FIDO2 keyslots
YubiKey, Google Titan, Nitrokey, Windows Hello - hardware-backed unlock.
FIDO2 keyslots use the CTAP2 hmac-secret extension to derive a deterministic per-credential secret from your hardware authenticator. That secret derives the wrap-KEK that unlocks the vault.
Supported devices
LUKSbox treats every CTAP2 + hmac-secret authenticator the same way at the protocol level. We split the device list into what we have actually exercised end-to-end in our lab and what should work by spec but we have not yet personally tested.
Tested in our lab
| Device | USB ID | cred_id length | Notes |
|---|---|---|---|
| YubiKey 4 / 5 / Bio | 1050:* |
64 B | Classic key-handle format. Primary regression target. |
| Yubico Security Key Series ("Security Key NFC", "Security Key C NFC") | 1050:* |
64 B | Same Infineon silicon and same FIDO2 + hmac-secret firmware path as YubiKey 5, the YubiKey-side regression target covers this product line at the protocol level. Cheapest first-party Yubico device for LUKSbox use. |
| Google Titan Security Key v2 | 18d1:9470 |
288 B | Larger cred_id; supported via slot layout V3. |
| SoloKey 2 / Solo 2 | 0483:* |
64-140 B | Stateless mode produces larger cred IDs. |
| Nitrokey 3 (USB-C / NFC) | 20a0:42b2 |
158 B | Open-firmware (Trussed framework, Rust). Larger cred_id stored via slot layout V4; verified cross-platform (enroll and unlock on Linux, macOS, and Windows). |
| Windows Hello platform authenticator | windows://hello |
n/a | Win11 22H2+; PIN, fingerprint, or face. |
These are exercised end-to-end (enroll -> unlock -> revoke -> re-enroll)
on the example binaries under
crates/luksbox-fido2/examples/
on every release that touches the FIDO2 path.
Planned / expected to work but not yet exercised
| Device | Expected status | Notes |
|---|---|---|
| USB Armory Mk II + custom FIDO2 firmware | Research / DIY only; on the test plan | Not a turnkey FIDO2 token (general-purpose i.MX6UL processor running custom firmware). Tested for completeness as part of the device-survey effort, not as a recommended daily-driver device, see the side-channel note in the Choosing a hardware key section. |
| Trezor Safe 3 / Safe 5 | Spec-compliant; not yet in our matrix | CTAP2 + hmac-secret per Trezor's documentation. Wallet-vendor; FIDO2 is a secondary feature. |
| Token2 PIN+ | Spec-compliant; not yet in our matrix | Niche Swiss vendor; less public scrutiny. |
| OnlyKey | Spec-compliant; not yet in our matrix | Pinpad on the device; open firmware. |
Anything CTAP2-compliant with the hmac-secret extension should
work even if it's not in either table, those are the only protocol
features LUKSbox actually requires. If your device produces cred IDs
above 352 bytes, file an issue and we'll bump the cap (no production
device we know of exceeds 300 B). If you successfully use a device
that's not in either table, please tell us so we can move it to the
"Tested" row in the next release.
Two FIDO2 modes, and the backup-passphrase nuance
LUKSbox exposes two SlotKind values for FIDO2 enrollments:
| Mode | What the FIDO2 slot stores | What the MVK is |
|---|---|---|
Fido2HmacSecret (default; the "wrap" radio in the GUI) |
cred_id, hmac_salt, wrapped MVK ciphertext + AEAD tag | A fresh random 32 bytes wrapped under a KEK derived from the device's hmac-secret response |
Fido2DerivedMvk (the "FIDO2-direct" radio) |
cred_id, hmac_salt only, no wrapped MVK ciphertext | The HKDF expansion of the device's hmac-secret response. The MVK doesn't exist on disk anywhere |
The interesting question is what a backup keyslot does to each mode. Both modes can have other keyslots added to the same vault; those slots wrap the same MVK under their own KEKs. Once any passphrase slot exists, the offline-disk-stolen attack surface is identical between the two modes:
| Configuration | Wrapped MVK on disk? | Recover from device loss? | Offline brute-force surface |
|---|---|---|---|
Fido2HmacSecret, no backup |
Yes (under FIDO2-derived KEK only) | No | Wrap KEK is FIDO2-derived; brute-force needs to break CTAP2 hmac-secret |
Fido2HmacSecret + passphrase backup (added later via the keyslot manager / enroll) |
Yes (one slot per kind) | Yes (use backup) | The passphrase slot becomes the weakest link; Argon2id slows it |
Fido2DerivedMvk, no backup |
No (this is the defining property) | No | Nothing to brute-force, there is no ciphertext for this slot |
Fido2DerivedMvk + passphrase backup (filled in the create form, auto-enrolled after create_with_fido2_derived_mvk) |
Yes (a passphrase slot is added wrapping the same MVK under the passphrase KEK) | Yes (use backup) | Same as wrap + backup, the passphrase slot is the weakest link |
So the design rule is:
- Pick
Fido2HmacSecretfor the conventional setup (multi-slot, recoverable). Adding a passphrase or second-device backup AFTER create is the standard pattern. - Pick
Fido2DerivedMvkwithout a backup if the no-wrapped-MVK property matters more than recoverability, for example, an ephemeral or high-paranoia vault where the cost of losing the vault is acceptable. - Filling the backup-passphrase field on FIDO2-direct silently
removes the no-wrapped-MVK property. A passphrase keyslot is
enrolled after the vault is created, wrapping the same MVK under
a passphrase-derived KEK; the on-disk attack surface then
matches
Fido2HmacSecret+ passphrase backup. The GUI's create form spells this out next to the field; the wizard prompts for explicit confirmation. We surface the trade-off because it's a silent demotion of the slot's strongest property, not because having a backup is wrong.
