Skip to main content

Google’s OpenSK project lets you build your own security key, hopes to drive innovation

Google in recent years has been all-in on security keys from making its own Titan line to introducing ones integrated with your existing Android and iOS phones. To spur innovation, Google today launched OpenSK — an open-source project that lets developers build their own security keys.

OpenSK is an open-source implementation for security keys that supports FIDO U2F and FIDO2 standards. This two-factor authentication method is highly resistant to phishing attacks. When signing in to an online account, the key-shaped dongle or fob must be physically present to confirm that it’s really you.

By opening up OpenSK as a research platform, our hope is that it will be used by researchers, security key manufacturers, and enthusiasts to help develop innovative features and accelerate security key adoption.

The goal of this project is to “help advance and improve access to FIDO authenticator implementations,” including innovating on “usability and human factors” that might pose barriers to wider adoption.

Google is letting developers build their own security key by flashing the OpenSK firmware on an off-the-shelf Nordic chip dongle that costs $10. The hardware features NFC, Bluetooth Low Energy, and USB-A with a dedicated hardware crypto core. Google is also providing a custom, 3D-printable case to protect and carry the key.

Google notes how you can build a “fully functional FIDO authenticator” with OpenSK, but emphasizes that the experimental project is for “testing and research.”

Under the hood, OpenSK is written in Rust and runs on TockOS to provide better isolation and cleaner OS abstractions in support of security. Rust’s strong memory safety and zero-cost abstractions makes the code less vulnerable to logical attacks. TockOS, with its sandboxed architecture, offers the isolation between the security key applet, the drivers, and kernel that is needed to build defense-in-depth. Our TockOS contributions, including our flash-friendly storage system and patches, have all been upstreamed to the TockOS repository.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel



Avatar for Abner Li Abner Li

Editor-in-chief. Interested in the minutiae of Google and Alphabet. Tips/talk: