Two years after debuting his first open-source two-factor-authentication (2FA) USB security key at the 2017 Shmoocon hacker conference, former graduate student and present-day entrepreneur Conor Patrick showed off his latest creation, the Solo security key, at this past weekend's Shmoocon in Washington, D.C.
Like its predecessor, the Solo key is cheap to buy at $20, and you can build one yourself instead if you choose — all the hardware instructions and software are posted online.
The new Solo key supports the new FIDO2 standard as well as the older U2F standard, comes in a USB-C variant as well as in the traditional USB-A format and has a soft plastic shell to cover the electronics. (The original key, the U2F Zero, had an exposed circuit board.)
There's also a Solo key with unlocked software so that hackers can tinker with it. A version with NFC wireless support, the Solo Tap, is on the way and will interact with Android phones.
Security keys are used as a second factor in two-factor authentication protocols, and are even more secure than temporary codes sent via SMS text message.
For example, you can set up security keys in Google, and when you log into Google from a new computer for the first time, you can plug the security key into the computer's USB port to verify who you are. (You'll still have to enter a password first, but the FIDO2 standard means you might not have to soon.)
Either USB-A or the USB-C versions of the Solo Key should work with any online service that supports U2F or FIDO2, including Google, Facebook, Dropbox and the Dashlane and Keeper password managers.
However, the Solo key won't work with LastPass, as that password manager supports only Yubico's proprietary Yubikey security keys. Nor is it likely that the upcoming Solo Tap will work with iOS, which does not support NFC to the same degree as Android.
(iOS devices already work with the Bluetooth-based Titan security keyfobs sold by Feitian and Google, and a Yubikey out later this year will have a Lightning plug to work with iPhones and iPads.)
The USB-A version of the Solo key costs $20, and at the moment it has pretty much the same capabilities as Yubico's identically priced, basic blue Security Key (which not a Yubikey, as it uses only open standards).
But Patrick said the Solo key will get firmware updates to extend its capabilities into other authentication formats such as one-time passwords, static passwords and smart cards, which most Yubikeys already support.
The USB-C Solo key sells for $25, and there's no direct competitor to it yet. Yubico's Yubikey 4 series includes USB-C models, but they don't support FIDO2. The Yubikey 5 series does support FIDO2 and has USB-C variants, but they cost at least twice as much as the USB-C Solo due to Yubico's proprietary software.
We were given a Solo Key to play with at Patrick's presentation, and had no trouble adding it as a second security key on a Google account. The only slight hiccup was when Chrome asked permission to examine the key's software; after permission was granted, everything went smoothly. Later, we used the Solo key to log into a new laptop, and everything worked without a hitch.
Photo credits: Tom's Guide