On January 30, 2020, Google announced it was creating OpenSK, an open source FIDO/U2F implementation, in the hopes of spurring broader research and implementation of the security technology.
Today, FIDO security keys are reshaping the way online accounts are protected by providing an easy, phishing-resistant form of two-factor authentication (2FA) that is trusted by a growing number of websites, including Google, social networks, cloud providers, and many others. To help advance and improve access to FIDO authenticator implementations, we are excited, following other open-source projects like Solo and Somu, to announce the release of OpenSK, an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.
By opening up OpenSK as a research platform, our hope is that it will be used by researchers, security key manufacturers, and enthusiasts to help develop innovative features and accelerate security key adoption.
Of course after I buy a half-dozen YubiKey 4 keys, the company goes and releases the YubiKey 5 series with FIDO2/WebAuthn support. 🙂
Single-Factor Authentication (Passwordless) with the YubiKey 5 Series – The YubiKey 5 security keys can be used alone for strong single-factor authentication, requiring no username or password to log in — just tap or touch to authenticate.
Second-Factor Authentication with the YubiKey 5 Series – Used alongside a username and password, the YubiKey 5 series offers a strong second factor of authentication. This is the YubiKey integration that exists today with services like Google, Twitter, and Facebook, and it is most familiar to our users.
Multi-Factor Authentication (Passwordless + PIN + Touch) with the YubiKey 5 Series – The YubiKey 5 series can be used in conjunction with a PIN for user verification. In this case, the PIN unlocks the device locally and touch is still required for the YubiKey to perform the authentication.
Really looking forward to seeing what the uptake on passwordless single-factor authentication turns out to be, especially as Google’s recently released hardware authentication key also supports it.
I had some concerns about physical security with the passwordless authorization, but it appears that users can add a PIN to the authentication keys in that setup if desired.