Other than that, great idea. It's how PayPal started.
Without having the funds for injection/pressure molding, I haven't been able to find a good solution. Maybe there are cost effective services that would work like PCB potting or overmolding.
One service that I found that looks promising is Cavist:
But I haven't gone down this route or found someone that has. I might do this later on.
[1] https://www.aliexpress.com/item/1-pcs-szomk-white-small-usb-...
http://www.digikey.com/product-detail/en/bud-industries/USB-...
It looks rather cute! See: https://blog.adafruit.com/2011/03/04/part-finder-friday-clea...
Board respin required... either position the button so you squeeze the enclosure to press the button (it flexes a bit), or drill a small hole (use a jig to get the drill bit in the right location).
Enclosure companies will also customize/drill holes for you, but it's probably easier for you to just DIY!
I've seen people do things like this at TechShop. They carve a positive mold out of maybe a dense wood. Then use that to make a negative mold out of some pourable plastic like RTV. Then insert the device, pour in epoxy, and wait for it to cure. The negative molds wear out fast, but you can make more from the positives. There are lots of plastic options and books on this stuff. People use these processes to turn out stuff to sell on Etsy. All this is doable, but usually messy.
Still, struggling through the process to have an MVP to show resellers is worth the trouble. If you get a big order, you can go out to Cavist or someone like them and have them produce in volume.
You might even be able to get away with not cutting out a hole for the button, as it could be activated through the flexible tubing.
http://runawaybrainz.blogspot.co.uk/2012/04/audio-crystal-cm...
But don't send the job to China, or your device will be copied, cheaper.
Polycase might be a good place to start once you sell out. They sell generic cases and will quote you on modifications to their existing USB case.
After that (if you continue to sell out), you're probably a real business. Keep the domestic machine running and hop over to China to explore driving costs down. Probably explore what type of software/service might complement your hardware to drive recurring revenue. Create custom single unit packaging and bulk delivery packaging for consumer selling and business selling.
Btw, all U2F services allow you to fall back to phone 2FA if you're on an unsupported device.
Especially the button, which makes it very hard for a remote attacker to get anything from the U2F token.
How many apps are on your phone? How secure is the software stack? Kernel? Hardware? Drivers? If android, how good is your manufacturer + cell provider at distributing the latest updates? Can you prove that an app can't see the screen and send a touch event?
Also generally it's faster to hit the single button on a U2F widget than it is to do anything with a smartphone.
>Well, of course there are always tradeoffs. The biggest one right now is that Google Chrome is the only major browser that supports U2F.
>Because it requires browser support to act as an intermediary between the website and the security key, you can only use it if the browser supports it.
>Mobile is also an issue, as they don't have USB ports!
>Some YubiKeys support U2F via wireless NFC, but support for this in mobile phones is very limited at the moment.
It looks like it's a dev board, the kind of thing I'd get on SparkFun or whatever, but I get the impression it's a consumer product. Do I plug it into my computer, and it runs software? Do I press the button, then it blinks out a password via LED at me? Does it connect via Bluetooth to... something? Who writes the local software? You? Google? Me?
I love your write-up and I dig your hustle, but I think the final 10% "polish" is the missing piece here! Good luck!
Yubico has a good explanation:
https://www.yubico.com/products/yubikey-hardware/fido-u2f-se...
It's the same as any other U2F token. You register it with a service that supports U2F (Google, Github, Duo, etc.) and then present the token and press the button upon logging in later.
No software or drivers needed. It's an HID device so all normal operating systems will support it.
"It's the same as any other U2F token" is meaningless to a rather significant proportion of humanity.
Unlike the OTP token you're describing, a U2F device is effectively stateless. And unlike an OTP token, its signing mechanism is resistant to phishing. Finally, a U2F device is not a HID keyboard, contrary to your other comment on this page. But it is a HID-compliant device.
You should pursue this product -- you have huge possibilities here.
You heard of a company called Security Dynamics? They invented the little token with ever-changing 6-digit numbers that you have to enter to login to your remote office computer. You probably know it today as the RSA SecurID[1]. They created a billion-dollar market and made the founders fabulously rich.
I know that there are other U2F products out there, but you can make yours unique, different in some way, or targeted to different market. Or just compete as an alternative to the larger companies making U2F keys (which are not really that large yet anyway).
Surely continuing this product is better than the "working in government" job you're seeking.
[1] https://upload.wikimedia.org/wikipedia/commons/3/33/RSA-Secu...
I think there's a lot of neat improvements you can make on 2FA products for different markets. But it's kind of at the point where if I wanted to continue working on a better 2FA token, I would have to get funding and do it full time. Although it's always tempting, I'm not sure I want to "cash out" of school and regular life just yet.
Also if I don't work in government I'd be in a lot of debt to pay back school. So that's an additional hurdle.
