Google Introduces the OpenSK Project to Help Anyone Build Their Own Security Keys for 2FA

If you follow cybersecurity news, you are probably already familiar with two-factor authentication. If you haven't come across it yet, you can fill that gap by checking out our entry about this authentication method here.

We are not going to cover the fundamentals of two-factor authentication here, because our goal is to tell you about Google's OpenSK and how Google is encouraging open-source development of security keys for two-factor authentication. This is a genuinely new development on the cybersecurity landscape, but to sum it up in one sentence: Google has announced an open-source security key implementation that supports the FIDO U2F and FIDO2 standards. Sounds a bit like Greek, doesn't it? Let's take one term at a time and see what the fuss is all about.

What is FIDO?

FIDO, short for Fast IDentity Online, is an industry association (the FIDO Alliance) publicly launched in 2013. Its purpose is to develop open authentication standards that work across platforms and reduce reliance on passwords. Many companies are members of the FIDO Alliance, including Google, Bank of America, Alibaba Group, Amazon, NTT DoCoMo and others.

In practice, FIDO's work centers on authentication with security keys and other authenticators. The alliance publishes specifications (U2F and FIDO2 among them) that its members implement in their products and services. These specifications are built on public-key cryptography, which provides stronger authentication than a shared secret such as a password: the service stores only a public key, so nothing it holds can be stolen and replayed against the account.

Let's say a user registers with an online service. The user's device creates a new key pair for that service. The private key stays on the device and never leaves it; the public key is registered with the online service. Whenever the user later signs in, the service sends a fresh random challenge, and the device proves that it holds the private key by signing that challenge, which the service checks against the stored public key. Before the device will sign, the user has to approve the use of the private key. Depending on what the device offers, that might mean swiping a finger, entering a PIN, using voice recognition, pressing a button, or inserting a hardware authentication device.
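The registration and login exchange just described, written out as an added example that is not OpenSK's code or anything from Google's post: a small Go model of a FIDO2/WebAuthn authenticator and the relying party (the online service) it talks to. The layout of the signed data (rpIdHash, flags, counter, then the hash of the client data) follows the WebAuthn specification; the Authenticator, RelyingParty and Login helpers, the user "alice", the relying-party IDs and the challenge bytes are constructed for this example. It also shows the checks a relying party actually performs and why a signature obtained by a look-alike site is useless to it, which is the property that makes FIDO keys phishing-resistant.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// flagUserPresent is WebAuthn's UP bit: the user touched the key for this assertion.
const flagUserPresent byte = 0x01

// Authenticator models the security key (an assumed type for this example, not OpenSK's).
// It keeps one P-256 key pair per relying-party ID; private keys never leave it.
// The signature counter is shared across credentials, as on many real tokens.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: make(map[string]*ecdsa.PrivateKey)}
}

// Register creates a fresh key pair for rpID and returns only the public half,
// which the relying party stores against the account.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert proves possession of the private key for rpID. Following the WebAuthn layout,
// authenticatorData = sha256(rpID) | flags | big-endian counter, and the signature
// covers sha256(authenticatorData || clientDataHash).
func (a *Authenticator) Assert(rpID string, clientDataHash [32]byte) (authData, sig []byte, err error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	a.counter++
	rpIDHash := sha256.Sum256([]byte(rpID))
	var count [4]byte
	binary.BigEndian.PutUint32(count[:], a.counter)
	authData = append(append(rpIDHash[:], flagUserPresent), count[:]...)
	digest := sha256.Sum256(append(append([]byte{}, authData...), clientDataHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return authData, sig, err
}

// ClientDataHash stands in for the browser's hash over the collected client data (the
// server's challenge plus the page origin). The key signs this hash without seeing the
// plaintext, so the origin the key was used from is baked into every signature.
func ClientDataHash(challenge []byte, origin string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, challenge...), origin...))
}

// RelyingParty is the online service: it holds public keys and the last counter it
// accepted per user, nothing secret.
type RelyingParty struct {
	ID        string
	pubKeys   map[string]*ecdsa.PublicKey
	lastCount map[string]uint32
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}, lastCount: map[string]uint32{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// Verify runs the checks the service must make before accepting a login.
func (rp *RelyingParty) Verify(user string, challenge, authData, sig []byte) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	if len(authData) != 37 {
		return errors.New("malformed authenticator data")
	}
	// 1. Signed for our rpID: a credential a look-alike site coaxed out of the same
	//    key carries that site's hash and is rejected here.
	want := sha256.Sum256([]byte(rp.ID))
	if !bytes.Equal(authData[:32], want[:]) {
		return errors.New("rpIdHash is not ours (phishing or wrong site)")
	}
	if authData[32]&flagUserPresent == 0 {
		return errors.New("user presence not asserted")
	}
	// 2. Counter must move forward: a replayed assertion, or a cloned key lagging
	//    behind the original, does not.
	count := binary.BigEndian.Uint32(authData[33:])
	if count <= rp.lastCount[user] {
		return errors.New("signature counter did not increase")
	}
	// 3. Signature over exactly this challenge, for our origin, by the enrolled key.
	cdh := ClientDataHash(challenge, "https://"+rp.ID)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	rp.lastCount[user] = count
	return nil
}

// Login plays the browser: it binds the origin it is really on into the client data,
// asks the key for that origin's credential, and forwards the result to rp.
func Login(key *Authenticator, rp *RelyingParty, user, origin string, challenge []byte) error {
	authData, sig, err := key.Assert(origin, ClientDataHash(challenge, "https://"+origin))
	if err != nil {
		return err
	}
	return rp.Verify(user, challenge, authData, sig)
}

func main() {
	key, rp := NewAuthenticator(), NewRelyingParty("example.com")
	pub, _ := key.Register(rp.ID)
	rp.Enroll("alice", pub)
	challenge := []byte("constructed-random-challenge") // a real service draws this fresh per login
	fmt.Println("real site:", Login(key, rp, "alice", "example.com", challenge))
	key.Register("examp1e.com") // a look-alike site can enroll its own credential on the key...
	fmt.Println("phish:", Login(key, rp, "alice", "examp1e.com", challenge)) // ...but it fails at the real site
}
```

The point to notice is that the user does nothing different in the two logins: the key signs in both cases, but the browser puts the origin it is actually on into the signed data, so a relayed challenge signed from examp1e.com fails the rpIdHash check at example.com. That is what separates a security key from a one-time code, which a user can be talked into typing into the wrong site.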

Google OpenSK implements one of those authenticators: the hardware security key. Because it follows the FIDO standards, a key built from OpenSK works with any website or service that already supports FIDO U2F or FIDO2 logins; no site needs to know or care that the key is home-made. To put it simply, everyone can use the same mold to create their own keys. Now, how does Google expect people to go about it?

Google OpenSK’s Nordic Dongle

To implement this open-source project, Google chose a dongle built around a Nordic chip. What is a dongle? A dongle is a small piece of hardware you plug into a port to add a capability the machine doesn't have on its own. You probably use one without thinking about it, for instance the USB receiver for a wireless mouse or a Bluetooth adapter for a laptop. A dongle is really just a small USB device with its own microcontroller, so the same form factor can just as well function as a security token.

Nordic dongle refers to USB dongles built by Nordic Semiconductor, specifically the nRF52840 dongle that OpenSK targets. Google chose it because it is affordable and because the chip supports all the transports FIDO2 specifies (USB, NFC and Bluetooth Low Energy) and includes a dedicated cryptography core.

Google OpenSK

The official blog post by Google says that they’re pushing this new open-source platform because they hope “it will be used by researchers, security key manufacturers, and enthusiasts to help develop innovative features and accelerate security key adoption.”

How does Google OpenSK work? The project provides the firmware that users flash onto the Nordic dongle to turn it into their own developer key. If that were not enough, Google also offers a custom 3D-printable case that protects the dongle and makes it easy to carry around. According to Google, the case prints on a variety of 3D printers.

It should be pointed out, however, that Google OpenSK is still an experimental research project. Yes, you can build your own personal FIDO authentication key with it, but it has not gone through FIDO certification and is not meant to be your production key yet; your development work is part of the testing and research that should help everyone improve authentication methods in the future.

Just as the Nordic dongles were chosen for their affordability, the Rust programming language was chosen for OpenSK because its strong memory safety and zero-cost abstractions make the code less vulnerable to the memory-corruption bugs, such as buffer overflows, that have long plagued firmware written in C. The project runs on TockOS, an operating system designed to run multiple applications on low-memory, low-power microcontrollers (which is exactly what a hardware security key is). Google also points out that TockOS's sandboxed architecture keeps the security key applet, the drivers, and the kernel isolated from one another inside the dongle, so a flaw in one component cannot simply reach into another. That isolation is defense in depth, and it raises the overall security of the key.

We do realize that for a regular user, building their own security keys and dabbling in programming is not an everyday thing. However, the fact that Google has created an open-source project for something like two-factor authentication shows just how important authentication has become. It also shows that the companies with a stake in cybersecurity are working toward a safer environment for everyone.

Also, an open-source project means that any developer can contribute to this quest for safe authentication. As Google says in its blog post, they hope that "OpenSK over time will bring innovative features, stronger embedded crypto, and encourage widespread adoption of trusted phishing-resistant tokens and a passwordless web."

Before any of that happens, of course, we still rely on a mix of authentication methods, including passwords, two-factor authentication, and others. And passwords are the weak link in the authentication chain that you have to take seriously.

They are the one thing you can easily manage yourself. There are also tools like Cyclonis Password Manager that can help you create and store strong, unique passwords for your accounts. Forget the days of recycling the same password across sites. Until projects like Google OpenSK result in easy and affordable passwordless authentication, a serious and responsible attitude toward your passwords is the way to go.

April 1, 2020