I’m excited to announce that today we are releasing a new product, the Librem Key, a open hardware USB security token that runs free software and can act as an OpenPGP smart card and perform standard 2FA tasks you would expect from a similar security token.
More exciting, the Librem Key can integrate with our Heads tamper-evident boot to make detecting tampering incredibly easy–plug in the Librem Key and boot, and if it blinks green it’s good, if it blinks red, you’ve been tampered with.
The existing Nitrokey Pro v1 has different firmware than the Librem Key so it wouldn’t be able to do things like the Heads integration with the existing firmware. A lot of our plans outside of Heads would use standard GPG smartcard features though, so in theory you could use other OpenPGP smartcards.
Currently the Librem Key doesn’t support FIDO U2F–that requires a physical button and different firmware. FIDO U2F is typically a separate feature that you often don’t find on these more fully-featured security tokens that can handle GPG key generation etc. and typically vendors that sell them offer cheap $20 standalone keys that do just that one feature so it’s easier to hand them out to everyone in an enterprise, for instance.
All of the PIN-based settings and limitations are something you could tweak like with other OpenPGP smartcards using GPG tools. Here’s Debian’s OpenPGP smartcard guide: https://wiki.debian.org/Smartcards/OpenPGP
We are still working on our docs, but because we worked with Nitrokey on this device, a lot of the docs for the Nitrokey Pro will also apply to our Librem Key too as we are using the same open hardware and similar free software firmware.
You are right that USB-C would make the most sense and I’d like to see Librem Key use that down the road but it just wasn’t available at the time we started work on this. I imagine at some point in the future a new version of the Librem Key will feature USB-C.
It supports RSA 2048-4096 bit keys and the following 256-512 bit elliptic curves: NIST P-256, P-384, P-521
(secp256r1/prime256v1, secp384r1/ prime384v1, secp521r1/prime521v1), brainpoolP256r1, brainpoolP384r1, brainpoolP512r1.
It could still work, but you would have to remove/reinsert the key to confirm that you are present. An U2F key with a button saves you the trouble and the wear on the USB port. (I think they are rated for a large number of insertions, but still…)
A touch area, like Yubico use on their keys, would have a lower BOM cost than a push button and would also not wear out. Perhaps that solution is patented, though?
Also, U2F can use RFID at the transport layer, in which case you would tap the key to your phone/device. No button needed. Would be perfect on the LIbrem 5 (but there’s no on-chip RFID support on the i.MX8 IIRC, despite NXP being RFID pioneers ). Would be nice on the Librem laptops, too, but can’t remember seeing any laptop (any brand) with RFID.
I think Bluetooth (LE?) is supported, too, but I’m not 100% sure. That would need a button, though.
Except maybe the Yubikey 4, which does U2F in addition to GPG, OTP, and other stuff.
I’d like to add that a neat thing about U2F is that there is no shared secret between the key and the computer/phone/web service you authenticate to. It uses public key cryptography. Even if the data is stolen from the phone/computer/service the key as such is not compromised.
Not so with TOTP/HOTP… Whoever gets the shared secret from a file or database will be able to clone the key and in effect bypass the 2FA.
I have the impression that it is a bit of a chicken-and-egg situation, but some major players seem to offer U2F since quite some time. Like Dropbox, Lastpass, Bitwarden, Gitlab, Github, Google and Facebook. (I don’t care even for 1FA with some of those, but never mind )
Having a single 2FA key on my keyring for web sites, computers and my phone would be a dream…