This Open-Source Security Key Helps You Ditch Software Authenticators

Photo: John Biggs/Gizmodo

Accidentally deleting your Google Authenticator app is a nightmare. The app, which generates one-time codes for many websites, is usually your key to many major email services, including Gmail, domain name services like Namecheap, and even banking services. If you forget to move these codes over to a new phone when you upgrade, for example, you’re sunk.


That’s why open-source USB-A and USB-C keys, like the popular YubiKeys, are so important. To use them, you plug them in and connect them to applicable services by pressing an on-board button.

The SoloKey 2 is one such device, created by Conor Patrick, a college student-turned-hardware builder. Patrick has posted the source code for all to see and he’s crowdfunding the SoloKey 2 for $34—that’s about $20 less than a YubiKey. He’s raised $400,000 and the product is set to ship this September.

“I started working on this in college and never stopped,” Patrick told Gizmodo. “I assembled a team for the second generation to make the first Solo, and we funded ourselves off of Kickstarter. But Solo was missing a lot of improvements needed to allow us to make enterprise sales. We’ve worked hard to make Solo 2 and believe this product can be a strong authenticator for everyone. We’ve been bootstrapping this from the beginning.”


The SoloKeys work with most major two-factor authentication setups, including FIDO2/WebAuthn, and you can use them with Google products, Facebook, Dropbox, Okta, and Microsoft accounts.

Patrick sent us two early versions of the hardware to test out, and they worked. The SoloKey 2 only works with Chrome currently, so you’ll probably still have to create a one-time code if you’re mainly using Safari, but for everyone else, it’s a lower-cost alternative to pricey security keys. I was able to connect it to my GitHub account instantly by simply inserting the key and touching the sides to activate it.


Devices like the SoloKey are invisible until you absolutely need them. As someone who has often forgotten to move over 2FA authentication keys during an upgrade, having a backup like this is a real godsend. It may look boring, but this little key could be a lifesaver.

John Biggs is a writer from Ohio who lives in Brooklyn. He likes books, watches, and his dog. He is the Editor-in-Chief of Gizmodo. Signal: +16468270591 Telegram: @johnbiggs

DISCUSSION

lostcreds
Lost credentials again

1. Google Authenticator makes it really easy to transfer the shared secret to another phone these days. Or if you trust Authy, that stores that (encrypted, they claim) on their server.

2. While the source code is open source, is there any way to verify that’s what is being flashed onto the microcontroller? FWIW I’m not that paranoid, but if you

3. Google has OpenSK if you really want to roll your own.

4. If you lose or damage this, you’ll need your Authenticator app, so you better have it backed up.

5. What’s with these devices? Why do they expose the copper traces? I’d feel so much better about them if there’s a cover over that.

6. Their FAQ says they work with Firefox, Safari, Edge and Opera as well.