Choosing a hardware key
LUKSbox treats every CTAP2 + hmac-secret authenticator the same way at the protocol level. The choice between vendors is a function of price, maturity, public audit history, NFC support, and whether the vendor's silicon is known to have a published side-channel attack against an obsolete firmware. The table below is a snapshot from 2026; prices are EUR approximations from the vendors' official EU stores and do not include shipping or VAT where applicable. Always check the vendor's current page for the authoritative number.
| Vendor / model | Price (EUR, approx, no NFC unless noted) | NFC | Secure element | Public attack history | Firmware openness | Recommended for |
|---|---|---|---|---|---|---|
| Yubico Security Key Series (FW >= 5.7.0; "Security Key NFC" USB-A or "Security Key C NFC" USB-C) | around €29-€35 | Yes | Infineon SLE78 (same family as YubiKey 5; EUCLEAK-mitigated firmware) | EUCLEAK (2024) on FW < 5.7.0; mitigated in 5.7+ | Closed firmware | Cheapest first-party Yubico device that does what LUKSbox needs. FIDO U2F + FIDO2/WebAuthn (incl. hmac-secret) only, no PIV, OpenPGP, OATH, or YubiOTP. If you'd be paying for the YubiKey 5's extra protocols and not using them, this is the right SKU. NFC standard on both form factors. |
| YubiKey 5 Series (FW >= 5.7.0) | around €55-€105 (NFC variants around €60-€105) | Yes (5C NFC, 5 NFC, 5 Bio NFC) | Infineon SLE78 (EUCLEAK-mitigated firmware) | EUCLEAK (2024) on FW < 5.7.0; mitigated in 5.7+ | Closed firmware, Common Criteria EAL 6+ on some models | Pick over the Security Key Series only if you also need PIV / OpenPGP / OATH / YubiOTP for other tools. For LUKSbox alone the Security Key Series is the same FIDO2 stack at half the price. |
| YubiKey 5 / Security Key Series (FW < 5.7.0, sold 2017-May 2024) | n/a, replace | n/a | Infineon SLE78 vulnerable to EUCLEAK | EUCLEAK extract requires minutes of EM measurement | n/a | Replace per Yubico YSA-2024-03. Both product lines share the same affected silicon. Firmware is one-time-programmable; no field flash. |
| Google Titan v2/v3 (USB-C, sold 2021+) | around €35 (USB-C model with NFC around €39) | Yes on most variants | NXP P60/P70 family (different silicon from v1) | No published attack on current silicon; vendor disclosed nothing on v2/v3 vs Side Journey to Titan | Closed firmware | Best price-to-maturity ratio for FIDO2-focused use. Google vendor stability; Feitian-manufactured; cheapest mainstream device that meets our needs. |
| Google Titan v1 (USB-A, sold 2018-2021) | n/a, replace | n/a | NXP A700X | NinjaLab Side Journey to Titan (2021) clones device per-account in 10h of physical access + €10k lab | n/a | Replace with v2/v3. Side-channel attack is published methodology. |
| Nitrokey 3 (USB-C, NFC variant) | around €32 (USB-A NFC around €60) | Yes on Nitrokey 3 NFC | Microchip / NXP secure element (model-dependent) | No published FIDO2-specific extract attack | Open firmware (Trussed framework, Rust) | Users who want open firmware they can audit. German vendor, smaller user base than Yubico. |
| SoloKey Solo 2 (USB-C / Lightning, no NFC) | around €31 | No on Solo 2 | NXP LPC55S69 (TrustZone-M; no dedicated SE) | No FIDO2-specific extract on Solo 2 firmware; NCC Group 2020 found LPC55 secure-boot bypass, mitigated in revised silicon | Open firmware + open hardware spec | Developers, research, and people who want a hackable token. Smaller vendor; fewer audit dollars; price reflects that. |
| Trezor Safe 3 | around €80 | No (USB only) | Infineon OPTIGA Trust M11 | Wallet-domain audits; FIDO2 added recently, less FIDO2-specific scrutiny | Firmware open; hardware spec partial | Bitcoin / crypto-wallet users who also want one device for FIDO2. |
