In recent years, Google's work on security keys has ranged from making its own Titan series to introducing security keys that can be integrated with existing Android and iOS smartphones. Throughout, Google has been paying attention to the field of security keys. To stimulate innovation, Google today launched OpenSK, an open-source project that allows developers to build their own security keys.
OpenSK is an open-source implementation of security keys that supports the FIDO U2F and FIDO2 standards. This two-factor authentication method can effectively resist phishing attacks. After you log in to your online account, you must personally present a key-shaped dongle or key fob to confirm your identity.
By opening OpenSK as a research platform, Google hopes that more researchers, security key makers and enthusiasts will use it. Google allows developers to build their own security keys by flashing the OpenSK firmware onto off-the-shelf Nordic chip dongles for $10. This process can be done as long as the hardware has NFC, along with Bluetooth Low Energy and a USB-A interface with a professional hardware encryption core.
Google offers customizable 3D-printed protective sleeves. It also pointed out how to use OpenSK to build a “full-featured FIDO authenticator”. However, Google emphasized that the experimental project is meant for “testing and research”.
Under the hood, OpenSK is written in Rust and runs on TockOS. This combination provides better isolation, a more concise system abstraction, and, in summary, guaranteed security. Rust’s strong memory safety and zero-cost abstractions make the code less vulnerable to logic attacks. With its sandbox architecture, TockOS isolates the security key’s sub-applications, drivers, and kernel from one another. This isolation is a requirement for building defense-in-depth.