"Most popular security keys, like the Yubikey, are closed source, which limits their usefulness for hackers like myself. So now with the introduction of Somu, an open-source alternative, tinkerers are free to run wild."

"So the Somu is really nice. This just works straight out of the box.... this is really an open source solution that provides the capability for you to be able to hack around with these dongles."

Somu is a tiny FIDO2 security key you can use with your Google, Twitter, and GitHub accounts for two-factor authentication, or your Microsoft account for passwordless login. Somu fits in your USB port, so you’ll never forget your key again.

Somu is the micro version of Solo. We were inspired to make a secure Tomu, so we took its tiny form factor, we added the secure microcontroller and firmware of Solo, et voilà! Here we have Somu.

Stretch Goals

- $35k - campaign goal: we'll start manufacturing as soon as we reach this goal, so hurry up and back Somu! If you're undecided, just go ahead and pick a pledge; you can always change it later.
- $50k - tie-dye case: we'll celebrate a special campaign by making limited edition, unique cases for each Somu.
- $100k - SSH/GPG: we'll invest part of the funding to speed up the implementation of SSH/GPG support, starting with ECDSA keys.
- $150k - Ed25519: we'll continue investing in our feature set by supporting Ed25519 in both FIDO2 and SSH/GPG, which should provide better speed and security.

Open Source: Verified and Trustworthy

Somu and all our other keys share open source hardware and firmware, because we believe that security should be more open, especially when it comes to hardware. Our keys are verified, trustworthy and hide no secrets. Well, except one: a master secret is safely stored and protected by the STM32 microcontroller, so that only you can log in, of course.

A note on security: in this campaign, we’re only selling Somu Hacker, the reprogrammable version of Somu. Please read the details in the section "Somu Hacker and Security" below.

Hand soldered prototype.

FIDO2: Strongest Web Authentication

Like many other FIDO2 security keys on the market, Somu works seamlessly with your Google, Twitter, and GitHub accounts for two-factor authentication, or with your Microsoft account for passwordless login. Somu fits in your USB port, so you’ll never forget your key again. And FIDO2 / WebAuthn is now a web standard, so you don’t need any extension whatsoever, Somu just works on most operating systems and browsers.

Unlike many other FIDO2 security keys on the market, Somu is fully open source and reprogrammable. It has an STM32L4, one RGB LED, and two buttons. It's secure against online attacks and can be permanently locked down to be secure against physical attacks (more on firmware security below).

SSH (Stretch Goal): Hardware-backed Authentication

During this campaign, we’ll be building the much-awaited support for SSH/GPG. We plan to add ECDSA keys first, followed by Ed25519. RSA is still a question mark because of the size of the keys, but of course the design will be modular enough to support everything eventually.

Development is already in progress, but the space is pretty fragmented, and other tools in the chain lack features we depend on (for example, ssh-agent and OpenSC lack support for Ed25519). For these reasons, a stretch goal seemed appropriate. With some extra funding, we can certainly speed up development, including submitting PRs to other projects. And if you'd like to be more involved, feel free to jump on GitHub!

Build With Somu

Because Somu fits entirely in your USB port, it’ll soon become your inseparable companion for all your projects. Those (maybe low-levelish) projects, which before required space, extra devices, and wires all over the place… can now be worked on anywhere that you are! Here are some ideas:

Add FIDO2 / WebAuthn To Your Website

We talk a lot about hardware and firmware, but let’s not forget the basics. WebAuthn is now a W3C standard, supported in all major browsers and OS’s, and offers stronger authentication than plain username+password. With Somu, you can test WebAuthn with just a few lines of JavaScript in your website, and build support for two-factor authentication, passwordless login, and even extra verification for sensitive user actions within your app (e.g., confirming transactions or critical changes to the settings).

Develop Secure Web Apps

You can use Somu to prototype or build applications that interact with a secure hardware component. Using WebAuthn extensions, you can build web apps that run in the browser and interact with Somu for functionalities other than pure authentication. For example, to digitally sign a document or a transaction. And because Somu is open source, you can even add new FIDO2 extensions to its firmware to expand its capabilities and then immediately use them within your app.

Learn STM32 Development

With one RGB LED and two buttons, Somu is a great STM32 board with a good amount of real-world code to tweak and learn from. You can also run Arduino on Somu via the STM32duino project. In both cases, you can access the entire spectrum of features of the STM32 in C/C++ (or even Rust), and not be limited by a JavaCard abstraction.

Somu Hacker and Security

We have two different flavors for all our security keys, including Somu: "secure" for consumers, and "hacker" for developers.

In this campaign, we’re only selling Somu Hacker, the reprogrammable version of Somu (with the exception of the highest pledge value, for which you can choose any combination of Somu Hacker or Somu Secure—on the assumption you’ll want to resell the keys to consumers).

Is Somu Hacker Secure?

Both Somu Secure and Somu Hacker, like any security keys, are secure against online attacks, including account takeover and phishing.

Somu Secure has locked-down firmware, and you can only upgrade it with firmware released and signed by us.

Somu Hacker is unlocked and reprogrammable by design. Because of that, malware on your laptop could rewrite its firmware. At any time, you can permanently lock Somu Hacker down and make it, de facto, a Somu Secure. (The opposite is not possible: a Somu Secure can never become a Hacker.)

