SoloKey (Security Key)

I’d like to bring up the suggestion of SoloKeys again for Hardware Security Keys, which was on the GH Discuss forum before the move here to Discourse:

I’d like to suggest SoloKeys for the MFA page as another option under the “Hardware Security Keys” section.

SoloKey devices use open source software (on GitHub) and hardware, though I don’t know too much about the hardware part or how it compares to Nitrokey.

I haven’t seen any mention of it on Pull Request 862 yet. Also, SoloKeys was mentioned in the discussions a while back, but this seems to have fallen by the wayside.

Some background (so others don’t have to start research from scratch)

SoloKeys devices from the older but currently available Solo 1 line seem to be most similar to the older but currently available Nitrokey FIDO2 hardware security devices.

Upcoming SoloKeys devices in the Solo V2/Solo 2 line (unless you already knew about SoloKeys) seem to be most similar to the Nitrokey 3 line. Currently, the Nitrokey 3 products are in pre-order status (for the USB-A and USB-C variants).

As stated in a SoloKeys announcement from February 2021, SoloKeys and Nitrokey are competitor-collaborators because both companies use Trussed, the same open source cryptography framework.

SoloKeys doesn’t seem to get a lot of attention, because SoloKeys only makes hardware security keys (so far). On the other hand, Nitrokey is more well known because it sells other products, such as the Qubes Certified NitroPad X230 and T430 and the NitroPhone 1 and 2/2 Pro (which are preinstalled GrapheneOS devices on the Pixel 4a and Pixel 6/6 Pro, respectively, with various options for removing the microphones, sensors, and cameras).

Other consideration: shipping availability

I originally wanted the Nitrokey FIDO2 but accidentally bought the Nitrokey Pro 2 (which can be used for unlocking the computer upon boot, like in the Insurgo PrivacyBeast X230) in late summer 2021. However, long story short, I remembered in a video about passwordless account logins (it’s a bit idealistic) that SoloKeys is a good alternative to Nitrokey devices (since shipping was €50 or more via only UPS due to German COVID mail restrictions in early fall 2021).

Basically, if you’re in the U.S. or close to North America, then SoloKeys is more sensible regarding shipping - while those in the EU should consider Nitrokey for similar reasoning. However, both SoloKeys and Nitrokey will ultimately ship internationally. Having 1 more recommendation for hardware-based MFA alongside YubiKey and Nitrokey could help readers regarding availability.

I’m wondering if there’s any progress on suggesting SoloKeys since then.

SoloKey 2 isn’t generally available yet, and SoloKey 1 is USB-A only, and doesn’t have the best build quality IMHO. I don’t think we should be recommending products that are pre-order only, so I’m going to mark this as waiting and we can revisit it when SK2 is available in stores.

2 Likes

A note relating to build quality and availability: I had been looking into buying a Nitrokey as recommended on the privacyguides website. But after some research into their support and forums I found that a lot of users are complaining about NFC not working on their 3A models with Pixel and Samsung phones (refer to their forum thread issues 1, 2; in fact their support themselves say it won’t work with Samsung SE models).
Some even complained of their keys being bricked and had to replace them.
Even a GUI application for updating firmware and OTP handling is not ready (only WIP till now).
Nitrokey 3C is on pre-order (since NFC working with the 3A is not a guarantee, buying the 3C would be the only practical thing).
My request is to at least consider adding these drawbacks to the current list of drawbacks in the recommendation on the website, as it may affect buying decisions.

Based on the responses to the first forum thread linked, it sounds like their support is replacing models with defective NFC.

Correct me if I’m wrong, but after taking a quick glance at their online store, it looks like they’re now available.

SoloKeys 2 started to be sold in summer of 2023 in its store - but at first the only options were the “Limited Edition” SoloKey 2 devices with glitter in the epoxy covering the microcontroller used (USB-A and USB-C, the latter is now sold out).

However, by fall 2023, the “normal” non-glitter SoloKey devices also publicly became widely available through the official site IIRC (USB-A and USB-C).

These do seem to be widely available again, but they’re kind of ridiculously expensive IMO…

We’d have to remove our price criteria to include these, but I think they are our only open-source option if we merge PR 2592. Worth another look for sure.

Open-source doesn’t matter that much here because good keys need to have a secure element, which will always be proprietary.

What matters is for the firmware to be upgradable; YubiKey’s non-upgradable firmware is an absolute joke.

  1. Make sure that you receive the key with the latest firmware. I checked YubiKeys that are being sold in my country and couldn’t find a clue on what version of firmware they have.

