"So the Somu is really nice. This just works straight out of the box.... this is really an open source solution that provides the capability for you to be able to hack around with these dongles."
"Two-factor authentication: Somu unveiled, a FIDO2 key that disappears into the USB port"
"Conceived as a fully open source tool, this FIDO2 security key comes in the common USB form factor so it can be used on the major desktop software platforms and their web browsers."
"Most popular security keys, like the Yubikey, are closed source, which limits their usefulness for hackers like myself. So now with the introduction of Somu, an open source alternative, tinkerers are free to run wild."
Somu is a tiny FIDO2 security key you can use with your Google, Twitter, and GitHub accounts for two-factor authentication, or your Microsoft account for passwordless login. Somu fits in your USB port, so you’ll never forget your key again.
Somu and all our other keys share open source hardware and firmware, because we believe that security should be more open, especially when it comes to hardware. Our keys are verified, trustworthy and hide no secrets. Well, except one: a master secret is safely stored and protected by the STM32 microcontroller, so that only you can log in, of course.
A note on security: in this campaign, we’re only selling Somu Hacker, the reprogrammable version of Somu. Please read the details in the section “Somu Hacker and Security” below.
Hand-soldered prototype.
Like many other FIDO2 security keys on the market, Somu works seamlessly with your Google, Twitter, and GitHub accounts for two-factor authentication, or with your Microsoft account for passwordless login. Somu fits in your USB port, so you’ll never forget your key again. And FIDO2 / WebAuthn is now a web standard, so you don’t need any extension whatsoever, Somu just works on most operating systems and browsers.
Unlike many other FIDO2 security keys on the market, Somu is fully open source and reprogrammable. It has an STM32L4, one RGB LED, and two buttons. It's secure against online attacks, and its firmware can be permanently locked down so that key material cannot be extracted by someone with physical access to the device (more on firmware security below).
During this campaign, we’ll be building the much-awaited support for SSH/GPG. We plan to add ECDSA keys first, followed by Ed25519. RSA is still a question mark because of the size of the keys, but of course the design will be modular enough to support everything eventually.
Development is already in progress, but the space is pretty fragmented, with many features missing from other tools (for example, ssh-agent and OpenSC lack support for Ed25519). For these reasons, a stretch goal seemed appropriate. With some extra funding, we can certainly speed up development, including submitting PRs to other projects. And if you'd like to be more involved, feel free to jump on GitHub!
Because Somu fits entirely in your USB port, it’ll soon become your inseparable companion for all your projects. Those (maybe low-levelish) projects, which before required space, extra devices, and wires all over the place… can now be worked on anywhere that you are! Here are some ideas:
You can use Somu to prototype or build applications that interact with a secure hardware component. Using WebAuthn extensions, you can build web apps that run in the browser and interact with Somu for functionalities other than pure authentication. For example, to digitally sign a document or a transaction. And because Somu is open source, you can even add new FIDO2 extensions to its firmware to expand its capabilities and then immediately use them within your app.
With one RGB LED and two buttons, Somu is a great STM32 board with a good amount of real-world code to tweak and learn from. You can also run Arduino on Somu via the STM32duino project. In both cases, you can access the entire spectrum of features of the STM32 in C/C++ (or even Rust), and not be limited by a Java Card abstraction.
We have two different flavors for all our security keys, including Somu: “secure” for consumers, and “hacker” for developers.
In this campaign, we’re only selling Somu Hacker, the reprogrammable version of Somu (with the exception of the highest pledge value, for which you can choose any combination of Somu Hacker or Somu Secure—on the assumption you’ll want to resell the keys to consumers).
Both Somu Secure and Somu Hacker, like any security keys, are secure against online attacks, including account takeover and phishing.
Somu Secure has locked-down firmware, and you can only upgrade it with firmware released and signed by us.
