Last month, Google unveiled a new open-source project called OpenSK. It’s part of a bid to inch the needle forward in the battle to move beyond the password.
OpenSK provides downloadable firmware that you can flash onto a USB dongle. It creates a security key that complies with the FIDO2 standard.
FIDO2 comes from the industry-backed FIDO Alliance. Standing for Fast IDentity Online, the Alliance was formed to create specifications that make logging into online services more secure, especially logins from mobile devices.
There are three specifications under the FIDO standard. The first, the Universal Authentication Framework (UAF), lets people log in using biometrics like fingerprints. The second, Universal Second Factor (U2F), lets people log on using a hardware key in addition to their password: you plug the key into a reader, or tap it on an NFC reader. Finally, there's FIDO2, which uses a protocol called Web Authentication (WebAuthn). This passes the digital key stored on the hardware token directly to the online service, which, if it supports the protocol, uses it to log you in, no password required.
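The login flow described above, as an added example that is not code from the article, from OpenSK or from the FIDO Alliance. It is a simplified model in Go of how a FIDO2/WebAuthn authenticator and an online service (the "relying party") interact: the private key is generated on the token and never leaves it; what the service receives at registration is the public key, and what it receives at login is a signature over its own fresh challenge. The names `Authenticator`, `RelyingParty`, `Assert`, `Verify` and the domains `bank.example` and `bank-login.example` are assumptions for the demo, and the client-data encoding is a constructed stand-in for WebAuthn's clientDataJSON. It also shows two properties the article's one-sentence description leaves implicit: a captured assertion cannot be replayed (the signature counter must advance), and a look-alike domain cannot obtain a signature for the real site (the key is bound to the relying-party ID the browser derives from the page origin).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator stands in for the security key (simplified model, not OpenSK).
// Private keys are created here and never leave; only signatures do.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // "rpID/credentialID" -> private key
	counter uint32                       // signature counter, bumped per assertion
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register mints a fresh P-256 key pair bound to rpID and returns the credential
// ID plus the public key, which is all the relying party gets to store.
func (a *Authenticator) Register(rpID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", nil, err
	}
	credID := fmt.Sprintf("%x", id)
	a.keys[rpID+"/"+credID] = priv
	return credID, &priv.PublicKey, nil
}

// Assertion is what the authenticator hands back at login time.
type Assertion struct {
	AuthData   []byte // sha256(rpID) || flags || 4-byte counter
	ClientData []byte // constructed stand-in for clientDataJSON: "<hex challenge>|<origin>"
	Signature  []byte // ECDSA (ASN.1) over AuthData || sha256(ClientData)
}

// Assert signs the relying party's challenge. rpID is what the browser derives
// from the page origin, so a look-alike domain finds no matching credential.
func (a *Authenticator) Assert(rpID, credID string, challenge []byte, origin string) (*Assertion, error) {
	priv, ok := a.keys[rpID+"/"+credID]
	if !ok {
		return nil, errors.New("no credential registered for this relying party")
	}
	a.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, a.counter)
	authData := append(append(append([]byte{}, rpHash[:]...), 0x01), ctr...) // 0x01 = user present
	clientData := []byte(fmt.Sprintf("%x|%s", challenge, origin))
	cdh := sha256.Sum256(clientData)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientData: clientData, Signature: sig}, nil
}

// RelyingParty is the online service. It holds public keys only.
type RelyingParty struct {
	ID, Origin string                      // e.g. "bank.example", "https://bank.example"
	creds      map[string]*ecdsa.PublicKey // credential ID -> public key
	counters   map[string]uint32           // last accepted signature counter per credential
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, creds: map[string]*ecdsa.PublicKey{}, counters: map[string]uint32{}}
}

func (rp *RelyingParty) AddCredential(credID string, pub *ecdsa.PublicKey) { rp.creds[credID] = pub }

// Challenge returns 32 fresh random bytes; a new one is issued for every login.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks rpID binding, challenge/origin freshness, counter monotonicity
// and finally the signature, in that order.
func (rp *RelyingParty) Verify(credID string, challenge []byte, as *Assertion) error {
	pub, ok := rp.creds[credID]
	if !ok {
		return errors.New("unknown credential")
	}
	rpHash := sha256.Sum256([]byte(rp.ID))
	if len(as.AuthData) != 37 || !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return errors.New("assertion bound to a different relying party")
	}
	if want := []byte(fmt.Sprintf("%x|%s", challenge, rp.Origin)); !bytes.Equal(as.ClientData, want) {
		return errors.New("challenge or origin mismatch")
	}
	ctr := binary.BigEndian.Uint32(as.AuthData[33:37])
	if ctr <= rp.counters[credID] {
		return errors.New("signature counter did not advance: replay or cloned key")
	}
	cdh := sha256.Sum256(as.ClientData)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdh[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("invalid signature")
	}
	rp.counters[credID] = ctr
	return nil
}

// Demo runs registration, a genuine login, a replay of the same assertion and a
// login attempt from a look-alike domain, and reports how each was handled.
func Demo() (legitOK, replayRejected, phishRejected bool, err error) {
	key := NewAuthenticator()
	bank := NewRelyingParty("bank.example", "https://bank.example")
	credID, pub, err := key.Register(bank.ID)
	if err != nil {
		return
	}
	bank.AddCredential(credID, pub) // registration: the service stores the public key only
	ch, err := bank.Challenge()
	if err != nil {
		return
	}
	as, err := key.Assert(bank.ID, credID, ch, bank.Origin)
	if err != nil {
		return
	}
	legitOK = bank.Verify(credID, ch, as) == nil
	replayRejected = bank.Verify(credID, ch, as) != nil
	// The browser derives rpID from the origin the user is really on, so a
	// phishing page cannot ask the key to sign for bank.example.
	_, perr := key.Assert("bank-login.example", credID, ch, "https://bank-login.example")
	phishRejected = perr != nil
	return
}

func main() {
	l, r, p, err := Demo()
	fmt.Println("genuine login accepted:", l, "| replay rejected:", r, "| look-alike domain rejected:", p, "| err:", err)
}
```

The verification order in `Verify` mirrors the checks a real WebAuthn relying party performs (relying-party ID hash, challenge and origin, signature counter, then the signature itself); real deployments also attach a credential ID rather than a per-RP lookup, and carry a JSON client-data document instead of the constructed string used here.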
The likes of Google and Yubikey (which between them created U2F) already sell hardware-based security keys that support FIDO2. Google's OpenSK makes the software available to far more people to tinker with.
A business wouldn't, and shouldn't, use this new project to create cheap security keys for its employees. You'd have to buy the dongles online (the firmware is designed for two specific pieces of hardware from Nordic Semiconductor), then flash it onto each dongle, which doesn't even come with a case (Google provides the plans for you to 3D print your own).
What Google has done with this implementation is lend more support to the protocol, by giving hackers and makers the chance to tinker with the standard and develop their own products and services based on it. That makes it likely we'll see more online services supporting FIDO2 and more hardware products taking advantage of it.
That matters, because we need something like FIDO2 to get us beyond passwords. At a time when over two-thirds of passwords are still people's names, and the most common name used as a password is "George", something like FIDO isn't just a nice-to-have; it's crucial to stopping the onslaught of credential stuffing attacks.