| Trezor Safe 5 | around €169 | No (USB only) | Tropic Square TROPIC01 (open SE design) | No published attack; chip is new (2024) | Firmware open; SE design open via Tropic Square | Same as Safe 3, plus users who care that the SE design is itself open. |
| Token2 PIN+ | around €40 | Varies | Infineon | Less public scrutiny; smaller deployed base | Closed | Budget; less audit transparency; small Swiss vendor. |
| OnlyKey | around €60 | No | Silicon Labs EFM32 (general-purpose MCU) | Less public scrutiny; pinpad on device is the differentiator | Open firmware | Users who want a pinpad on the device itself (PIN entered on the key, not on the host). |
| USB Armory Mk II + custom FIDO2 firmware | hardware around €150 + significant integration work | No | NXP i.MX6UL (general-purpose application processor; no dedicated SE) | Mk I HABv4 bypass (2017, unfixable on i.MX53). Fixed in Mk II using i.MX6UL silicon revision 1.2+. Same i.MX class boot issues affected multiple NXP application processors. No dedicated FIDO2 audit. | Full open platform | Research / DIY only. Not a turnkey FIDO2 token: you'd run a custom firmware (e.g. SoloKeys-on-Armory, U2F-Zero port). General-purpose application processor, no dedicated SE, meaningfully weaker against the hardware-side-channel attack class than purpose-built tokens. Original 2017 advisory: Security_Advisory-Ref_QBVR2017-0001.txt. |
What we'd pick (and why)
- Cheapest acceptable single device: a current-firmware Yubico Security Key Series with NFC (USB-A "Security Key NFC" or USB-C "Security Key C NFC"). around €29-€35. Same Infineon silicon and same FIDO2 stack as the full YubiKey 5; the only thing missing is the protocols LUKSbox doesn't use. Vendor maturity is identical to YubiKey 5 (it's the same vendor and the same firmware family). This is the device we'd hand to a non-technical user without caveats.
- Cheapest non-Yubico alternative: a Google Titan v2/v3 USB-C (around €35, NFC on most variants). Different silicon family from Yubico, which is exactly the property you want for the second slot of a multi-vendor pair.
- Daily driver if you also use other tools: a current-firmware YubiKey 5 NFC. Worth the price premium over Security Key Series ONLY if you're also paying for PIV / OpenPGP / OATH / YubiOTP for tools outside LUKSbox. For LUKSbox alone the Security Key Series is the same protocol surface at half the price.
- Open-firmware preference: a Nitrokey 3 (NFC variant if you need it). German vendor, Rust firmware, smaller deployment than Yubico but actively maintained.
- Multi-vendor backup pair: enroll two different vendors' devices into the same vault. Recommended for high-value vaults: if a side-channel attack is later disclosed against one silicon family, the other slot still protects you. A common pairing is Yubico Security Key + Google Titan v2, or YubiKey 5 + Nitrokey 3. Note that pairing two Yubico devices (Security Key + YubiKey 5) does NOT give you silicon-family independence, they share the same Infineon SE.
- What to avoid for daily-driver use: USB Armory + custom firmware (use case is research, not "encrypt my files"); any device whose firmware you can't update and whose vendor has not publicly responded to the 2024 EUCLEAK / 2021 Side Journey to Titan advisories. Pre-2024 Yubico (FW < 5.7.0, both Security Key Series and YubiKey 5) and 2018-2021 USB-A Google Titan are the two "replace it" cases.
General principles
- A current-generation hardware key is meaningfully better than no
hardware key, and meaningfully better than a 2018-vintage one.
Side-channel attacks documented in
docs/HARDWARE_SIDE_CHANNEL_NOTES.mdall require continuous physical possession + lab equipment; none is remote. - Pair two different vendors' devices in any vault you care about. The cost is one extra €30-€40 device; the upside is independence from any single silicon family's failure mode.
