Nitrokey 3A Mini - touch button

Hi,

The design of the Nitrokey 3A Mini seems to be intended for it to be always plugged into the USB port.

If so, the purpose of having a security key like this will be in jeopardy if someone remotely accesses the content of the key.

What is the purpose of the touch button?

Is it to allow the security key to be “awake” for some time to perform its actions, and in that way not allow its use by a remote attacker?

Cheers,

Hey @flippipe

This is correct: the Nitrokey 3A Mini (and e.g., also the Nitrokey FIDO2) are designed to be always plugged in. This is generally the plan, and the touch button explicitly serves as a security mechanism.

Basically, yes.

Let’s assume the worst case: someone has control over your computer and tries to log in to some FIDO2-secured website. After requesting the login, the Nitrokey will request a “user presence” (i.e., a button press on the token) in order to confirm that you want to log in to this website. Without the “user presence” check the website won’t receive the information needed for the login, thus no login may occur.

The firmware of the Nitrokey 3 Mini is designed so that this user presence is always (at least) necessary. On top of that, various variants can be implemented by the website (check https://webauthn.io/ for some) to increase the security level, like also asking for the PIN or deploying a so-called ResidentKey.
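As an added example (not code from the thread or from Nitrokey), this is how a website's server side can check the “user presence” flag that the token sets in the WebAuthn authenticator data only after the button press, and optionally also the “user verified” flag that a PIN entry sets. The byte layout follows the WebAuthn specification; the sample authenticator data is constructed here, not captured from a real token.

```python
import hashlib
import struct

# WebAuthn authenticator data, first 37 bytes (per the WebAuthn spec):
#   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
FLAG_UP = 0x01  # user present: the token's touch button was pressed
FLAG_UV = 0x04  # user verified: e.g. the PIN was entered as well


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed-size header of authenticator data into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def check_assertion(auth_data: bytes, rp_id: str, require_uv: bool = False):
    """Relying-party side check: reject an assertion that carries no proof of a
    button press (UP) and, if required, no PIN verification (UV).
    Returns (accepted, reason)."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not parsed["user_present"]:
        return False, "UP flag clear: no user presence confirmed"
    if require_uv and not parsed["user_verified"]:
        return False, "UV flag clear: PIN/user verification required"
    return True, "ok"


def build_sample_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample (not from a real token) for testing the checks above."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    print(check_assertion(build_sample_auth_data("webauthn.io", FLAG_UP, 7), "webauthn.io"))
    print(check_assertion(build_sample_auth_data("webauthn.io", 0, 8), "webauthn.io"))
```

This covers only the flag check; the server must still verify the token's signature over the authenticator data and the client data hash, and check the challenge and origin, before accepting the login.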

Thank you @daringer for the information.

Will the same request of “user presence” be valid for the other authentication mechanisms like the OpenPGP smart card, OTP, etc., or is it just for FIDO2?

Generally, this is not planned. The OpenPGP Card Spec requires the PIN for most operations, which is kind of the replacement for “user presence” in this context. OTP and/or PasswordManager through a security token is, to my knowledge, not standardized, meaning that traditionally (e.g., with the Nitrokey Pro2) this has also been protected through a PIN.

Technically, using the touch-based user presence would be an option for additional security here, but there are, as of now, no set plans to introduce this.
