Project update 6 of 20
We’ve done it! Signet HC is now officialy funded. Thank you to everyone who has pledged so far.
Everything is going very smoothly so far. Our board layout has been approved by PCBWay, fabrication has begun, and we are sourcing components for the assembly phase. The latest injection molding samples arrived from Sea Sky Tooling and all issues with the silkscreen and mold were significantly improved. We have placed an order for the minimum order quantity of 550 pieces.
Two-factor authentication (2FA) is a way to enhance the security of a site by requiring the presence of a device, such as Signet HC, to complete a login or other transaction. Signet HC supports FIDO U2F, FIDO2, HOTP one-time passwords, and TOTP one-time passwords.
Signet HC is different in many ways from 2FA devices on the market today. It is not small enough to leave plugged into a laptop like the Tomu and it’s relative the Somu. Signet HC needs to be larger to support its more powerful microcontroller, robust keyring loop, and eMMC memory. As a consequence, when not in use, Signet HC is more likely to be kept with the user than the user’s computer. This decreases the likelihood it could be taken from a lost or stolen computer. Furthermore, private 2FA data can be encrypted as part of Signet HC’s password database, making a lost or stolen device unlikely to be exploited.
Most two-factor authentication devices use a capacitive touch pad to indicate the presense of a user. Based on our experiences with various touch interfaces being occasionally unreliable, we decided to go with a tactile switch. It’s always clear when you’ve activated the device, we find it more satisfying, and we’ve never had a problem with presses not being registered. It’s true that all tactile switches eventually wear out but we have chosen a very light-touch switch that is rated for 500,000 presses. This is in line with the lifespan of the typical USB port which is about 5,000 insertions, allowing for 100 button presses per insertion.
To use Signet HC, or any U2F device, with a website, the device must first be registered with the site. The site sends a unique code to the device via the browser to allow it to identify the site in the future. In response, the device sends the public component of its public/private key pair to the website. Secure authentication is later accomplished through the properties of public and private keys:
During an authentication attempt, the site will transmit a randomized challenge message, which the device will sign with its private key and send back to the website. By using the device’s public key, the website can then verify the message signature. Since the private key is never transmitted and cannot be easily derived from the public key, this procedure effectively ensures that the user possesses the same key that was originally registered with the site.
FIDO2 uses a similar authentication mechanism as FIDO U2F but uses a different interface designed to support passwordless login instead of only second factor authentication.
One-time passwords are an alternate form of two-factor authentication that does not rely on public key cryptography. Instead they work on the basis of a single shared secret between the site and the device. The password changes over time either through a shared usage counter in the case of HOTP, or the wall clock time with TOTP. In both cases, the changing value is combined with the shared secret and passed through a cryptographic hash function. Signet HC can enter these passwords when needed using its USB keyboard interface, just as if you had typed them yourself. The one-time password feature is integrated into Signet HC’s existing password manager.