
Security key to protect Gmail, Twitter, GitHub. Open, improved NFC, water resistant, reversible USB. | Check out 'Solo V2 - Safety Net Against Phishing' on Indiegogo.
I see it supports firmware updates, and I see nothing about whether it uses an actual hardened secure element chip. I’m not convinced I would trust this device.
There’s a reason Yubikeys can’t be updated, and it’s not to sell more Yubikeys.
Yes to both.
We do support firmware upgrade, unlike other security keys. For example in 2020 we patched a couple security issues, while Yubico, Google Titan and Feitian all recalled keys. Specs and thus firmware are getting bigger and more complex, so we believe that updates are the only way to maintain security in the long run.
We do not use a secure element, unlike other keys. This is not a statement, it’s just a fact. If you want an open product, there’s no “secure element” available that doesn’t require an NDA. We hope that our work (we’re not alone in this) will motivate manufacturers to release secure elements with less obscurity around them.
To add to this, we would like to be able to run open source & update-able code and leverage EAL certified secure elements. Chips like the SE050 have recently come on the market and will likely end up on our products eventually.
Define "trust". Or more appropriately "threat model".
My biggest problem is not the key.
My biggest problem is the fact that I can't easily roll keys out in a startup with 5 people and not become the customer service IT person handling security problems every day.
Solve THAT problem and I'll pay a monthly fee for your service.
Here’s my threat model: attacker gets physical access to the key for five minutes. They should not be able to break future uses of that same key without causing very obvious failures. If installing malicious firmware were to wipe the key, that would help some.
> Here’s my threat model: attacker gets physical access to the key for five minutes.
That threat is so far off the typical path that it can't even see civilization anymore.
However, simply encasing the key in acrylic would solve your use case.
These keys are meant to solve the typical remote attacks like phishing--and they do that extremely well.
They also are quite good at stopping the: "Someone stole my laptop and now has access to everything." If the key is on your keychain, that scenario is stopped cold.
These keys are not really meant to solve one-to-one attacks by determined adversaries. And, to be fair, such an adversary is going to compromise your OpSec LONG before he tries to compromise your key.
I can't tell what is supposed to be new in v2.
The only things I see are 10x faster NFC, and "reversible", whatever that means.
Does reversible mean you can plug it in without looking, because there is no upside-down?
It is far from clear what the NFC feature actually does. Does it mean it doesn't need to be plugged into the USB port to work? Uses passive components, or draws enough power from NFC to operate?
I know that v1 (or, anyway, Somu) supported only ECDSA keys, not ED25519, and only one key per physical device. Is that changed?
New in V2:
- More secure microcontroller supporting secure boot, PUF, flash encryption, etc.
- Firmware rewritten in Rust.
- Much more robust and durable construction.
- Touch buttons, reversible USB-A, USB-C
NFC is passively operated similar to other authenticators and is more reliable.
ED255 is supported in V2!
If ED works with ssh, I'm very interested and I'll buy a few as long as price isn't outrageous - I don't mind supporting development. I have a couple of somu, but ed25519 didn't seem to pan out (haven't tried).
Personally, I would prefer flush mount and/or tactile buttons, but NBD.
Hope they will be available on other than kickstarter, as I never got it to work, with all their tracking and what-not.
Did I guess right what "reversible" means? Maybe the page should actually say, so readers are not obliged to guess. My first thought was that it had USB-C on one end and USB-A on the other. But studying the pics did not confirm that.
Does it support installing more than one key?
Reversible refers to the plug. USB-C is of course reversible, and USB-A also is.
There’s no constraint on the number of keys. You can use 1 device with unlimited sites, both v1 and v2, because keys are generated on-the-fly and not stored.
(There’s a limit on number of resident keys, and we supported 50 in v1, while for example yubikeys support 25. So far these are rarely used, if ever.)
I have a Somu. The docs I have found say it can only store one resident key. Is it particularly limited, vs. the Solo v1?
No, it's incorrect. Do you have a link so we can fix?
Somu can store 50 resident keys exactly like Solo v1, as it has exactly the same MCU. In both there's a single master secret that's used to derive the (non-resident) keys. That's the only thing that's unique.
NFC is for phones usually.
Seems that the GIF image showing plugging into a MacBook Pro shows that either the USB or the socket in the Mac is angled. Please make a different video.
(happy owner of solo1)
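The replies above say non-resident keys are "generated on-the-fly and not stored" from a single master secret. The sketch below is an added example, not Solo's firmware or code from any participant in this thread: it shows one common way such a stateless authenticator can work, where the site keeps a credential ID and the device re-derives the per-site key from it. The HMAC-SHA256 construction, the field lengths, the labels and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16  # assumed length of the random part of the credential ID
TAG_LEN = 16    # assumed length of the truncated MAC appended to it


class StatelessAuthenticator:
    """Toy model (hypothetical): one master secret, no per-site storage."""

    def __init__(self, master_secret: bytes):
        self._master = master_secret

    def _mac(self, label: bytes, *parts: bytes) -> bytes:
        # Fixed-length label and fields, so plain concatenation is unambiguous.
        return hmac.new(self._master, label + b"".join(parts), hashlib.sha256).digest()

    def register(self, rp_id: str) -> bytes:
        """Return a credential ID; the site stores it, the device stores nothing."""
        rp_hash = hashlib.sha256(rp_id.encode()).digest()
        nonce = os.urandom(NONCE_LEN)
        tag = self._mac(b"tag", rp_hash, nonce)[:TAG_LEN]
        return nonce + tag

    def derive_key(self, rp_id: str, credential_id: bytes) -> bytes:
        """Re-derive the per-site private key seed, or raise if the ID is not ours."""
        if len(credential_id) != NONCE_LEN + TAG_LEN:
            raise ValueError("malformed credential ID")
        nonce, tag = credential_id[:NONCE_LEN], credential_id[NONCE_LEN:]
        rp_hash = hashlib.sha256(rp_id.encode()).digest()
        expected = self._mac(b"tag", rp_hash, nonce)[:TAG_LEN]
        # Constant-time check binds the ID to this device AND to this site,
        # so an ID replayed by a look-alike domain is refused.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("credential ID not issued by this key for this site")
        return self._mac(b"key", rp_hash, nonce)


def accepts(auth: StatelessAuthenticator, rp_id: str, credential_id: bytes) -> bool:
    """True if the authenticator would sign for this (site, credential ID) pair."""
    try:
        auth.derive_key(rp_id, credential_id)
        return True
    except ValueError:
        return False
```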