What About Physical Attacks and Malware?

If an attacker physically steals your key, they can simply use it, so physical attacks are generally not considered by FIDO. This said, you can set a PIN for your security key, and we use STM32 flash readout protection level 2 to ensure that secrets never leave the device, so an evil butler can't clone your key.

Also note that malware could potentially compromise many things in your system, such as your browser or your DNS cache (important against phishing attacks). So while it's clear that Somu Secure is strictly more secure than Somu Hacker in theory, in practice it's hard to define where the line is. In general, to stay safe, we don't recommend using Somu Hacker for production.

Comparisons

                 Somu     Tomu     Yubikey Nano 5   Yubikey Nano 4   Solo
Tiny             Yes      Yes      Yes              Yes              No
Secure*          Yes      No       Yes              Yes              Yes
Open Source      Yes      Yes      No               No               Yes
U2F              Yes      Yes      Yes              Yes              Yes
FIDO2            Yes      No       Yes              No               Yes
Buttons          2        2        1                1                1
LEDs             RGB      R+G      RGB              RGB              RGB
Made in          Italy    China    US / Sweden      US / Sweden      Italy
Retail Price     $35      $30      $50              n/a              $20

* The microcontroller supports security features to protect against physical extraction of key material

Specifications

- Supported Protocols: FIDO2, U2F
- Supported Operating Systems: Linux, Microsoft Windows, Mac OS X, Chrome OS
- Supported Browsers: Chrome, Firefox, Edge; Safari support is coming soon (GA in macOS Catalina)
- Secure Processor: STM32L432KC (with TRNG, security isolation for keys, two levels of locked flash)
- Crypto Algorithms: ECC P-256 (as per the FIDO2 standard)
- Host Interface: USB-A
- Interaction: two touch buttons; in our FIDO2 firmware the two buttons behave as a single one
- Feedback: RGB LED
- Size: 0.5 x 0.5 x 0.1 inches (13 x 13 x 2.4 mm)
- Weight: 0.11 ounces (3 g)

Design and Prototypes

The PCB is a 1 mm thick two-layer board with Z-axis milling. The milling creates short tabs on the sides that let the PCB "slide fit" into the case.

The edge that protrudes (slightly) out of your USB port is plated to make two independent capacitive touch buttons. Firmware will currently combine and treat them as one, but they may be configured for two different actions in the future.

Similar to Solo, the case is a durable silicone sleeve, which will flex slightly around the PCB to make a good fit.

An initial design check was to 3D-print the PCB and case to check both the case slide-fit and the fit into a USB-A port.

After making sure that worked, a real prototype order was made. The necessary firmware changes to Solo were added to also work on Somu.

The prototypes worked well, and only needed some minor changes for production. About 15 samples were hand-soldered and sent out for reviews.

Experiments Making Somu (Fun)

Using a Hammer

Using a Phone

Using a Washing Machine

Manufacturing Plan

We’ll manufacture Somu in Italy, where we produce Solo. Everything is already lined up, and manufacturing will take about two to three months to complete. We’ll start production as soon as we reach the $35k goal (not when the campaign ends), so backing us in a timely manner is important. If you’re unsure, just back Somu now; you can always change your pledge later. Thanks to your support, production will start sooner!

Fulfillment & Logistics

All Somu units will be delivered to Crowd Supply’s warehouse for final distribution to backers worldwide. For more information, please see this page about ordering, paying, and shipping.

Risks & Challenges

There are very few risks with this project, as the Somu design is complete and the manufacturer knows our products and is ready to go. However, component delays and unexpected shortages can occur. If this happens, we’ll be sure to keep you informed via updates to this project and we’ll work to quickly resolve the issue.

How Can I Be More Involved?

First, by backing this campaign you’ll help us bring Somu to the market. We’ll start the production immediately after reaching the $35k goal, so we highly encourage you to back Somu quickly, instead of holding out until the end of the campaign.

Next, we’re pretty actively working on firmware development on GitHub, you can join the discussion, submit PRs, or just lurk around and learn about our project or FIDO more generally.

Finally, with this campaign, we want to add support for SSH/GPG, to which you’re very welcome to contribute.

We also noticed that the space is fragmented and many features are lacking from other tools. For example, while OpenSSH supports Ed25519 and we could add support to our firmware, connecting the dots isn’t as straightforward as it seems: neither the OpenSSH agent (the client) nor OpenSC (the PKCS#11 driver) supports Ed25519. Any help adding Ed25519 support to the OpenSSH agent and OpenSC is greatly appreciated.

And of course, if you have any other ideas on things you want to make with Somu, please don’t hesitate to get in touch below or reach out on Twitter @SoloKeysSec… this is the beauty of open source!

Support & Documentation

You can find more about SoloKeys at https://solokeys.com, and if you have any specific questions, feel free to reach out just below. If you want to take a look at the code and current documentation, you can start at https://github.com/solokeys/solo.

Nitrokey is a leading vendor of open source security hardware for data encryption, key management, and user authentication. https://www.nitrokey.com/

13-37.org is a premiere electronics shop dedicated to manufacturing and direct sales of open-source hardware. https://13-37.org/