Case. Must have case. A bare board is not a consumer product. Consider just dipping the thing in Plasti-Dip, without submerging the connector. For a better feel, put the button on the solder side side, and put a thin piece of plastic U-channel sized to fit the board over the component side to give it a flat surface. Then Plasti-Dip. No custom injection molding, and the user can still push the button through the Plasti-Dip.
Other than that, great idea. It's how PayPal started.
I agree. The problem is trying to do this at scale. I don't want to do it myself as it would be too time consuming and messy.
Without having the funds for injection/pressure molding, I haven't been able to find a good solution. Maybe there are cost effective services that would work like PCB potting or overmolding.
One service that I found that looks promising is Cavist:
Here's an option. There are companies in China which sell standard enclosures for USB plug-in devices. They'll even throw in a color of your choice and a sticker. You'd have to redesign your board to fit their case, but that may be a lot easier than dealing with encapsulation.[1]
The problem is that the U2F specification requires users to approve authentication requests by pressing a button and none of the existing enclosures have a space for one. Entirely coincidentally, the company behind it (Yubico) already had a design with a button because their original second-factor proposal had no other way of knowing you want to authenticate. It's a little pointless on U2F but the spec requires it.
board respin required...either position the button so you squeeze the enclosure to press the button (it flexes a bit), or drill a small hole (use a jig to get the drill bit in the right location
enclosure co's will also customize/drill holes for you but its probably easier for you to just diy!
Oh, nice solution. I thought he'd have to order USB device enclosures from China, but these are from Bud Industries in Ohio, the classic maker of electronic enclosures for 80 years, and orderable from Digi-Key. (That means the parts will be good quality and they will show up on time.) Get a custom sticker printed, and you'll have a good MVP.
Good idea, but I see ads in that sector saying "Molds start at $4990".
I've seen people do things like this at TechShop. They carve a positive mold out of maybe a dense wood. Then use that to make an negative mold out of some pourable plastic like RTV. Then insert the device, pour in epoxy, and wait for it to cure. The negative molds wear out fast, but you can make more from the positives. There are lots of plastic options and books on this stuff. People use these processes to turn out stuff to sell on Etsy. All this is do-able, but usually messy.
Still, struggling through the process to have an MVP to show resellers is worth the trouble. If you get a big order, you can go out to Cavist or someone like them and have them produce in volume.
One super cheap idea that might be worth considering: clear shrink tubing. You could put whole trays of them at a time in your oven, just make sure the tubing is the right length and lined up right.
You might even be able to get away with not cutting out a hole for the button, as it could be activated through the flexible tubing.
Look for someone who's already encapsulated USB devices. They might be able to reuse an existing mold. That business is all tooling cost; per-unit cost is tiny.
But don't send the job to China, or your device will be copied, cheaper.
Honestly I think you're fine right now. Think of this initial run as a market test. If you end up selling out your entire stock, tell friends and family that you need a small loan and work with someone domestic to get your enclosure done.
Polycase might be a good place to start once you sell out. They sell generic cases and will quote you on modifications to their existing USB case.
After that (if you continue to sell out), you're probably a real business. Keep the domestic machine running and hop over to China to explore driving costs down. Probably explore what type of software/service might complement your hardware to drive recurring revenue. Create custom single unit packaging and bulk delivery packaging for consumer selling and business selling.
+1 on the case being a must have. I'll put some shrink tube over the ones I just ordered to keep them from getting banged up. Looking forward to trying it out in a few days.
It's serious, but there's the possibility that Plasti-Dip might get into the interior of the button and insulate it so it doesn't work. You need sealed buttons. Some surface-mount buttons are sealed.[1] Many are not. I was thinking more from the point of view of what simple manufacturing step could the maker add to package the thing. Shrink-tube sounds good, although it might hold the button down if shrunk too hard.
The sealed switches sound like good idea for the plastic dip.
I've done the heat shrink before with good success. If the button gets depressed by the tubing a quick cut with a craft / xacto knife around the button works well.
I'm not trying to make it water proof, just survive being banged around by all the pens / keys / USB / cables / power blocks / change / assorted other detritus that lives in the pockets of my computer bag.
Seems good, let these guys sell it as cheap as they can. If you want a coat buy Sugru when you order this thing, and have your case in any colour and shape.
> I am not actually concerned with financial success or growth. The nice thing about this project is I can just let it sit and I don’t need to maintain anything – leaving me time to move on to the next project.
You should pursue this product -- you have huge possibilities here.
You heard of a company called Security Dynamics? They invented the little token with ever-changing 6-digit numbers that you have to enter to login to your remote office computer. You probably know it today as the RSA SecurID[1]. They created a billion-dollar market and made the founders fabulously rich.