  2. Pray that a new security vulnerability isn’t discovered in your YubiKey; if it is, then pray that YubiKey will replace them for free. After that, go through all of your accounts and register the new keys.

  3. If new features that you really need or want come out in a newer firmware, then be ready to pay up again.

2 Likes

I don’t agree this is an “absolute joke”. Adding options to update the firmware adds an attack factor that needs defence. The entire idea of the key is that it remains untouched and cannot be altered. It also is far cheaper to replace keys than the risk and security needed to fix firmware issues, at least on a larger scale. Most users will not be capable of doing an upgrade anyway.

When Feitian’s keys were pwned (A Side Journey to Titan - NinjaLab) I also had to replace the hardware in the past. There is no reason they should allow you to replace it for free, unless it was recently sold I guess. You buy tech to the latest standards, with the best effort. Not a lifetime guarantee.

6 Likes

Yep, that is the exact reason I got told by Yubico themselves.

As @jans23 pointed out elsewhere, their latest keys aren’t FIDO Certified either. I hadn’t had a chance to look yet, but that’s a shame :frowning:

I’ll mark as waiting again to see if that ever changes.

It does add a security risk, but it’s also a matter of your threat model and convenience. If keys are for your grandma, sure, you don’t want her to bother about upgrades.

But if, for example, you are in a corporate setup and you want your keys to be supported for a considerable time, like 3-5 yrs at least, without needing to replace them due to a security vulnerability being found, then they would prefer an upgradable key.
I am not sure if it’s very “cheap” to replace keys you bought a year ago.
A modern smartphone (on which most store sensitive data) has support for 2-3 yrs of security patches and it uses a secure boot process for ensuring signed firmware is loaded, the same way a security key also has a secure boot process which is used to verify signed firmware.
Supply chain attacks can happen in both situations, but you have to assess your threat model and make a decision.
I feel mobile OS security has gotten much bigger and mainstream to deal with real life scenarios/threats.

1 Like

Ledger, Trezor, and probably other crypto wallets have upgradable firmware. It requires multi-signature keys, which are stored in different locations and could be stored in HSMs. These devices store loads of cryptocurrency and are the best target for criminals.

Yubico’s excuse for not using the same strategy as Ledger and Trezor is:

We have government and defense organizations using our keys which makes for a much more complex threat model.

Then why not make a separate kind of YubiKey for governments and defense organizations? Or keep everything the same and let people choose between YubiKeys with upgradable and non-upgradable firmware.

Governments and defense agencies can afford to replace their keys when they need or want to, let’s assume that the average consumer can too :money_mouth_face:

2 Likes

Would you rather upgrade the firmware for your grandma’s key or buy her a new one and then register it for all of her accounts? I would rather do the first one.

If we are talking about phones, then let’s not forget that the firmware of the Titan M2 is upgradeable.

1 Like

You’re using two famously insecure devices as an example here.

I got free replacements for my Google Titan security keys directly from Feitian actually, to give them some credit.

It’s like @ph00lt0 said, it adds attack surface that needs defense. For a mobile chip that can be easily updated through a standard upgrade process that already exists (in Android), the trade-off of having to create and maintain that secure update mechanism makes sense. For a product that is already feature-complete like a Yubikey 5, probably less so.


Note that despite Solokey and Nitrokey having upgradable firmware, new features are still added to new products. They didn’t (and probably couldn’t) add Nitrokey 3 features to the Nitrokey 2.

I think both options are valid, but the tamper-proof nature of Yubikeys is a feature, not a bug.

4 Likes

Actually, now that you mention it, I believe I have received the offer too, but switched to YubiKeys.

It’s a minor expense for a corporation to replace them, and still a great offering against phishing success.

1 Like

Sure, for your organisation it would be a minor expense, depending upon what organisation you work in and how many employees are mandated to use a security key.
In my scenario it could be faster and easier to ask employees to upgrade the existing ones than first removing all the old ones and disrupting the workflow for days and weeks.
Also the security key could be treated as more of an ease-of-use utility product (by not memorising weak passwords) and not necessarily need government-level security.

You might forget about the cost increase of the keys when support for that is needed. They will need significant defences. Also, you need to provision tooling for the upgrades, let alone that that tooling also needs to be built and maintained. Shipping and a few pieces of hardware do not cost more than that. There is an argument to be made for sustainability perhaps, not for cost nor security.

1 Like

Hi, just wondering, the SoloKeys website https://solokeys.com/ states that their Solo 2 key is FIDO certified (L1). Does that make a change in this discussion?