A couple of weeks ago, I met with my friend Starbeamrainbowlabs to work on Freeside Linux Labs, a set of small introductory lessons to Linux for new students at the University. During the meeting, Starbeam pulled out what looked like a USB stick. I didn't take much notice but it soon became apparent that the USB wasn't a normal usb device.
"What's that?" I inquired.
"It's a Solo" Starbeam replied before giving me a demonstration of it's abilities.
As Starbeam demonstrated Solo and explained more about the Kickstarter (video above) and team behind it (they've created a similar project before - "U2F Zero"), my nerd sense started tingling. As an opensource enthusiast, the thought of having a security key which wasn't tied to any one proprietary provider just seemed like the perfect fit. Of course, there are other security keys but the issue is that proprietary standards usually lead to closed ecosystems or protocols as happened in the 80s/90s, which ultimately is bad for end users, and more expensive too.
Not only that, but I'd had 'password review', '2fa review' and 'encryption review' on my to-do list for some time. I don't think my security is 'bad' per say, but it could definitely be improved and Solo seemed to fit with my security plan, my ethos and the cyber security certification I'm moving towards. Winner all round.
After completing more study on Solokeys and FIDO2 protocol, I ordered Solo Tap - the security key with NFC, meaning it can simply be tapped on a phone to authenticate.
I ordered directly from the Solokeys website, despite third party vendors being available in Europe. I encountered some package tracking trouble during delivery, but the team at Solokeys followed up within a couple of hours, responding with an exact location.
A few days later, my Solo Tap arrived with a few silicon cases and some 'quick start' resources which inferred that Solo should effectively work out of the box which it did, baring a bit of setup on Linux and some configuration on Firefox which are my personal preferences and nothing to do with Solo.
Here's what I needed to do before using the key:
- Check for and get updates for the hardware via https://update.solokeys.com
- As I was running Linux on my laptop, I had to get the udev rules, see instructions here.
- Enable U2F in Firefox by typing "about:config" in the address bar, searching for u2f and then ensuring u2f is enabled.
After those three tasks were out of the way, I could move onto making my accounts safer with a security key. This works in the same way as two-factor authentication, but instead of texting a mobile number or getting an email, the user must authenticate a public key against a secret key. The secret key is unique in every Solo and cannot be duplicated or forcibly removed meaning that only the person with the Solo can authenticate, regardless of whether the public key is leaked.
A good use case for such authentication would be in a heavy data protection environment, say for example, an accountants or solicitors office. Each employee would be issued a Solo which could be managed by the I.T department or authentication system, such as Exchange. As the employees would have to authenticate with their Solo to access computer systems, for example via Windows Hello, it would be easier to trace who had access to data at the time of a breach and find holes in the system. Solo would also create accountability within the team because nobody would be able to deny having made errors.
Solo is quite cheap to, costing around £15 for the USB only version. In the UK, this may work out very well for businesses - especially those applying for Cyber Essentials certification because they would be able to demonstrate multi-layered authentication methods which ensure accountability within their business.
My Solo Tap is for personal use and I can say that I'm definitely enjoying ridin' Solo. If you'd like to read about Starbeamrainbowlabs experiences with Solo, check out their post.