I actually have a new batch of prototypes and I'm just putting the finishing touches on my e-commerce code (I'm using Stripe and Easypost rather than Amazon). The plan is to finish that tonight and start taking orders again on Monday.
Care to explain why would I want one?
Thanks!
Of course, it doesn't actually do most of those things yet (working on getting the bugs out of the U2F code right now), which is why right now it's just a toy for hackers and devs. But the apps are coming.
Edit: Can I also use this as 2FA for SSH/Desktop login on my Arch install? I've never done 2FA but I've always wanted to.
If this stores GPG, then you could do SSH as well. Edit: Reading the comments, looks like it only does core U2F, so no SSH for sure. I'm not sure if there is a U2F module for PAM yet.
The OP key looks pretty barebones; I wouldn't expect it to generate/store/use SSH or PGP private keys. That's more like a YubiKey 4 or similar more expensive widgets that are basically smartcards and/or HSMs.
There is a U2F PAM module that can allow you to use a U2F widget for screen unlock, login, sudo and the like. If you are worried about the U2F dying/being stolen/lost, then you could always authorize more than one U2F widget and keep one in a safe place.
I've been toying with the idea of buying a dock for my ThinkPad and using it as my main system, retiring my current low-powered desktop as a server.
My main concern is that, since I keep important docs on my system, I'd now be carrying them with me. Doing 2FA for hard drive decryption and system login would be amazing for me, since then I'd be able to know that even if my computer is stolen the "attacker" won't really have the means to log in.
"This item does not ship to Australia"
<sad face>
https://www.stavros.io/posts/making-gsm-board/
Conor, can you detail how the assembly is done a bit? I've made a few boards with KiCAD but I have no idea how to go from bare PCB to assembled PCB, especially for such low cost as yours.
I went to PCBcart but counting all the items on my board was a hassle, and I got a cost of $38 per board for a run of ten, which sounds too expensive. Besides that, how do you even export the BOM from KiCAD? It doesn't come with a plugin by default.
A few details or a post on how to go from PCB design to assembled board would be very useful, at least to me.
Assembly depends on the service you end up using. For PCBCart, I think I just ended up filling out their template BOM manually. Not much of a hassle since I only have 8 parts. I just had to match the component references on the PCB to the BOM, count the number of pins, provide part number, etc. They figured everything else out, just a question or two on part polarities.
Yeah, getting boards assembled for small volumes will likely not be cost effective. You can mess around with online quote tools to get an idea of whether it'd be worth it or not. Using parts with pins that extend out from the package (rather than underneath) will always be more cost effective. Fewer pins is cheaper too.
Huge thank you to Conor for building this whole thing and open sourcing it and even providing links to pre-fab PCBs. Incredible work. Also the PCBs look really cool.
I think I'll buy a few to go along with the one I just made... :)
You will have to test for solder bridges between pins, and maybe use some solder wick to get any excess out.
It's not super fast, but it's absolutely doable with an hour or two of practice. Solder paste and a heat gun is the next step up, which I find more difficult to get right (I'm bad at applying the paste).
Is getting the 2 day shipping a function of just price of the item or something else?
I wonder because the most direct competitor
https://www.amazon.com/HyperFido-K5-FIDO-U2F-Security/dp/B00...
gets the 2 day shipping and is only a few dollars more.
The difference between $8 and $10 is nothing really; if I were shopping for one of these and saw yours for the same price I would buy it because I like the exposed/no case design (and I think a lot of the "early adopter" people buying these tokens for personal use would be the same). So maybe you should bump the price up a bit.
[0] https://www.yubico.com/products/yubikey-hardware/yubikey4/
Since it is USB based, it should technically go through USB-IF interoperability testing, if he wants to use the USB logo. Though actually it looks like he has a VID/PID allocated from SiLabs for this, which is already way better than a lot of inexpensive USB products.
FIDO U2F also has a $10k certification process to allow you to use the FIDO logo. I don't think it's worth pursuing for me.
Something like: http://www.mgchemicals.com/products/conformal-coatings/acryl...
It also waterproofs the board, which is a bit more useful.
Cool.
Still, cool.
Best of luck, hope you make your money back and get a nice kicker in the end to fund a few late night college parties.
Your imposter syndrome is showing! Designing and building a tool like this and selling it qualifies you as an entrepreneur.
Get a low-cost marketing channel going (or improve your margins to make other marketing options feasible) and see how far you can run with this.
Thanks for the interesting read.
You might also want to add some keywords like "fido usb yubikey" to your product page too.
One thing to note, on your site https://u2fzero.com/ there's around 50 line break tags at the bottom. Shows an entire screen of white space for me :|
Edit: For auth on a phone / small device, could you make a version with a miniusb plug?
Just pondering - did you disable JTAG on these devices before distributing them?