I know that there are other U2F products out there, but you can make yours unique, different in some way, or targeted to different market. Or just compete as an alternative to the larger companies making U2F keys (which are not really that large yet anyway).
Surely continuing this product is better than the "working in government" job you're seeking.
I think there's a lot of neat improvements you can make on 2FA products for different markets. But it's kind of at the point where if I wanted to continue working on a better 2FA token, I would have to get funding and do it full time. Although it's always tempting, I'm not sure I want to "cash out" of school and regular life just yet.
Also if I don't work in government I'd be in a lot of debt to pay back school. So that's an additional hurdle.
I think you're being very sensible about this. As the parent poster says, you need to have a distinguishing feature if you want to turn this into a product to compete with e.g. Yubikey. But as a resume/CV for getting you a job? It's fantastic. Bring it to interviews. Show it to people at trade shows. Get an embedded systems or electronics job. Profit.
Great work, Connor. I have spent considerable time thinking about the federal student loan forgiveness you're referring to. I'd love to share. Email me at mike at medcrypt dot co if you're interested.
Honestly, you probably got downvoted because federal student loan forgiveness (which I didn't see Conor mention anywhere) sounds an awful lot like like spam and off-topic. However, your email with 'crypt' in it seems that you're at least partly on topic and your addressing the OP by first name shows that at least you're not a bot (or perhaps a very smart bot) :) I upvoted you for the benefit of the doubt anyway.
Thanks. Definitely not a bot. Although if we are all living in a simulation, I guess my counsiousness could be resulting from a hacked CCTV cpu. Difficult to disprove.
Also, Connor mentioned in a comment that he needs to work for a government agency due to a student loan / grant situation. Should have responded there I guess.
Looks good. Consider applying a conformal coating at the end. It will provide a lot of protection from general handling and riding around on a keychain, and preserve the 'raw PCB' look.
Conformal coating also has the bonus advantage that it fluoresces and looks awesome under UV light (and sometimes even just from the UV from sunlight).
It also waterproofs the board too, which is a bit more useful.
Conor, can you detail how the assembly is done a bit? I've made a few boards with KiCAD but I have no idea how to go from bare PCB to assembled PCB, especially for such low cost as yours.
I went to PCBcart but counting all the items on my board was a hassle, and I got a cost of $38 per board for a run of ten, which sounds too expensive. Besides that, how do you even export the BOM from KiCAD? It doesn't come with a plugin by default.
A few details or a post on how to go from PCB design to assembled board would be very useful, at least to me.
Assembly depends on the service you end up using. For PCBCart, I think I just ended up filling out their template BOM manually. Not much of a hassle since I only have 8 parts. I just had to match the component references on the PCB to the BOM, count the number of pins, provide part number, etc. They figured everything else out, just a question or two on part polarities.
Yeah getting boards assembled for small volumes will likely not be cost effective. You can mess around with online quote tools to get an ideal if it'd be worth it or not. Using parts with pins that extend out from the package (rather than underneath) will always be more cost effective. Less pins is cheaper too.
At the risk of sounding like a complete schmuck - how do I actually use this?
It look like it's a dev board, the kind of thing I'd get on SparkFun or whatever, but I get the impression it's a consumer product. Do I plug it into my computer, and it runs software? Do I press the button, then it blinks out a password via LED at me? Does it connect via bluetooth to.. something? Who writes the local software? You? Google? Me?
I love your write-up and I dig your hustle, but I think the final 10% "polish" is the missing piece here! Good luck!
It's the same as any other U2F token. You register it with a service that supports U2F (Google, Github, Duo, etc.) and then present the token and press the button upon logging in later.
No software or drivers needed. It's an HID device so all normal operating systems will support it.
That's not correct. A U2F device cryptographically signs signed challenges with a key that never leaves the device. (Yes, it signs a signed challenge. That's not a typo.) The issuer of the challenge verifies both signatures to confirm that the user possesses the device and that the issuer genuinely issued the challenge embedded in the signed response.
Unlike the OTP token you're describing, a U2F device is effectively stateless. And unlike an OTP token, its signing mechanism is resistant to phishing. Finally, a U2F device is not a HID keyboard, contrary to your other comment on this page. But it is a HID-compliant device.
I actually have a new batch of prototypes and I'm just putting the finishing touches on my e-commerce code (I'm using Stripe and Easypost rather than Amazon). The plan is to finish that tonight and start taking orders again on Monday.
