For a certain kind of person, only open-source will do. If that sounds like you, then the €29 ($33.52, at the time of writing) Nitrokey FIDO2 is a go-to choice in the world of multifactor authentication (MFA) security keys. Small, German, affordable, and with support for the latest MFA standards, it helps secure your logins against attacks and relies on tried-and-tested, open-source technology. Using the Nitrokey FIDO2 with mobile devices will require a dongle, however, and it lacks the impressive encryption features found in other Nitrokey devices. As an entry-level device, the Nitrokey FIDO2 is a strong choice, but Editors’ Choice winner YubiKey 5C NFC packs wireless communication and additional MFA capabilities into a sleek package.
What Is Multifactor Authentication?
Multifactor authentication (sometimes called two-factor authentication or 2FA) is a method for verifying your identity using two factors from a list of three options:
- Something you know,
- Something you have, and
- Something you are.
Something you know would be a password or PIN. Something you are would be a biometric reading—think a fingerprint scan or facial recognition. Something you have would be a hardware security key, such as the Nitrokey FIDO2, or a security code generated by an app.
Passwords are woefully insecure, but when you add additional factors, you reduce the likelihood of an account takeover. If a bad guy gets your password from one of the numerous data breaches of the last decade, he still won’t be able to access your account because he won’t have the other factors necessary. Google proved that this approach works when account takeovers effectively vanished after it required employees to use MFA. Now, the company is poised to enroll millions in MFA automatically.
Security keys have the advantage of requiring no power or network connection, don’t rely on messages that can be intercepted, and are harder to attack than mobile devices or computers. But you still need to maintain proper security hygiene elsewhere, too. Weak passwords and malware are also exploited to take over accounts, so we strongly encourage readers to use a password manager and standalone antivirus software.
What’s New With the Nitrokey FIDO2?
Like most things with the numeral “2” in the name, the Nitrokey FIDO2 is a sequel. The original, and now deprecated, Nitrokey FIDO U2F supported only the FIDO U2F authentication standard. The Nitrokey FIDO2, on the other hand, supports the latest FIDO2 and WebAuthn standards, plus CTAP1/CTAP2. It is backward compatible with any sites that still support only the FIDO U2F standard, too.
That’s a lot of letters, but the practical outcome is that the Nitrokey FIDO2 should work just about anywhere that accepts hardware security keys. It can even work for password-less login environments, such as Microsoft services.
The Nitrokey FIDO2 does not have any biometric sensors. Several security keys on the market can use fingerprint scans to verify that you’re the key’s owner, such as the $69.99 Kensington VeriMark Guard USB-C Fingerprint Key. Support for biometric authentication is still rare, though, so it’s no great loss.
While the Nitrokey FIDO2 works with nearly every site and service that supports security keys, it’s still very much a base model. Higher-end (and pricier) devices like the $45 YubiKey 5 NFC can fill a variety of other roles, from storing PGP keys to functioning as a smart card (also called a PIV card) and more.
Even among other Nitrokey products, the Nitrokey FIDO2 is a bit of an odd duck. It’s the only Nitrokey product that works as a FIDO2/U2F security key. The Nitrokey Start (€29), Pro 2 (€49), and Storage 2 (starting at €109) don’t support FIDO2/U2F but can store passwords, one-time passwords (OTP), encryption keys, and even encrypted data.
Open-Source, Open-Mind
The most compelling aspect of the Nitrokey FIDO2 is that it’s built with open-source hardware and firmware. That means that its code and design can be picked over by researchers for potential vulnerabilities. Open-source is also something of an ethos. Some people believe that proprietary technology is amoral and makes the world less secure.
The company explains its devotion to open-source technology explicitly as a security feature:
“As long as IT systems are proprietary, backdoors can remain undetected for a long time. That is why we at Nitrokey focus on Open Source and make our software and hardware developments available to the public. This enables our users as well as independent third parties to check and audit the security of Nitrokey products.”
A competing company, Solo Keys, also boasts open-source hardware and firmware. Yubico, meanwhile, does have open-source projects but relies on proprietary components and firmware. The company explained its position in a blog post.
Nitrokey is based in Teltow, Germany, and manufactures its products in Germany, as well. The company views this setup as an added security benefit because it can maintain greater control over its supply chain. Similarly, Yubico points out that its products are made in the US and Sweden. Feitian, another company that produces various security keys, is based in China; Google deemed Feitian trustworthy enough to be its long-term partner for making Titan security keys.
Tougher Than It Looks
In its physical design, the Nitrokey FIDO2 is identical to its predecessor and the rest of the Nitrokey product line. Made of a black, textured plastic and tapered to a key ring slot, the Nitrokey reminds me of the first USB flash drive I ever owned (Dell-branded, 16Mb, circa 2003). A tricolor indicator LED lurks within and is only visible when illuminated, which is a neat trick.
At 1.89 by 0.75 by 0.28 inches (HWD) and weighing just 0.18 ounces, the Nitrokey FIDO2 feels worryingly light and hollow in the hand. But it’s sturdier than it feels; I cruelly twisted it back and forth, and while it groaned, it didn’t budge. Most other security keys have a visible tap sensor, often made of a different material. The tap-zone of the Nitrokey is marked only with paint, which is elegant in one sense but sometimes left me wondering if I was hitting the sweet spot.
The Nitrokey FIDO2 is unusual in that it has a full-sized USB-A connector—complete with metal shield. This ensures a solid connection and helps protect the device from damage, but it’s an outlier as far as the competition goes. Most favor an unshielded USB-A connector and a slimmer design, which I prefer. USB-C is, however, more compatible with modern computers and mobile devices.
For added protection, the Nitrokey FIDO2 comes with a plastic cap to cover the USB connector. Friction holds the cap tightly, but you have to set it aside every time you use the Nitrokey. It is almost certainly doomed to be lost within days. Kensington wisely includes a small cord in the box to connect the cap with the VeriMark Guard USB-C key.
A Fast Firmware Fable
My journey with the Nitrokey FIDO2 started in the winter of 2019 when the company first sent me the device. Then, COVID-19 happened. The PCMag labs went quiet and the Nitrokey sat forlornly in my desk drawer along with my other office knickknacks until a few weeks ago when I retrieved it from product review Limbo.
Given how long it had been gathering dust, I asked Nitrokey if the key was the same as the FIDO2s currently for sale. A company representative told me it was the same hardware and that all I needed to do was head over to a special website where I could upgrade to the latest firmware. The process took just a few seconds.
The ability to update firmware for computers and even IoT devices is generally a good thing. In fact, the main benefit of open-source products is that their vulnerabilities can be found and patched quickly. Competitor Yubico, however, argues just the opposite. That company views firmware updates as a potential vulnerability. Its devices are completely locked down.
Nitrokey is no slouch when it comes to upgrade security. Its firmware is digitally signed, meaning that the key only accepts updates cryptographically signed by Nitrokey. A company representative also tells me that its devices cannot be downgraded to older, potentially less secure, firmware versions. That said, the SolarWinds attack was so devastating precisely because attackers were able to sign their fake, malicious update code with that company’s real cryptographic key.
I prefer Yubico’s approach of not providing firmware updates. Part of the point of a security key, in my opinion, is that it’s isolated from external attacks. If you buy something for its open-source cred, however, you probably want those firmware updates.
Hands On With the Nitrokey FIDO2
To test the Nitrokey FIDO2, I went to Twitter and enrolled it as my security key. I then logged out and back in on a variety of devices and browsers. I did so successfully with Firefox and Chrome on Windows 10 and macOS machines. Sometimes, a quick tap was enough to authenticate me but other times I had to tap and hold my finger on the Nitrokey to authenticate.
Notably, the Nitrokey FIDO2 does not support NFC, which is a bit of a problem if you want to use it with mobile devices—especially iPhones. The $70 YubiKey 5Ci does without NFC by using a bizarre, double-headed design that is compatible with both Lightning and USB-C connectors. With USB-C and NFC, Editors’ Choice winner YubiKey 5C NFC works with just about every device on the market but is a bit more upscale at $55. Even the $24.50 Security Key NFC communicates wirelessly. In my testing, I successfully logged into the Twitter app on my Pixel 3a using the Nitrokey FIDO2 and a USB-C dongle, which could neatly sidestep the problem.
One of the exciting features of the FIDO2/WebAuthn standards is their support for password-less logins. To test this with the Nitrokey FIDO2, I enrolled it with my Microsoft account through that company’s web portal. After registering the key, Microsoft prompted me to add a PIN. Logging in again later, I clicked the small-print option to log in passwordlessly with a security key. After tapping the Nitrokey and entering my PIN, I was in. Easy.
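The tap-only logins above and the tap-plus-PIN passwordless login map onto two flag bits in the WebAuthn authenticatorData the key returns: user present (the tap) and user verified (the PIN). As an added example, not code from the review or from Nitrokey, here is the relying-party-side check a site performs on that structure in Python; the rpId example.com, the sample byte strings and the check_assertion helper are constructed for illustration.

```python
import hashlib
import struct

# authenticatorData layout from the FIDO2/WebAuthn specs:
#   rpIdHash   32 bytes  SHA-256 of the relying party ID (e.g. the site's domain)
#   flags       1 byte   bit 0 = UP (user present, the tap)
#                        bit 2 = UV (user verified, e.g. the PIN entered on the key)
#   signCount   4 bytes  big-endian signature counter, used to spot cloned keys
FLAG_UP = 0x01
FLAG_UV = 0x04


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(auth_data[32] & FLAG_UP),
        "user_verified": bool(auth_data[32] & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion(auth_data: bytes, rp_id: str, last_sign_count: int, passwordless: bool) -> tuple:
    """Return (ok, reason). Hypothetical helper mirroring the relying party's checks:
    rpIdHash must match the site, UP must be set, UV must be set for a passwordless
    login, and the counter must advance when the key reports one at all."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch: assertion was made for a different site"
    if not parsed["user_present"]:
        return False, "user presence (tap) not asserted"
    if passwordless and not parsed["user_verified"]:
        return False, "user verification (PIN) required for passwordless login"
    counter_used = parsed["sign_count"] != 0 or last_sign_count != 0
    if counter_used and parsed["sign_count"] <= last_sign_count:
        return False, "signature counter did not increase (possible cloned key)"
    return True, "ok"


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData; a real key emits these bytes itself."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    tap_only = build_auth_data("example.com", FLAG_UP, 11)
    tap_and_pin = build_auth_data("example.com", FLAG_UP | FLAG_UV, 12)
    print(check_assertion(tap_only, "example.com", 10, passwordless=False))    # (True, 'ok')
    print(check_assertion(tap_only, "example.com", 10, passwordless=True))     # UV missing
    print(check_assertion(tap_and_pin, "example.com", 10, passwordless=True))  # (True, 'ok')
```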
Nitro-Boosted Security
Security keys are the strongest method for multifactor authentication, and the Nitrokey FIDO2 brings a lot to the table. It’s inexpensive and supports the newest standards, meaning it works with any site or service that accepts MFA keys. The Nitrokey FIDO2 does fine in passwordless contexts as well, giving you a leg up on the future of authentication. With its open-source bona fides, you can be sure that this device is secure against attacks.
If you plan on using the Nitrokey FIDO2 with a mobile device, you will need a dongle since it lacks NFC. This bites into its value proposition because the Security Key NFC costs slightly less. The Nitrokey FIDO2 also doesn’t support biometrics or the advanced features of other Nitrokey products.
Shopping for open-source products is often an endeavor of conscience. If you subscribe to that ethos, then the Nitrokey FIDO2 is an excellent choice. If you want more capabilities and don’t mind a more closed approach, look to our Editors’ Choice winner, the Yubico YubiKey 5C NFC.