Paper 2021/640

Security and Trust in Open Source Security Tokens

Marc Schink, Alexander Wagner, Florian Unterstein, and Johann Heyszl


Using passwords for authentication has been proven vulnerable in countless security incidents. Hardware authentication tokens effectively prevent most password-related security issues and improve security indisputably. However, we would like to highlight that there are new threats from attackers with physical access which need to be discussed. Supply chain adversaries may manipulate devices on a large scale and install backdoors before they even reach end users. In evil maid scenarios, specific devices may even be attacked while already in use. Hence, we thoroughly investigate the security and trustworthiness of eight commercially available open source authentication tokens, including devices from the two market leaders: SoloKeys and Nitrokey. Unfortunately, we identify and practically verify significant vulnerabilities in all eight examined tokens. Some of them based on severe, previously undiscovered, vulnerabilities of three major microcontroller products which are used at a large scale in various products. Our findings clearly emphasize the significant threat from supply chain and evil maid scenarios since the attacks are practical and only require moderate attacker efforts. Fortunately, we are able to describe software-based countermeasures as effective improvements to retrofit the examined devices. To improve the security and trustworthiness of future authentication tokens, we also derive important general design recommendations.

Available format(s)
Publication info
A minor revision of an IACR publication in Tches 2021
security tokensecond factor authenticationFIDOfault injection attackside-channel attackfirmware protection
Contact author(s)
marc schink @ aisec fraunhofer de
2021-05-17: received
Short URL
Creative Commons Attribution


      author = {Marc Schink and Alexander Wagner and Florian Unterstein and Johann Heyszl},
      title = {Security and Trust in Open Source Security Tokens},
      howpublished = {Cryptology ePrint Archive, Paper 2021/640},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.