Think of it as an Arduino for security. I can be programmed to act like a U2F token, a bitcoin wallet, secure storage for ssh keys, etc. A future version will have a second USB port so it can turn a regular USB thumb drive into an encrypted drive, act as a "USB condom" between your computer and a suspect USB device, or turn a regular keyboard into a smart keyboard that can generate and play back secure passwords. Because it has local I/O (a display and two buttons) it can do all of these things while remaining secure against an adversary that pwns the machine it is plugged in to. And because it uses stock hardware and is user-programmable you can be fairly confident that it doesn't have any back doors built in to it.
Of course, it doens't actually do most of those things yet (working on getting the bugs out of the U2F code right now) which is why right now it's just a toy for hackers and devs. But the apps are coming.
I started soldering one of these one night (ordered enough parts for 9 of them) and realized that these things are really, REALLY tiny. Even with a magnifying glass, it's hard to even tell where the pins are, but I got about half of it soldered.. looking forward to the other half. :)
Huge thank you to Conor for building this whole thing and open sourcing it and even providing links to pre-fab PCB's. Incredible work. Also the PCB's look really cool.
I think I'll buy a few to go along with the one I just made.. :)
It's not too hard if you have a proper PCB with solder resist. The surface tension of the solder causes it too glob onto your part's pins and the pads below them. The solder resist is really key here, or else it's essentially impossible.
You will have to test for solder bridges between pins, and maybe use some solder wick to get any excess out.
It's not super fast, but it's absolutely doable with an hour or two of practice. Solder paste and a heat gun is the next step up, which I find more difficult to get right (I'm bad at applying the paste).
If you're using solder paste the trick is to get a stencil along with your PCB. It has holes where solder should be applied which you place over the PCB, smear the whole lot with solder paste, and then drop the components into place. You've now got solder exactly where you need it and nowhere else.
I find stencils hard to use ... I always end up smearing them when removing the stencil.
Mind you, I have pretty minimal experience, so maybe I just need to try more and get the hang of it. Unfortunately without owning a hot air gun or reflow oven, I'll just keep avoiding bga parts and doing everything else with an iron.
It seems like the price is too low, if your actual margin is only 25%. As a customer I would also be concerned about how to carry it without damaging it, given that there's no case. Do you have any recommendations?
You might also want to add some keywords like "fido usb yubikey" to your product page too.
gets the 2 day shipping and is only a few $'s more.
The difference between $8-10 is nothing really, if I was shopping for one of these and saw yours for the same price I would buy it because I like the exposed/no case design (and I think a lot of the "early adopter" people buying these tokens for personal use would be the same). So maybe you should bump the price up a bit.
Not really sure exactly what you mean, but unless I'm mistaken, all FBA items have all shipping methods Amazon offers, since they're being shipped from Amazon's warehouses just like all of Amazon's products.
Really great writeup man, and for a good cause too. I've done something remarkably similar but solely for myself, and it's great to see someone going one step further.
Best of luck, hope you make your money back and get a nice kicker in the end to fund a few late night college parties.
For my yubikey, I've got a couple of scripts that kill and boot my i3lock when I plug and unplug it. I haven't setup desktop login on it though, because that would be too risky for me.
If this stores GPG, then you could do SSH as well. Edit: Reading the comments, looks like it only does core U2F, so no SSH for sure. I'm not sure if there is a U2F module for PAM yet.
Generally U2F widgets don't run code or have any extra functionality unless they specifically mention it.
The OP key looks pretty barebones I wouldn't expect it to generate/store/use ssh or pgp private keys. That's more like a yubi key 4 or similar more expensive widgets that are basically smartcards and/or HSMs.
There is a U2F pam module that can allow you to use a U2F widget for screen unlock, login, sudo and the like. If you are worried about the U2F dying/being stolen/lost then you could always authorize more than one U2F widget and keep one in a safe place.
Well by "do login" I meant to basically require that + password. It's good to see it's possible.
I've been toying with the idea of buying a dock for my thinkpad and using it as my main system retiring my current low-powered desktop as a server.
My main concern is that, since I keep important docs on my system, I'd now be carrying them with me. Doing 2FA for harddrive decryption and system login would be amazing for me since then I'd be able to know that even if my computer is stolen the "attacker" won't really have the means to login.
Could use a comparison to e.g. a yubikey [0]. At this price, I can afford to just order one and see what happens, but still it would be nice to know what features I'm sacrificing for the cheaper price.
You're sacrificing everything the Yubikey does beyond U2F. Yubikey can support U2F, but also generates one time passwords, and appears as a smart card to your operating system allowing you to keep PGP/SSH keys on it.
Well, technically, since this device contains a clock, it should go through FCC Part 15 Verification before being sold. However, the FCC doesn't really have the budget to go after every board produced, you have to REALLY mess up to get on their radar...