Somu Hacker is unlocked and reprogrammable by design. Because of that, malware on your laptop could rewrite its firmware. At any time, you can permanently lock Somu Hacker down and make it de facto a Somu Secure. (The opposite is not possible: a Somu Secure can never become a Hacker.)
If an attacker physically steals your key, they can simply use it, which is why FIDO generally does not consider physical attacks. That said, you can set a PIN for your security key, and we use STM32 level 2 readout protection, which permanently disables debug access to the chip's flash, so that secrets never leave the device and an evil butler can't clone your key.
Also note that malware could potentially compromise many other things in your system, such as your browser or your DNS cache (important against phishing attacks). So while Somu Secure is strictly more secure than Somu Hacker in theory, in practice it's hard to define where the line is. In general, to stay safe, we don't recommend using Somu Hacker for production.
|         | Somu  | Tomu  | Yubikey Nano 5 | Yubikey Nano 4 | Solo  |
| Made in | Italy | China | US / Sweden    | US / Sweden    | Italy |
* The microcontroller supports security features to protect against physical extraction of key material
The PCB is a 1 mm thick two-layer board with Z-axis milling. The milling creates short tabs on the sides that let the PCB "slide fit" into the case.
The edge that protrudes (slightly) out of your USB port is plated to form two independent capacitive touch buttons. The firmware currently combines them and treats them as a single button, but they may be configured for two different actions in the future.
Similar to Solo, the case is a durable silicone sleeve, which will flex slightly around the PCB to make a good fit.
An initial design check was to 3D-print the PCB and case to check both the case slide-fit and the fit into a USB-A port.
After making sure that worked, a real prototype order was placed. The firmware changes needed for the Solo firmware to also run on Somu were added.
The prototypes worked well, and only needed some minor changes for production. About 15 samples were hand-soldered and sent out for reviews.
We'll manufacture Somu in Italy, where we produce Solo. Everything is already lined up, and manufacturing will take about two to three months to complete. We'll start production as soon as we reach the $35k goal (not when the campaign ends), so backing us in a timely manner is important. If you're unsure, just back Somu now; you can always change your pledge later. Thanks to your support, production will start sooner!
All Somu units will be delivered to Crowd Supply’s warehouse for final distribution to backers worldwide. For more information, please see this page about ordering, paying, and shipping.
There are very few risks with this project, as the Somu design is complete and the manufacturer knows our products and is ready to go. However, component delays and unexpected shortages can occur. If this happens, we’ll be sure to keep you informed via updates to this project and we’ll work to quickly resolve the issue.
First, by backing this campaign you’ll help us bring Somu to the market. We’ll start the production immediately after reaching the $35k goal, so we highly encourage you to back Somu quickly, instead of holding out until the end of the campaign.
Next, we’re pretty actively working on firmware development on GitHub, you can join the discussion, submit PRs, or just lurk around and learn about our project or FIDO more generally.
Finally, with this campaign, we want to add support for SSH/GPG, to which you’re very welcome to contribute.
We also noticed that the space is fragmented and many features are lacking from other tools. For example, while OpenSSH supports Ed25519 and we could add support to our firmware, connecting the dots isn't as straightforward as it seems: neither the OpenSSH agent (the client) nor OpenSC (the PKCS#11 driver) supports Ed25519. Any help adding Ed25519 support to the OpenSSH agent and OpenSC is greatly appreciated.
And of course, if you have any other ideas on things you want to make with Somu, please don’t hesitate to get in touch below or reach out on Twitter @SoloKeysSec… this is the beauty of open source!
You can find more about SoloKeys at https://solokeys.com, and if you have any specific questions, feel free to reach out just below. If you want to take a look at the code and current documentation, you can start at https://github.com/solokeys/solo.
Nitrokey is a leading vendor of open source security hardware for data encryption, key management, and user authentication. https://www.nitrokey.com/
13-37.org is a premier electronics shop dedicated to manufacturing and direct sales of open-source hardware. https://13-37.org/