- NFC is worth paying for if you have a phone or tablet you also want to authenticate from. Without NFC the device is USB only.
- Pin counters are part of the security story. Every modern authenticator wipes the credential after a low number of wrong PIN attempts (typically 8). A device-without-PIN is meaningfully weaker; LUKSbox respects whatever PIN policy the device enforces.
- The hybrid-PQ keyslot is the easiest defence-in-depth to layer
on: any future side-channel cloning of one of your FIDO2 devices
alone doesn't unlock the vault, the attacker also needs the
.kyberseed file. See post-quantum keyslots.
Vendor security-advisory feeds (subscribe to these)
Hardware-key vendors publish CVE-style advisories on their own schedules. Subscribe / bookmark the right page per device you own; the headline 2024-2026 items per vendor are summarised below.
| Vendor | Where advisories live | Recent 2024-2026 highlights affecting FIDO2 use |
|---|---|---|
| Yubico | yubico.com/support/security-advisories | YSA-2024-03 (EUCLEAK, Infineon ECDSA private-key recovery on FW < 5.7.0), covered above; YSA-2024-02 (FIDO Relying Party enumeration); YSA-2025-02 (FIDO PIN/UV Auth Protocol Two out of conformance); YSA-2026-01 (DLL search path issue in libfido2 / python-fido2 / YubiKey Manager). The DLL advisory is Windows-toolchain-specific and does NOT affect LUKSbox on Windows because LUKSbox uses webauthn.dll directly on Windows, not libfido2; the libfido2 path is Linux/macOS only. |
| Nitrokey | nitrokey.com/blog (no separate advisory page; security-relevant posts live in the blog) | Nitrokey 3 firmware v1.8.1 security update (Feb 2025), PIV-smartcard issue, recommended immediate update. Does not affect FIDO2 directly. v1.8.2 (Sep 2025) added passkeys + Bitcoin curve. Subscribe to the blog feed for ongoing visibility; Nitrokey's release cadence is the practical advisory channel. |
| SoloKeys (Solo 2) | github.com/solokeys/solo2/security/advisories | No published advisories for the Solo 2 firmware as of writing. The repo has a security policy in place; private disclosure goes through GitHub Security Advisories. SoloKey is a smaller project, fewer disclosure channels, fewer audit dollars; treat the absence of advisories as "smaller deployed base + less public scrutiny," not "verified clean." |
| Google Titan | Google does not publish a dedicated Titan-specific advisory feed. The de-facto channels are the Google Security Blog for major incidents and the Google Help Center for product status. The 2021 NinjaLab "A Side Journey to Titan" attack on the original USB-A Titan was disclosed through NinjaLab, not via a Google advisory; Google did not issue a recall. v2/v3 (Feitian-manufactured, USB-C, 2021+) ship with different silicon and have no public attack disclosure as of writing. | Search the Google Security Blog if you suspect a new disclosure; assume "no news" is the current vendor stance on Titan v2/v3. |
| Trezor | trezor.io/support/firmware and blog.trezor.io | Trezor's advisories are dominated by wallet-domain issues (PSBT, transaction signing, recovery seed handling). FIDO2 is a secondary feature; less FIDO2-specific disclosure history than Yubico or Google. |
| Token2 / OnlyKey | Vendor-specific pages; smaller signal volume | Niche vendors with smaller deployed bases. The same "fewer disclosure channels, fewer audit dollars" caveat as SoloKey applies. |
Operational note for LUKSbox users: the LUKSbox project does
not re-publish vendor advisories, we don't have visibility into
silicon supply chains. We do track the upstream libfido2 library
for advisories that affect our Linux/macOS FFI link path, and we
update the bundled version on the next release after any relevant
upstream fix lands. Windows builds talk to webauthn.dll directly
and do not link libfido2, so libfido2-specific advisories
(YSA-2026-01 above) only affect the Linux/macOS surface.
Enroll a hardware key
For an existing vault:
luksbox enroll my-vault.lbx --fido2
# Touch the device when prompted (TWICE: once for makeCredential,
# once for getAssertion).
For a fresh FIDO2-only vault:
luksbox create my-vault.lbx --kind fido2
# Same two-touch enrollment + you'll be asked for a backup passphrase.
Multi-device setup
Best practice for any vault you care about:
# Day-1 setup with primary YubiKey
luksbox create my-vault.lbx --kind fido2 --fido2-device /dev/hidraw3
# Add a backup YubiKey kept in a safe deposit box
luksbox enroll my-vault.lbx --fido2 --fido2-device /dev/hidraw4
# Add an emergency passphrase as the third slot
luksbox enroll my-vault.lbx --passphrase
Use luksbox list-fido2-devices to see the path strings to use with
--fido2-device. This matters when more than one authenticator is
plugged in (otherwise libfido2 picks the first one it sees, which
might not be the one you meant).
