How to Make Your Own Two-Factor Authentication Key

WASHINGTON — You don't need to spend $40 or $50 to get a two-factor authentication (2FA) USB key to help you log into web accounts. Instead, you can build one yourself, or, failing that, buy one for $8 on Amazon.

The U2F Zero key. Credit: Conor Patrick/ConorCoThe U2F Zero key. Credit: Conor Patrick/ConorCo

That's what Virginia Tech graduate student Conor Patrick, who related his experiences here today (Jan. 13) at the ShmooCon hacker conference, discovered when he set out to build his own 2FA key. He figured out how to program and produce the keys cheaply, and he has put all his methods and software online for anyone to use.

Even better, Patrick is selling the key, which he calls U2F Zero, for $8 on Amazon. That's less than half what Yubico, the most popular brand of 2FA USB key, sells its cheapest model for.

MORE: Best Password Managers

2FA keys are yet another way to implement two-factor authentication. Instead of waiting for a numeric code to be texted to your phone when you log into Google or Dropbox from a new computer, you simply plug the key into a USB port on your computer. Boom! The new computer is verified.

2FA keys may come into greater use soon, as the National Institute for Standards and Technology in July 2016 warned against using text-message-based two-factor authentication. (It's too easy to spoof or to intercept a text message.)

So Yubico and other makers of 2FA USB keys hope their devices catch on, and Patrick showed that these indispensable security devices can be produced cheaply and fairly easily.

Patrick's token key uses the Universal 2nd Factor (U2F) standard, an open standard developed by Google and Yubico and now managed by the FIDO (Fast Identity Online) Alliance, a consortium of companies that includes American Express, Intel, Lenovo and PayPal among its members.

Patrick located cheap USB printed circuit boards and central processing chips in China, and wrote much of the software himself. We'll spare you the technical details, which you can read on Patrick's blog. If you're technically-minded, go to GitHub for his instructions on how to make your own 2FA USB keys.

Create a new thread in the Antivirus / Security / Privacy forum about this subject
This thread is closed for comments
1 comment
    Your comment
  • Bill S0
    If security is what someone is really concerned about, is buying a gadget filled with binary by someone at a hacker conference with a chip made in China and there is no way in the world that anyone can really really know exactly what a USB device actually does in the moment it is plugged in... giving us that warm feeling of confidence in security? Is even buying "direct from Yubico" and assuming your package didn't get switched with another one during transit by some contractor riding in a big brown truck working for a three letter agency or the local authorities or the equivalent of some GeekSquad employee who gets paid $500 every time he substitutes a "special" key... giving us that warm feeling of confidence in security? Please correct me if I am wrong, but I believe the last couple of times I've pressed for an answer that I have been told there is actually no way for a user to really be able to certify the security of the key that they are holding in their hand.