Security keys and your phone's built-in security keys are reshaping the way users authenticate online. These technologies are trusted by a growing number of websites to provide phishing-resistant two-factor authentication (2FA). To help make sure that next-generation authentication protocols work seamlessly across the internet, we are committed to partnering with the ecosystem and providing essential technologies to advance state-of-the-art authentication for everyone. So, today we are releasing a new open source security key test suite.

The protocol powering security keys

Under the hood, security keys are powered by the FIDO Alliance CTAP protocols, the part of FIDO2 that ensures a seamless integration between your browser and security key. Whereas the security-key user experience aims to be straightforward, the CTAP protocols themselves are fairly complex. The main reason for this is the broad range of authentication use cases the specification addresses, including websites, operating systems, and even enterprise credentials. As the protocol specification continues to evolve (there is already a draft of CTAP 2.1), corner cases that may cause interoperability problems are certain to appear.

Building a test suite

We encountered many of those tricky corner cases while implementing our open-source security-key firmware OpenSK and decided to create a comprehensive test suite to ensure that all of our new firmware releases handle them correctly. Over the last two years, our test suite grew to include over 80 tests that cover all the CTAP2 functions.

Strengthening the ecosystem

A significant strength of the security key ecosystem is that the FIDO Alliance is an industry consortium with numerous participating vendors providing a broad variety of distinct security keys catering to all users' needs. The FIDO Alliance offers testing for conformance to the current specifications. Those tests are a prerequisite to passing the interoperability tests that are required for a security key to become FIDO Certified. Our test suite complements those official tools by covering additional scenarios and in-market corner cases that are outside the scope of the FIDO Alliance's testing program.

Back in March 2020, we demonstrated our test suite to the FIDO Alliance members and offered to extend testing to all FIDO2 keys. We got an extremely positive response from the members and have been working with many security key vendors since then to help them make the best use of the test suite.

Overall, the initial round of the tests on several keys has yielded promising results, and we are actively collaborating with several vendors on building on those results to improve future keys.

Open-sourcing our test suite

Today we are making our test suite open source to allow security key vendors to directly integrate it into their testing infrastructure and benefit from improved testing coverage. Moving forward, we are excited to keep collaborating with the FIDO Alliance, its members, the hardware security key industry and the open source community to extend our test suite, improve its coverage, and make it a comprehensive tool that the community can rely on to ensure key interoperability. In the long term, it is our hope that strengthening the community's testing capabilities will ultimately benefit all security key users by helping ensure they have a consistent experience no matter which security keys they are using.


We thank our collaborators: Adam Langley, Alexei Czeskis, Arnar Birgisson, Borbala Benko, Christiaan Brand, Dirk Balfanz, Guillaume Endignoux, Jeff Hodges, Julien Cretin, Mark Risher, Oxana Comanescu, Tadek Pietraszek and all the security key suppliers that worked with us.