Windows Hello
luksbox create my-vault.lbx --kind fido2 --fido2-device windows://hello
Routes through webauthn.dll. The OS prompts for your PIN /
fingerprint / face. Behaves identically to a hardware key from
LUKSbox's perspective - same hmac-secret derivation, same wrap.
Unlocking
luksbox open my-vault.lbx -m /tmp/v --fido2
# Touch your key once.
If your vault has multiple FIDO2 slots and multiple devices are
plugged in, LUKSbox tries each slot in turn until one device returns
a matching cred_id. Devices that don't have the credential return
FIDO_ERR_NO_CREDENTIALS immediately (no touch needed); the matching
device prompts for a touch.
What happens cryptographically
For the full enroll + unlock ceremony with sequence diagrams, see
docs/CRYPTO_SPEC.md Section 19
in the source repository. Short version:
enroll: (cred_id, hmac_secret) <- device (2 touches)
KEK = Argon2id("lbx:fido" || passphrase || hmac_secret, salt)
wrapped_ct, tag = AEAD_seal(KEK, MVK)
store: cred_id, hmac_salt, wrapped_ct, tag
unlock: hmac_secret <- device (1 touch, with cred_id + hmac_salt)
KEK = Argon2id(...) # same inputs as enroll
MVK = AEAD_open(KEK, wrapped_ct, tag)
The hmac_secret is deterministic - same (cred_id, salt) always returns the same 32 bytes from the same device. That's what makes the unlock reproducible without storing the secret anywhere.
Hardware-side risks (what LUKSbox can't fix)
Public security research has demonstrated physical-possession side-channel attacks that extract the secret material from specific FIDO2 silicon. These are the two most impactful published attacks:
-
NinjaLab "A Side Journey to Titan" (2021): EM side-channel against ECDSA on the NXP A700X chip used in original USB-A Google Titan keys (sold 2018-2021). 10 hours of physical access
- lab equipment recovers the long-term private key for one FIDO account, enabling device cloning. Paper | Project page
-
NinjaLab EUCLEAK (2024): Timing + EM side-channel against ECDSA in Infineon's crypto library, used by all YubiKey 5 series with firmware before 5.7.0 (sold 2017 to May 2024). A few minutes of EM measurements can extract the ECDSA private key. The same Infineon library ships in many TPMs, smart cards, and crypto hardware wallets. Project page | Plain-English summary
Practical takeaway:
| Situation | What to do |
|---|---|
| You own a YubiKey 5 with firmware < 5.7.0 | Replace it (firmware is one-time-programmable; field flash isn't possible). Yubico's YSA-2024-03 lists serial-number ranges. |
| You own an original USB-A Google Titan | Replace with a current-generation Titan or any post-2024 YubiKey 5. |
| You have a Nitrokey, SoloKey, Token2, OnlyKey, Trezor | Different silicon = different vulnerability profiles. Check that vendor's security advisories. |
| You lose a hardware key | Treat as compromise: revoke its slot + luksbox rotate-mvk, on the assumption a sufficiently-resourced finder could extract the secret over weeks. |
| You're protecting very-high-value secrets | Enroll two different vendors' devices into the same vault. Different silicon = different vulnerability profiles. Add a hybrid-PQ keyslot so a cloned FIDO2 device alone doesn't unlock anything. |
LUKSbox's threat model explicitly delegates secure-element security to the device vendor (see Threat model and CRYPTO_SPEC.md Section 19.5). There is no host-side defence against an attacker who can extract the per-credential master from a physical device. What we DO offer:
- The device's PIN counter (typically wipes after 8 wrong attempts) still protects against an attacker who has the device but not the PIN.
- Multi-keyslot vaults limit the damage of single-device compromise.
- Hybrid-PQ FIDO2 keyslots add a
.kyberseed file as a second factor that physical-possession-of-the-device alone doesn't satisfy. luksbox rotate-mvkmakes any previously-extracted MVK useless against the vault going forward.
Bottom line: a current-generation hardware key is meaningfully
better than no hardware key, and meaningfully better than a
2018-vintage one. For the full per-paper writeup + per-vendor
status matrix, see
docs/HARDWARE_SIDE_CHANNEL_NOTES.md
in the source repository.