How to Get a Better Two-Factor Authentication Key for $20
The people behind the first DIY USB security key have a new model that supports the latest two-factor authentication standards.
Two years after debuting his first open-source two-factor-authentication (2FA) USB security key at the 2017 Shmoocon hacker conference, former graduate student and present-day entrepreneur Conor Patrick showed off his latest creation, the Solo security key, at this past weekend's Shmoocon in Washington, D.C.
Like its predecessor, the Solo key is cheap to buy at $20, and you can build one yourself instead if you choose — all the hardware instructions and software are posted online.
The new Solo key supports the new FIDO2 standard as well as the older U2F standard, comes in a USB-C variant as well as in the traditional USB-A format and has a soft plastic shell to cover the electronics. (The original key, the U2F Zero, had an exposed circuit board.)
There's also a Solo key with unlocked software so that hackers can tinker with it. A version with NFC wireless support, the Solo Tap, is on the way and will interact with Android phones.
Patrick has also set up a company to manufacture and sell the Solo keys, and you can buy one directly from the company website as well as Amazon.
MORE: What Two-Factor Authentication (2FA) Is — And How to Enable It
Security keys are used as a second factor in two-factor authentication protocols, and are even more secure than temporary codes sent via SMS text message.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
For example, you can set up security keys in Google, and when you log into Google from a new computer for the first time, you can plug the security key into the computer's USB port to verify who you are. (You'll still have to enter a password first, but the FIDO2 standard means you might not have to soon.)
Either USB-A or the USB-C versions of the Solo Key should work with any online service that supports U2F or FIDO2, including Google, Facebook, Dropbox and the Dashlane and Keeper password managers.
However, the Solo key won't work with LastPass, as that password manager supports only Yubico's proprietary Yubikey security keys. Nor is it likely that the upcoming Solo Tap will work with iOS, which does not support NFC to the same degree as Android.
(iOS devices already work with the Bluetooth-based Titan security keyfobs sold by Feitian and Google, and a Yubikey out later this year will have a Lightning plug to work with iPhones and iPads.)
The USB-A version of the Solo key costs $20, and at the moment it has pretty much the same capabilities as Yubico's identically priced, basic blue Security Key (which not a Yubikey, as it uses only open standards).
But Patrick said the Solo key will get firmware updates to extend its capabilities into other authentication formats such as one-time passwords, static passwords and smart cards, which most Yubikeys already support.
The USB-C Solo key sells for $25, and there's no direct competitor to it yet. Yubico's Yubikey 4 series includes USB-C models, but they don't support FIDO2. The Yubikey 5 series does support FIDO2 and has USB-C variants, but they cost at least twice as much as the USB-C Solo due to Yubico's proprietary software.
We were given a Solo Key to play with at Patrick's presentation, and had no trouble adding it as a second security key on a Google account. The only slight hiccup was when Chrome asked permission to examine the key's software; after permission was granted, everything went smoothly. Later, we used the Solo key to log into a new laptop, and everything worked without a hitch.
Photo credits: Tom's Guide
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.