Burn a Physical Security Key to Access Your Google Accounts Securely
Rubens Zimbres, Ph.D.
ML Engineer, Gen AI, Sec+, Google Developer Expert in AI/ML and Google Cloud
In this article I will explain how to build your own physical security key using an nRF52840 Dongle from Nordic Semiconductor to securely access your Google and Google Cloud accounts. There are many ways to get 2FA (two-factor authentication), for instance by confirming your login on your phone. However, if the phone is stolen or hacked, you may have a problem, and a one-time code typed into a fake login page is simply forwarded to the real site by the phisher. A FIDO security key does not have that weakness: the signature it produces is bound to the website's origin, so it is useless to a look-alike domain.
Since 2018 Google has offered the Titan Security Key, seen below. In fact I tried to set up my key in 2019, but the documentation was still lacking some info and I failed. The Titan Security Key is a phishing-resistant two-factor authentication (2FA) device that helps protect high-value users; it works with popular devices, browsers, and a growing set of apps that support FIDO standards, and it is built with a hardware chip (with firmware engineered by Google) to verify the integrity of the key. These keys are only available in Austria, Canada, France, Germany, Italy, Japan, Spain, Switzerland, the UK, and the US. However, I'm from Brazil and these keys are not available in the Google Store there.
So, I will show how you can build your own security key from scratch. The first step is buying your dongle. In my case, I used the nRF52840 Dongle from Nordic Semiconductor, seen below. It costs less than 25 USD. As you will see at the end of this article, buy TWO dongles: you need to have a backup.
I did this setup on Linux, but Windows is also supported. On Ubuntu, download and install nRF Connect for Desktop, available at https://www.nordicsemi.com/Software-and-Tools/Development-Tools/nRF-Connect-for-desktop. Start it by running:
./nrfconnect-3.11.1-x86_64.appimage
Then, in Apps, install the Getting Started Assistant. It lists the build dependencies of the nRF Connect SDK (system packages, not Python libraries), which we install with apt:
sudo apt-get install git wget libncurses5 cmake ninja-build gperf ccache dfu-util
[ $(apt-cache show device-tree-compiler | grep '^Version: .*$' | grep -Po '(\d.\d.\d+)' | sed 's/\.//g') -ge '146' ] && sudo apt-get install device-tree-compiler || (wget https://mirrors.kernel.org/ubuntu/pool/main/d/device-tree-compiler/device-tree-compiler_1.4.7-1_amd64.deb && sudo dpkg -i device-tree-compiler_1.4.7-1_amd64.deb)
sudo apt-get install python3-pip python3-wheel xz-utils file make gcc-multilib
Then, create a directory, download the gn build tool into it, and add it to your PATH:
mkdir ${HOME}/gn && cd ${HOME}/gn
wget -O gn.zip https://chrome-infra-packages.appspot.com/dl/gn/gn/linux-amd64/+/latest
unzip gn.zip
rm gn.zip
echo 'export PATH=${HOME}/gn:"$PATH"' >> ${HOME}/.bashrc
source ${HOME}/.bashrc
After that, install west with pip:
pip3 install --user west
Then, clone the SDK repositories with west and install the additional Python dependencies:
mkdir ncs
cd ncs
west init -m https://github.com/nrfconnect/sdk-nrf
west update
west zephyr-export
pip3 install --user -r zephyr/scripts/requirements.txt
pip3 install --user -r nrf/scripts/requirements.txt
pip3 install --user -r bootloader/mcuboot/scripts/requirements.txt
Then, download JLink_Linux_V770_x86_64.deb from https://www.segger.com/downloads/jlink/ and install it:
sudo dpkg -i ./JLink_Linux_V770_x86_64.deb
Insert the nRF52840 Dongle into a USB port on your computer and check that it is recognized by running lsusb. The status light (LD2) starts pulsing red, indicating that the dongle is powered up and in bootloader mode.
Now let's go to the OpenSK GitHub page, whose README begins:
"In order to compile and flash a working OpenSK firmware, you will need the following:"
We install those prerequisites one by one. First nrfutil, which drives the dongle's DFU bootloader, then the OpenSK source, then Rust via rustup.
python3 -m pip install --user --upgrade pip
python3 -m pip install --user nrfutil
git clone https://github.com/google/OpenSK.git
cd OpenSK
Rustup is the most critical part, and can be installed with these commands:
wget https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init
chmod +x ./rustup-init
./rustup-init
Test the installation:
cargo new hello_world
In the tutorials they tell you to run this line of code, but it didn't work for me:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
You can also use snap. Snap says it can break your system, but I took the risk:
sudo snap install rustup --classic
One last trick: find the file Cargo.toml, remove the line resolver = "1" and add the line cargo-features = ["resolver"]; otherwise the setup won't be able to fetch the dependencies from their sources.
Now, still in the OpenSK folder, run:
./setup.sh
Additionally on Linux, you need to install a udev rule file to allow non-root users to interact with OpenSK devices:
sudo cp rules.d/55-opensk.rules /etc/udev/rules.d/
sudo udevadm control --reload
Last, if you want to use U2F or attestation, configure the attestation certificate and its private key:
./tools/configure.py \
--certificate=crypto_data/opensk_cert.pem \
--private-key=crypto_data/opensk.key
The private key is provisioned onto the dongle, so treat crypto_data/opensk.key as a secret: keep it out of version control and out of any backup you share. For more on the cryptographic material OpenSK uses, see the OpenSK repository documentation.
Good, now we can burn the dongle:
./deploy.py --board=nrf52840_dongle_dfu --opensk --programmer=nordicdfu
The script tells you what to do: insert the dongle and switch it to DFU mode by keeping the white button pressed while inserting it, then press Enter.
Done. As far as I can remember, when you successfully burn the dongle, the green light comes on:
If you made a mistake along the way, it won't burn properly; then you have to reset the dongle with the silver button, as seen below, and run deploy.py again:
Now we will test the security key. Go to https://webauthn.io/
Enter your username, insert the security key into the USB port and click Login. At this point the green and blue lights blink alternately, and it's time to physically press the white button to confirm the login.
You will get this webpage and the dongle light will switch off:
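What happened behind that button press, and why it is phishing-resistant, is worth seeing in code. The following is an added example, not code from the article or from OpenSK: a toy relying party (standing in for webauthn.io or Google) that checks a WebAuthn login assertion the way a real server does, next to a simulated browser-plus-dongle that produces it. It assumes a constructed relying party "webauthn.io", a constructed phishing site "https://webauthn-io.example", a freshly generated P-256 credential key, and a plain-equality RP ID check (real RPs also accept registrable-domain suffixes). ECDSA is implemented on the standard library only so the block runs offline; it is not constant-time and is for illustration.

```python
"""Added example: what the relying party verifies in a WebAuthn assertion."""
import base64
import hashlib
import json
import secrets

# NIST P-256 parameters (the ES256 curve FIDO2 keys such as OpenSK use).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication (demo only, not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def ecdsa_sign(d, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = point_mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return (r, s)


def ecdsa_verify(q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    w = pow(s, -1, N)
    pt = point_add(point_mul(z * w % N, G), point_mul(r * w % N, q))
    return pt is not None and pt[0] % N == r


def _b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def get_assertion(priv, rp_id, origin, challenge, counter):
    """Browser + dongle side of 'press the white button'. The browser, not the
    web page, fills in origin and rpId; the key then signs over both."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": _b64url(challenge),
                              "origin": origin}, separators=(",", ":")).encode()
    # authenticatorData = rpIdHash(32) || flags(1, bit 0 = user present) || signCount(4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + counter.to_bytes(4, "big")
    sig = ecdsa_sign(priv, auth_data + hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(pub, rp_id, origin, challenge, last_counter, client_data, auth_data, sig):
    """Relying-party checks, in the order a server would reject."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != _b64url(challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != origin:
        return False, "origin mismatch"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    if int.from_bytes(auth_data[33:37], "big") <= last_counter:
        return False, "signature counter did not increase (cloned key?)"
    if not ecdsa_verify(pub, auth_data + hashlib.sha256(client_data).digest(), sig):
        return False, "bad signature"
    return True, "ok"


def demo():
    priv = secrets.randbelow(N - 1) + 1          # constructed credential key
    pub = point_mul(priv, G)
    rp, origin = "webauthn.io", "https://webauthn.io"
    challenge = secrets.token_bytes(32)          # issued by the RP for this login
    out = {}
    # 1. Honest login on the real site (RP last saw counter 4).
    out["legit"] = rp_verify(pub, rp, origin, challenge, 4,
                             *get_assertion(priv, rp, origin, challenge, 5))
    # 2. Phishing proxy relays the real challenge; the browser binds the
    #    assertion to the phishing origin instead.
    phish = get_assertion(priv, "webauthn-io.example", "https://webauthn-io.example", challenge, 6)
    out["phish"] = rp_verify(pub, rp, origin, challenge, 4, *phish)
    # 3. Attacker rewrites origin and rpIdHash to the real values: the
    #    signature covered the originals, so it no longer verifies.
    patched_cd = phish[0].replace(b"https://webauthn-io.example", origin.encode())
    patched_ad = hashlib.sha256(rp.encode()).digest() + phish[1][32:]
    out["patched"] = rp_verify(pub, rp, origin, challenge, 4, patched_cd, patched_ad, phish[2])
    return out


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:8s} accepted={ok} ({why})")
```

Running demo() accepts the honest login and rejects both attacker cases. The relayed assertion fails on the origin (and, had the origin been patched, on the rpIdHash and then the signature), which is exactly the property an SMS or TOTP code lacks: there is nothing the user can type or approve that works on the wrong domain. The signature-counter check is the reason the article's advice to keep a backup key, rather than a copy, is the right one: a cloned key would produce counters the RP has already seen.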
Now, time to Login at Google:
Remove the dongle. Now enroll your security key at https://myaccount.google.com/signinoptions/two-step-verification?flow=sk&opendialog=addsk. Enter your password and choose USB:
Press Forward, insert the dongle, press the white button and you are done!
Now you can remove the less safe 2FA methods. Enroll your second (backup) dongle before you do, so that a lost or broken key does not lock you out. For more on using a security key for 2-Step Verification, see Google's help page on the topic.
You can also join Google's Advanced Protection Program, which safeguards users with high visibility and sensitive information, such as whistleblowers and journalists, from targeted online attacks. New protections are automatically added to defend against today's wide range of threats.
The program is free, and its features are described on the program's page. Google recommends enrolling with their own key, the Google Titan Security Key, or with any FIDO-compliant security key. They recommend two: one as your main key and one as a backup.
Happy Hacking !