of my posts on my blog at https://blog.tinned-software.net/.
