The author, Conor Patrick's personal site has a "looking for work" page[1]. It reads:<p><pre><code> I want to work on projects that do good.
I don’t want to work on projects regarding surveillance
or the weakening of existing cryptosystems.
</code></pre>
Way to go Conor!<p>[1]: <a href="https://conorpp.com/work/" rel="nofollow">https://conorpp.com/work/</a>
My barrier to entry with a lot of DIY hardware projects was an incorrect assumption that it was difficult/expensive to get PCBs made. Looking into this, I found the blog of the guy running this project and he had some experience with various cheap PCB vendors, with stencils going as low as $18. [1]<p>[1]: <a href="https://conorpp.com/2016/03/13/my-experience-with-dirtypcbscom/" rel="nofollow">https://conorpp.com/2016/03/13/my-experience-with-dirtypcbsc...</a>
Two comments on the circuit:<p>1. If you're willing to add two more diodes, you can make the USB connector two-sided so that it can plug in either way. See <a href="http://electronics.stackexchange.com/questions/209941/two-sided-connectorless-usb-on-a-pcb" rel="nofollow">http://electronics.stackexchange.com/questions/209941/two-si...</a> for explanation.<p>2. The ALPS SKQGAKE010 (<a href="http://www.mouser.com/search/ProductDetail.aspx?R=0virtualkey0virtualkeySKQGAKE010" rel="nofollow">http://www.mouser.com/search/ProductDetail.aspx?R=0virtualke...</a>) is inexpensive and popular. It looks like it's lower-profile than the button used in the current design, which means it'd be more likely to survive for a long time in a pants pocket, jangling along with a bunch of keys.
I just hope the keys are not his home/office keys. Please do not secure access to your digital life with a U2F token and break the security of your <i>real</i> life by putting a picture of your keys in the open...
Linux users should use cross-vendor U2F support rather than hardcoding device ids into the udev rules:<p><a href="https://github.com/amluto/u2f-hidraw-policy" rel="nofollow">https://github.com/amluto/u2f-hidraw-policy</a>
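u2f-hidraw-policy takes the cross-vendor route by recognising a U2F token from the FIDO usage page (0xF1D0) in its HID report descriptor rather than from a vendor/product ID list. As an added illustration of that check (not the project's own code), here is a small Python parser run over two constructed descriptors: the one given in the FIDO U2F HID protocol spec and a plain keyboard.

```python
FIDO_USAGE_PAGE = 0xF1D0   # FIDO Alliance usage page from the U2F HID spec
FIDO_USAGE_U2FHID = 0x01   # U2FHID usage within that page

def hid_items(desc: bytes):
    """Yield (type, tag, size, value) for each short item of a HID report descriptor."""
    i = 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                      # long item (rare): skip header and payload
            i += 3 + desc[i + 1]
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]      # bSize encodes 0/1/2/4 data bytes
        data = desc[i + 1:i + 1 + size]
        if len(data) != size:
            raise ValueError("truncated HID report descriptor")
        # bType: 0 = Main, 1 = Global, 2 = Local; bTag selects the item kind
        yield (prefix >> 2) & 0x03, prefix >> 4, size, int.from_bytes(data, "little")
        i += 1 + size

def is_fido_device(desc: bytes) -> bool:
    """True if the descriptor opens an Application collection for usage 0xF1D0:0x01."""
    usage_page = None
    usages = []                                 # Local items pending the next Main item
    for itype, tag, size, value in hid_items(desc):
        if itype == 1 and tag == 0x0:           # Global: Usage Page
            usage_page = value
        elif itype == 2 and tag == 0x0:         # Local: Usage (4-byte form carries its own page)
            usages.append((value >> 16, value & 0xFFFF) if size == 4 else (usage_page, value))
        elif itype == 0:                        # Main item: Collection / Input / Output / ...
            if tag == 0xA and value == 0x01 and (FIDO_USAGE_PAGE, FIDO_USAGE_U2FHID) in usages:
                return True                     # Collection (Application) with the FIDO usage
            usages = []                         # Local state resets after every Main item
    return False

# Constructed sample: the report descriptor given in the FIDO U2F HID protocol spec.
U2F_DESC = bytes([
    0x06, 0xD0, 0xF1,              # Usage Page (FIDO, 0xF1D0)
    0x09, 0x01,                    # Usage (U2FHID)
    0xA1, 0x01,                    # Collection (Application)
    0x09, 0x20, 0x15, 0x00, 0x26, 0xFF, 0x00, 0x75, 0x08, 0x95, 0x40, 0x81, 0x02,  # 64-byte input report
    0x09, 0x21, 0x15, 0x00, 0x26, 0xFF, 0x00, 0x75, 0x08, 0x95, 0x40, 0x91, 0x02,  # 64-byte output report
    0xC0,                          # End Collection
])
# Constructed sample: an ordinary keyboard (Generic Desktop page, Keyboard usage).
KEYBOARD_DESC = bytes([0x05, 0x01, 0x09, 0x06, 0xA1, 0x01, 0xC0])
```

A udev helper built on this would grant the console user access to any hidraw node whose descriptor passes the check, whatever the vendor.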
I'm curious about the following statement in the README:<p><i>> The token is durable enough to survive on a key chain for years, even after going through the wash.</i><p>On the other hand, the token is shown as "naked electronics", without a husk.<p>Is that really sufficient for such a device? Does it really withstand (mineral) water, mechanical stress (key chain), let alone the combination of both (washing)?
Haven't tried it yet, but there is this for smartcards. Not sure if it will work with blank Java cards; I mean, they provide the CAP file and source.<p><a href="https://github.com/LedgerHQ/ledger-u2f-javacard" rel="nofollow">https://github.com/LedgerHQ/ledger-u2f-javacard</a>
Nice! I initially wanted to build a similar device using just an ATtiny85 that speaks USB using USBtiny [1] or V-USB [2]. It would be low-cost but also not secure. Using a crypto processor like the ATECC508A is obviously a saner choice.<p>[1] <a href="http://dicks.home.xs4all.nl/avr/usbtiny/" rel="nofollow">http://dicks.home.xs4all.nl/avr/usbtiny/</a>
[2] <a href="https://www.obdev.at/products/vusb/index.html" rel="nofollow">https://www.obdev.at/products/vusb/index.html</a>
This project is awesome, but I'd be worried about my hand brushing up against all that lead every day for years. Or am I being too paranoid? In any case, easily solved with some casting epoxy.
U2F seems great. I've just started using it and am looking for a device. Maybe now I'll build my own! His article on accelerating a program with hardware was a great read too. <a href="https://conorpp.com/2015/12/16/how-to-accelerate-a-program-with-hardware/" rel="nofollow">https://conorpp.com/2015/12/16/how-to-accelerate-a-program-w...</a>
Here is a shared Mouser project list with the eight parts: <a href="http://www.mouser.com/ProjectManager/ProjectDetail.aspx?AccessID=ec674f0a7f" rel="nofollow">http://www.mouser.com/ProjectManager/ProjectDetail.aspx?Acce...</a><p>I haven't carefully checked that the part numbers are equivalent. If you find an error, please let me know.
The programmer link is not working.<p>> The page isn't redirecting properly<p><a href="http://www.digikey.com/product-detail/en/silicon-labs/DEBUGADPTR1-USB/336-1182-ND/807653" rel="nofollow">http://www.digikey.com/product-detail/en/silicon-labs/DEBUGA...</a>
Is there anything written on why this is a valid choice for improving op-sec versus going with a commercial offering?<p>Open source made from parts seems like it would be very much under your own control. But it is also... <i>bespoke</i>. Which raises a different threat model, doesn't it?
As far as I understood the U2F standard, the dongles need a FIDO-issued manufacturer key. Do sites accepting U2F just not check that the corresponding signature is present?