EYE on NPI – Authentrend FIDO Biometric Security Keys

This week's EYE ON NPI will be your loyal friend like a pet dog - it's Authentrend FIDO2 Biometric Security Keys (https://www.digikey.com/en/product-highlight/a/authentrend/fido-biometric-security-keys). These FIDO2 compatible USB dongles have an absolutely adorable built-in fingerprint sensor on the end, which means they have an additional layer of security in addition to ownership: you also need to have the matching fingerprints. This is great when you want to secure something with 2 or 3 factors (https://en.wikipedia.org/wiki/Multi-factor_authentication) and possibly without having to have folks remember or change passwords. Historically, authentication was done with just a username and password . But, as we've all learned, usernames and passwords can be guessed or stolen or hacked! Some folks have two-factor time-based code cards (https://www.eff.org/deeplinks/2016/12/how-enable-two-factor-authentication-paypal), apps (https://support.google.com/accounts/answer/1066447?hl=en&co=GENIE.Platform%3DAndroid) or SMS messages which add "something you own" to the list. FIDO/U2F cards have been around as a USB-based authentication system for a bit, and they're slowly gaining traction through an open standard which makes it easy to integrate with web or desktop applications. (https://fidoalliance.org/fido2/) We're huge fans of moving all of your security risk to hardware like these, that abide by open standards - it's very hard to create a secure hardware device. Firmware, storage, even when encrypted, is not often crackable or glitchable (https://blog.securityinnovation.com/glitching-firmware-over-usb-using-facewhisperer). Using an external dongle gives you a hermetically sealed challenge-response system from a company that does only one thing. because the private keys are stored in the hardware, you don't have to store them on device in firmware. These come in a few different mechanical shapes and flavors, including USB A fingerprint key (https://www.digikey.com/en/products/detail/authentrend-technology-inc./ATKEY.PRO-TYPE-A/15761935), USB C fingerprint key (https://www.digikey.com/en/products/detail/authentrend-technology-inc./ATKEY.PRO-TYPE-C/15761936), and a keycard that has NFC, BLE and a USB-A flip-out (https://www.digikey.com/en/products/detail/authentrend-technology-inc./ATKEY.CARD/15761933) We were able to get our fingerprint entered into the dongle using Windows 10's key manager, then used the same dongle to add 3-factor authentication to our Google account. Of course you probably want to use it for non-website projects too! You can interface with the security dongle very easily using the python-fido2 library (https://github.com/Yubico/python-fido2), which means any embedded Linux/single board computer will be able to have trusted authentication added with USB. This could be a very inexpensive and fast way to add trusted authentication for your product without having to hire a cryptographer. There are plenty of Authentrend ATKEY.PRO TYPE-A (https://www.digikey.com/short/p3t50d14) in stock at Digi-Key right now, that's the one we've been using the most, but do check out the other variants as well, such as the USB C, if your computer has type C ports (https://www.digikey.com/short/p3t50d14). Order one for each user today, knowing that the FIDO2 standard will mean easy and trustworthy deployment for many years! See more at https://www.youtube.com/watch?v=11UfySDn7_I