Nitrokey 3A Mini - touch button

Hi,

The design of the Nitrokey 3A Mini seems to intend it to be always plugged into the USB port.

If so, the purpose of having a security key like this will be in jeopardy if someone remotely accesses the content of the key.

What is the purpose of the touch button?

Is it to “wake up” the security key for some time so it can perform its actions, and in that way not allow use by a remote attacker?

Cheers,

Hey @flippipe

This is correct: the Nitrokey 3A Mini (and, e.g., also the Nitrokey FIDO2) are designed to be always plugged in. This is generally the plan, and the touch button explicitly serves as a security mechanism.

Basically, yes.

Let’s assume the worst case: someone has control over your computer and tries to log in to some FIDO2-secured website. After requesting the login, the Nitrokey will request “user presence” (i.e., a button press on the token) in order to confirm that you want to log in to this website. Without the “user presence” check the website won’t receive the information needed for the login, thus no login may occur.

The firmware of the Nitrokey 3 Mini is designed so that this user presence is always (at least) necessary. On top of that, various variants can be implemented by the website (check https://webauthn.io/ for some) to increase the security level, like also asking for the PIN or deploying a so-called resident key.
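To make the flow above concrete, here is an added example (not code from the forum post, from Nitrokey, or from any real authenticator) of the two sides of a FIDO2 login: a simulated token that only produces an assertion when its button was touched, and the relying-party check that rejects any assertion whose authenticator data does not carry the user-presence (UP) bit. The authenticator-data layout (32-byte rpIdHash, one flags byte, 4-byte big-endian signCount) and the flag bit positions follow the WebAuthn specification; the rpId, counter values and the `SimulatedToken` class are constructed for this example.

```python
"""Added example: FIDO2 user presence as seen by the token and by the website.

This is illustrative code written for this thread, not Nitrokey firmware or a
real WebAuthn library.  It models only the pieces the discussion is about:
the flags byte in the authenticator data and who checks it.
"""
import hashlib
import struct
from typing import Optional

# Flag bits of the authenticator-data flags byte (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # user present: the token's touch button was pressed
FLAG_UV = 0x04  # user verified: PIN (or biometric) was checked on the token
FLAG_AT = 0x40  # attested credential data included (registration only)
FLAG_ED = 0x80  # extension data included


def rp_id_hash(rp_id: str) -> bytes:
    """SHA-256 of the relying-party ID, the first 32 bytes of authenticator data."""
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Assemble the minimal 37-byte authenticator data a token returns on getAssertion."""
    return rp_id_hash(rp_id) + bytes([flags & 0xFF]) + struct.pack(">I", sign_count)


def parse_authenticator_data(data: bytes) -> dict:
    """Split authenticator data into its fields; raises on truncated input."""
    if len(data) < 37:
        raise ValueError("authenticator data too short (%d bytes)" % len(data))
    flags = data[32]
    return {
        "rp_id_hash": data[:32],
        "flags": flags,
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", data[33:37])[0],
    }


class SimulatedToken:
    """Constructed stand-in for a security key: no touch, no assertion."""

    def __init__(self) -> None:
        self.sign_count = 0

    def get_assertion(self, rp_id: str, touched: bool, pin_verified: bool = False) -> Optional[bytes]:
        # A remote attacker driving the host cannot press the button, so this
        # returns None for them; a real token answers with a CTAP error instead.
        if not touched:
            return None
        self.sign_count += 1
        flags = FLAG_UP | (FLAG_UV if pin_verified else 0)
        return build_authenticator_data(rp_id, flags, self.sign_count)


def verify_assertion(auth_data: bytes, rp_id: str, last_sign_count: int = 0,
                     require_uv: bool = False) -> bool:
    """Relying-party side: the website's checks on the returned authenticator data.

    The signature over (auth_data || clientDataHash) is verified separately in a
    real deployment; this function covers only the flag and counter checks.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != rp_id_hash(rp_id):
        return False  # assertion was made for a different site (phishing-resistance)
    if not parsed["up"]:
        return False  # no button press: the website refuses even if a token sent it
    if require_uv and not parsed["uv"]:
        return False  # site policy asks for PIN on top of touch
    if parsed["sign_count"] != 0 and parsed["sign_count"] <= last_sign_count:
        return False  # counter went backwards: possible cloned credential
    return True


if __name__ == "__main__":
    token = SimulatedToken()
    print("attacker, no touch :", token.get_assertion("webauthn.io", touched=False))
    ad = token.get_assertion("webauthn.io", touched=True)
    print("user touched       :", verify_assertion(ad, "webauthn.io"))
    print("PIN also required  :", verify_assertion(ad, "webauthn.io", require_uv=True))
```

The token-side refusal is the mechanism the reply describes; the website-side check of the UP flag is the belt-and-braces part a relying party does regardless, so that a malicious or buggy authenticator cannot skip it either.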

Thank you @daringer for the information.

Will the same “user presence” request apply to the other authentication mechanisms like OpenPGP smart card, OTP, etc., or is it just for FIDO2?

Generally, this is not planned. The OpenPGP Card spec requires the PIN for most operations, which is kind of the replacement for “user presence” in this context. OTP and/or a password manager through a security token is, to my knowledge, not standardized, which means traditionally (e.g., with the Nitrokey Pro 2) this has also been protected through a PIN.

Technically, using touch-based user presence would be an option for additional security here, but there are, as of now, no set plans to introduce this.


I have configured my YK4 to always require touch when authenticating a new SSH session. Its LED starts blinking to remind me that I have to touch it so the authentication can continue. I find this security feature rather important, especially when I need to use my key on a random machine, IOW one that I don’t own.

I believe it is a feature that should be available for the NK 3A Mini as well.


Well, this:

https://docs.nitrokey.com/nitrokey3/linux/openpgp-uif

is exactly what I meant. I tried ‘uif’ and it works for me.

Note: It would have been nice if the LED blinked as a reminder that a touch is in order. A couple of times I’ve been sitting in front of an empty terminal before I remembered I need to touch the NK3 so the auth can continue. Anyway, this is a minor detail and I am happy that the main functionality is there.

thanks,
Petko
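A check that goes with the use case in the last two posts (SSH from a machine you do not own), added here as an example and not part of the thread or of Nitrokey's tooling: before relying on the key, confirm that the OpenPGP applet actually has UIF (touch) enabled for the slot you are about to use. It reads the `UIF setting ......: Sign=… Decrypt=… Auth=…` line that recent GnuPG versions print in `gpg --card-status`; the sample output embedded below is constructed for the example, and the exact wording of that line and its three possible values (`off`, `on`, `permanent`) are assumptions to verify against your own GnuPG version.

```python
"""Added example: fail-closed pre-flight check of the OpenPGP UIF (touch) setting.

Not Nitrokey code.  Parses the 'UIF setting' line of `gpg --card-status`
(format assumed from recent GnuPG releases) and refuses to proceed unless the
requested key slot requires a touch.
"""
import re
import subprocess
import sys
from typing import Dict, Optional

# Constructed sample of `gpg --card-status` output for a card with touch
# enabled on the Auth slot only (the slot gpg-agent uses for SSH).
SAMPLE_CARD_STATUS = """\
Reader ...........: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Application ID ...: D2760001240103040000000000000000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Nitrokey
Signature PIN ....: forced
KDF setting ......: off
UIF setting ......: Sign=off Decrypt=off Auth=on
Signature key ....: [none]
"""

# Assumed line format; the dots are padding GnuPG prints, hence the [ .]* class.
UIF_LINE = re.compile(
    r"^UIF setting[ .]*:\s*Sign=(\w+)\s+Decrypt=(\w+)\s+Auth=(\w+)", re.MULTILINE
)
TOUCH_VALUES = ("on", "permanent")  # 'permanent' cannot be switched off again


def parse_uif(card_status: str) -> Optional[Dict[str, str]]:
    """Return {'sign': .., 'decrypt': .., 'auth': ..} or None if the line is absent."""
    m = UIF_LINE.search(card_status)
    if not m:
        return None  # old GnuPG or a card without UIF support: treat as unknown
    return {"sign": m.group(1), "decrypt": m.group(2), "auth": m.group(3)}


def touch_required(card_status: str, slot: str) -> bool:
    """True only when the given slot ('sign', 'decrypt', 'auth') demands a touch."""
    uif = parse_uif(card_status)
    if uif is None or slot not in uif:
        return False  # unknown means unsafe: fail closed
    return uif[slot].lower() in TOUCH_VALUES


def read_card_status() -> str:
    """Run gpg on the real card; separated out so the parser is testable offline."""
    return subprocess.run(
        ["gpg", "--card-status"], capture_output=True, text=True, check=True
    ).stdout


if __name__ == "__main__":
    slot = sys.argv[1] if len(sys.argv) > 1 else "auth"
    status = read_card_status() if "--live" in sys.argv else SAMPLE_CARD_STATUS
    if touch_required(status, slot):
        print("UIF is enabled for '%s': each use needs a button press." % slot)
    else:
        print("UIF is NOT enabled for '%s'; enable it per the docs before using the key." % slot)
        sys.exit(1)
```

Run it with `--live auth` on the untrusted host to read the real card; without `--live` it evaluates the constructed sample, where only `Auth` is on, so a check for `sign` deliberately fails.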