I’ve wanted to try U2F and WebAuthn for a while now, preferably with dedicated hardware.

Solokeys are exactly that, but as opposed to most security keys, they are entirely open-source, both the software and the hardware!

So, after a bit of extra research (compatibility, security audits / known flaws, etc.), I finally ordered a few:

  • 1 USB-C with NFC (to be my main key)
  • 1 USB-C (to be my backup key)
  • 1 USB-A with NFC for each of my family members (that seemed like the safest choice for maximum compatibility for non-technical people)

First contact

Let’s try these beauties!

I was impatient to try them out, and didn’t even take the time to read the instructions.

Plugged it into a USB slot through a passive C-to-A adapter (yeah, I took USB-C models despite not having any USB-C port on my laptop. I know!), opened my Firefox, connected to my Google Account settings, went to the security settings, followed the instructions… and guess what? It just works™.

To be honest, I was genuinely surprised. I knew the support was supposed to be there, but I expected a number of things to go wrong.

Among other things:

  • Non-standard desktop environment (i3)
  • Heavily customized Firefox
  • Linux support in general

Next steps

The smoke-test being a shining success, let’s actually open the quick-start guide.

Mostly useless, to be honest. I was expecting some kind of full user guide, but it was pretty empty. On the other hand, it worked out of the box, so, well, in a way it’s fair to have a short quick-start page.

Let’s poke around the FAQ; a few interesting pieces of information:

  • I was lucky to be running Fedora. It’s the only mainstream Linux distro where it runs out of the box. No big deal for the others though, just a udev rule to add, and packaged support is getting there. Got it working on Ubuntu and Manjaro in a few minutes just by following the linked instructions.
  • There’s a CLI package to do administration / maintenance, including upgrades. Let’s start with that.
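As an added example of mine (not from the post, the FAQ or the SoloKeys project), here is the shape of the udev rule the FAQ refers to, together with a small shell check of what `lsusb` reports. The vendor/product ID 0483:a2ca is my assumption for a Solo in normal operation; confirm it against `lsusb` on your own machine before trusting the rule.

```shell
#!/bin/sh
# Added example (not the post's or the SoloKeys project's code): the udev rule
# that lets a non-root user talk to the key, plus a check that a plugged-in key
# matches the IDs the rule targets.
# Assumption: a Solo in normal mode enumerates as USB 0483:a2ca (STMicro vendor
# ID). Verify with `lsusb` before relying on it.
SOLO_VID="0483"
SOLO_PID="a2ca"

# Print the rule. TAG+="uaccess" grants the logged-in user access to the hidraw
# node, which is what the solo CLI and the browser's FIDO code talk to.
# Install as /etc/udev/rules.d/70-solokeys.rules, then run
# `udevadm control --reload-rules && udevadm trigger` and replug the key.
solo_udev_rule() {
    printf '%s\n' "KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"${SOLO_VID}\", ATTRS{idProduct}==\"${SOLO_PID}\", TAG+=\"uaccess\""
}

# Given one line of `lsusb` output, return 0 if it describes a Solo key.
is_solo_lsusb_line() {
    case "$1" in
        *"ID ${SOLO_VID}:${SOLO_PID}"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count Solo keys in lsusb-style lines read from stdin.
# Real use: `lsusb | count_solo_keys`
count_solo_keys() {
    n=0
    while IFS= read -r line; do
        if is_solo_lsusb_line "$line"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample `lsusb` output so the check can be exercised offline.
SAMPLE_LSUSB='Bus 001 Device 003: ID 0483:a2ca STMicroelectronics Solo
Bus 001 Device 004: ID 1d6b:0002 Linux Foundation 2.0 root hub'

# Usage: printf '%s\n' "$SAMPLE_LSUSB" | count_solo_keys   (prints 1)
```

If the count is 0 while the key is plugged in, the IDs differ from the assumption above and the rule needs the ones `lsusb` actually shows; if the count is right but the CLI still fails, the rule has not been reloaded or the key was not replugged.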

Playing with the CLI and upgrading

The CLI was trivial to install (just a pip3 command), and just worked.

Let’s start simple:

$ solo ls
:: Solos
XXXXXXXXXXXX: SoloKeys Solo 2.5.3
YYYYYYYYYYYY: SoloKeys Solo 2.3.0

(The Xs and Ys are actually hex IDs; I’m not sure whether they are sensitive, so I masked them.)

Funny thing, they aren’t the same version despite arriving the same day. At least one of them definitely needs upgrading…

$ solo key update
Wrote temporary copy of firmware-3.1.1.json to /tmp/tmpuu88_p6j.json
sha256sums coincide: b9a8e6362f0ae9d04546a3e3c6bf9ebd83d1f426ad933a010cd50bb2098b6456
Switching into bootloader mode...
Could not switch into bootloader mode.  Please hold down the button for 2s while you plug token in.
$ solo key update
Not using FIDO2 interface.
Wrote temporary copy of firmware-3.1.1.json to /tmp/tmpq46qjpc5.json
sha256sums coincide: b9a8e6362f0ae9d04546a3e3c6bf9ebd83d1f426ad933a010cd50bb2098b6456
using signature version <=2.5.3
erasing firmware...
updated firmware 100%
time: 7.45 s
bootloader is verifying signature...
...pass!

Congratulations, your key was updated to the latest firmware version: 3.1.1
$ solo ls
:: Solos
209439A0384B: SoloKeys Solo 3.1.1

Ooh, major version!

Not sure what’s new but starting with an upgrade was probably a pretty good idea.
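Two keys arriving on the same day at different versions makes a quick "which of my keys are behind?" check worthwhile, especially with one key per family member. Here is an added shell example of mine (not part of solo-python) that parses the listing format `solo ls` prints above and reports the IDs of keys older than a target version; the listing it runs on is constructed from the post’s output plus an invented third key. In real use, pipe `solo ls` into `keys_below 3.1.1`.

```shell
#!/bin/sh
# Added example, not part of solo-python: list keys whose firmware is behind a
# target version, from the "<id>: SoloKeys Solo <version>" lines of `solo ls`.

# version_lt A B: return 0 when dotted version A (e.g. 2.5.3) is older than B.
# Assumes up to three numeric components; a missing third component counts as 0.
version_lt() {
    a=$1; b=$2
    a1=${a%%.*}; a=${a#*.}; a2=${a%%.*}
    case $a in *.*) a3=${a#*.} ;; *) a3=0 ;; esac
    b1=${b%%.*}; b=${b#*.}; b2=${b%%.*}
    case $b in *.*) b3=${b#*.} ;; *) b3=0 ;; esac
    if [ "$a1" -lt "$b1" ]; then return 0; elif [ "$a1" -gt "$b1" ]; then return 1; fi
    if [ "$a2" -lt "$b2" ]; then return 0; elif [ "$a2" -gt "$b2" ]; then return 1; fi
    if [ "$a3" -lt "$b3" ]; then return 0; fi
    return 1
}

# keys_below TARGET: read `solo ls` output on stdin, print one key ID per line
# for every key running something older than TARGET. Header lines such as
# ":: Solos" are skipped.
keys_below() {
    target=$1
    while IFS= read -r line; do
        case "$line" in
            *": SoloKeys Solo "*) ;;
            *) continue ;;
        esac
        id=${line%%:*}
        ver=${line##* }
        if version_lt "$ver" "$target"; then printf '%s\n' "$id"; fi
    done
}

# Constructed listing: the two keys from the post plus an invented up-to-date one.
SAMPLE_LS=':: Solos
XXXXXXXXXXXX: SoloKeys Solo 2.5.3
YYYYYYYYYYYY: SoloKeys Solo 2.3.0
ZZZZZZZZZZZZ: SoloKeys Solo 3.1.1'

# Usage: printf '%s\n' "$SAMPLE_LS" | keys_below 3.1.1
# (prints XXXXXXXXXXXX and YYYYYYYYYYYY, one per line)
```

The target version is whatever the latest release is at the time; the comparison is purely numeric, so it works for the 2.x to 3.x jump seen above as well as for patch-level bumps.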

Poking around with the CLI, I noticed a few interesting things:

  • It provides access to the key’s hardware TRNG. Not that I really needed that, but since I’ve got it, might as well use it!
  • It’s possible to set a PIN, which is then required for some of the operations.
  • The reset doesn’t require the PIN, and doesn’t downgrade the firmware.

$ solo key reset
Warning: Your credentials will be lost!!! Do you wish to continue? [y/N]: y
Press the button to confirm -- again, your credentials will be lost!!!
....aaaand they're gone

Ok, that was fun.

This all seems to work fine. Next step !

Android + Firefox support

This is where I get confused.

The documentation states that you need the Google Authenticator app, but I already have FreeOTP for these purposes, and I’m not really eager to add another Google app…

So let’s bluff it. Because why not?

So let’s add my keys to my GitHub account (Google is too tightly coupled to the Android ecosystem to be a reliable test), plug the key into my phone, try to log in… Well, bluffing was worth it!

Yeah, again. It just worked™, with a simple enough process to be used by basically anybody able to read.

(Figure: Android key validation process)

Ok ok, let’s try NFC. Surely, the app was just required for NFC, right ?

So let’s log out of GitHub, log in again, select NFC, allow turning on NFC in the process, tap the key on the back of the phone… GODDAMMIT, IT WORKS TOO!

Even better, the NFC was automatically turned back off.

Final hardware choice

I noticed the non-NFC model:

  • has a slightly longer plug (which allows plugging it into a phone despite the presence of a case)
  • is slightly narrower (which lets me plug it in easily next to my VGA plug without touching it; that’s not the case with the NFC model)

For these reasons, I ended up deciding to carry the non-NFC key with me, and keep the NFC back home as a backup.

Conclusion

Well, I’m impressed.

Last time I checked, getting a security key to work on Linux was painful, and phone support was basically a dream.

I’ll be looking into more advanced uses in the days to come, see what else I can do, and if difficulties arise. But at this point, I’m starting to wonder what could possibly go wrong.

In any case, I’m happy that I took one for each of my family members. Pretty confident they’ll be able to use them without any significant issues, at this point :)

That’s all for now. I guess I have a lot of websites to go enroll with those now!