How to Make Your Own Two-Factor Authentication Key
WASHINGTON — You don't need to spend $40 or $50 to get a two-factor authentication (2FA) USB key to help you log into web accounts. Instead, you can build one yourself, or, failing that, buy one for $8 on Amazon.
The U2F Zero key. Credit: Conor Patrick/ConorCo
That's what Virginia Tech graduate student Conor Patrick, who related his experiences here today (Jan. 13) at the ShmooCon hacker conference, discovered when he set out to build his own 2FA key. He figured out how to program and produce the keys cheaply, and he has put all his methods and software online for anyone to use.
Even better, Patrick is selling the key, which he calls U2F Zero, for $8 on Amazon. That's less than half what Yubico, the most popular brand of 2FA USB key, sells its cheapest model for.
[UPDATE: Patrick has a new key with updated standards that you can build yourself or buy for $20.]
MORE: Best Password Managers
2FA keys are yet another way to implement two-factor authentication. Instead of waiting for a numeric code to be texted to your phone when you log into Google or Dropbox from a new computer, you simply plug the key into a USB port on your computer. Boom! The new computer is verified.
2FA keys may come into greater use soon, as the National Institute for Standards and Technology in July 2016 warned against using text-message-based two-factor authentication. (It's too easy to spoof or to intercept a text message.)
So Yubico and other makers of 2FA USB keys hope their devices catch on, and Patrick showed that these indispensable security devices can be produced cheaply and fairly easily.
Patrick's token key uses the Universal 2nd Factor (U2F) standard, an open standard developed by Google and Yubico and now managed by the FIDO (Fast Identity Online) Alliance, a consortium of companies that includes American Express, Intel, Lenovo and PayPal among its members.
Patrick located cheap USB printed circuit boards and central processing chips in China, and wrote much of the software himself. We'll spare you the technical details, which you can read on Patrick's blog. If you're technically-minded, go to GitHub for his instructions on how to make your own 2FA USB keys.