Since it is USB based, it should technically go through USB-IF interoperability testing, if he wants to use the USB logo. Though actually it looks like he has a VID/PID allocated from SiLabs for this, which is already way better than a lot of inexpensive USB products.
Yeah I'm not sure about the legals and just figured it would be fine. I did get a VID/PID from SiLabs which has already done USB certification for the chip.
FIDO U2F also has a $10k certification process to allow you to use the FIDO logo. I don't think it's worth pursuing for me.
Though, if you can budget to go through FCC Verification testing (class B), maybe around $1000-1500 depending on your test house, it can sometimes be quite a useful learning experience for a board of moderate complexity. It is surprising where RF leaks out of these days. For a device that is this simple, it is probably fine. Officially, my opinion is that you should always have all the proper certifications in place.
Unfortunately, the $10k U2F certification is not that unreasonable compared to other similar certifications I have seen... As the fees don't just cover interoperability testing, but also legal fees if the trademark or specification must be defended.
I have a question about these tokens - what happens if they break? Are you effectively locked out? Is it possible to have two identical tokens so that if one breaks you can use the other?
You can often times have multiple different keys registered to a single account. I have a yubikey nano stashed away as my backup key if the one on my keychain breaks or is lost.
Thanks. I have quite a few services that only let me register one key. I always worry that if I lose my phone (or break it) I am going to be locked out.
Are you sure? I think you might be confusing OTP codes (what you get from an authenticator app on a phone) with U2F (a device like this that communicates via USB or NFC). Most services I know of only support one OTP seed (you can use it with multiple devices, though - just scan the QR code with all of them, the entire secrets are encoded in it. Of course, this makes it very cumbersome to add or remove a device, as you have to re-enrol all of them). But only allowing one U2F token is a bad idea, as losing (or breaking, depending on construction) it is very easy.
A good idea is to store backup codes some place safe. You can use them as one time 2nd factors. Then you can then either disable 2FA, or more preferably, register a different 2FA option.
I'm naive and didn't realize Amazon wouldn't ship internationally by default. I just updated the listing to enable international shipping which should take effect in a couple days. Thanks!
I always thought that "doesn't ship to Belgium" was about some sort of export restrictions or extra costs or whatever. Turns out it's just the default setting.
Next time I see this, I'm mailing the seller. Thanks for the info!
Oh, and thanks for the great work on the U2F device, and especially on open sourcing the whole thing. I'll probably order a couple to experiment with as well, as soon as they're available for shipping to Belgium :-)
If you leave your U2F key in your laptop or PC, I find it to be much more convenient than mobile 2FA. Just one tap and you're in... versus pulling out your phone, unlocking, and typing in the code.
Btw, all U2F services allow you to fall back to phone 2FA if you're on an unsupported device.
Yes, in the sense of convenience... but you are storing the generator on a networked device with potential for malicious exploitation. OK for my gmail, but maybe not the keys to a 6 figure brokerage account... Of course, in the case, I'm getting issued a key from the brokerage.
It can be easier too. I have a U2F key that lives in my USB hub, which means it's totally seamless and much easier than pulling out my phone and fiddling with authenticator apps. I also have a Yubikey on my keychain, which gives me U2F when I'm not at my desk (you can register more than one key) as well as TOTP for things that don't support U2F.
Generally I trust my U2F that has a simple button on it to not reveal it's private key much more so than a hugely complicated smartphone.
Especially the button, which makes it very hard for a remote attacker to get anything from the U2F token.
How many apps are on your phone? How secure is the software stack? Kernel? Hardware? Drivers? If android, how good is your manufacturer + cell provider at distributing the latest updates? Can you prove that an app can't see the screen and send a touch event?
Also generally it's faster to hit the single button on a U2F widget than it is to do anything with a smartphone.
Of course, I don't deny there're security benefits, but IMHO it's worth mentioning that there're some trade-offs.
>Well, of course there are always tradeoffs. The biggest one right now is that Google Chrome is the only major browser that supports U2F.
>Because it requires browser support to act as an intermediary between the website and the security key, you can only use it if the browser supports it.
>Mobile is also an issue, as they don't have USB ports!
>Some YubiKeys support U2F via wireless NFC, but support for this in mobile phones is very limited at the moment.
Sure, U2F has its drawbacks, too. NFC U2F and NFC TOTP are quite nice if your phone supports it. The YubiKey Neo can store TOTP secrets and show codes via the Yubico Authenticator app (also works on Desktop with yubioath), while Google Authenticator handles U2F via NFC. This is something that could really use an opening-up of NFC in iOS, only having it on Android is too limited to make it a success.
Other than that, great idea. It's how PayPal started.