This idea is interesting to me because hell making my own stuff is fun. I have access to quite a few usb keys already so technically I might have the material available. Also my threat model is pretty low so I’m interested in security mostly for fun.

Most methods I have found talk about making a key to secure a computer but I would really like to make something that would do WebAuthn.

There is a neat Git project that shows how to turn a few specific devices into 2FA code prompters/automatic fillers. But in my naive mind that falls short of what I would truly wish to be able to accomplish ie. Stock USB --> WebAuthn/Passkey device.

Has anybody seen anything on the subject?

  • @dngrayM
    link
    English
    4
    edit-2
    1 year ago

    Generally we’d say no, not really, and certainly not with the highest security.

    The whole point of a security key is that it is supposed to be impossible to extract the key material, that simply isn’t going to be the case for a DIY solution. They have shields, and light sensors to prevent decapping/forensic inspection.

    Recommend taking a look at this: https://duo.com/labs/research/microcontroller-firmware-recovery-using-invasive-analysis