U2F keys can be purchased online for the price of a cup of coffee. They’re being touted as the next best thing in online security authentication.

How do you know that the key that arrives at your doorstep is unique and doesn’t produce predictable or known output?

There’s plenty of opportunities for this to occur with online repositories with source code and build instructions.

Price of manufacturing is so low that anyone can make a key for a couple of dollars. Sending out the same key to everyone seems like a viable attack vector for anyone who wants to spend some effort into getting access to places protected by a U2F key.

Why, or how, do you trust such a key?

The recent XZ experience shows us that the long game is clearly not an issue for some of this activity.

  • lud@lemm.ee
    link
    fedilink
    arrow-up
    13
    ·
    7 months ago

    Where do you get a key for the price of a cup of coffee? The ones I found are quite expensive.

  • lemmyreader@lemmy.ml
    link
    fedilink
    English
    arrow-up
    3
    ·
    7 months ago

    Interesting question. No answer, but I’d buy a few of these keys, and see whether they act different.

  • ArcaneSlime@lemmy.dbzer0.com
    link
    fedilink
    arrow-up
    1
    ·
    7 months ago

    Idk, but I just picked up a flipper 0 and installed some custom firmware and there’s a u2f app on it. I was wondering what that was, so thanks for the info, but to your question maybe that could be a solution (idk how that app works yet though, maybe not).