FIDO2: eWBM Goldengate Security Key G310

eWBM Goldengate Security Key G310 FIDO Certified and Level 2 (L2) Certified U2F Observations

Unpacking

Let's start with unpacking. Nice, simple plastic packaging with a little piece of cardboard and a card with a QR code inside.

Software

There's an instructions card which tells you how to download the Goldengate BioManager software from the eWBM site. The software package itself is quite large, 54.03 megabytes, and the current version of the software is 2.2.2. When I checked the file with VirusTotal I got quite many warnings. This is something I do with every download. Interestingly, the file hadn't been processed earlier, so it was a new file to be uploaded and checked. That's something which doesn't happen too often with generally available software. Windows Defender also warned me about this binary as being uncommon. Even when I started the binary in a VM, Windows Defender warned me that I should not run random software, because this isn't a common binary to run. Nothing special, just lots of generic warnings. I also always run everything I download in a VM, to keep the key systems safe and to isolate the software I'm testing. I've also got computers in several nested physical security zones.

After installing the software and running it, I found out that it is delightfully simple. It has everything required (?) and nothing extra. That is something absolutely lovely. On Windows systems you'll find the same features available via the Windows Hello Security Key management menu, so there's actually no need to install the Goldengate BioManager software at all.

Setup

I started the setup process with a factory reset of the key. After that, when registering the key for the first time, it asks for a PIN code to be associated with the Goldengate Security Key Biometric USB device. When the PIN code is set, you can enroll up to three fingerprints for activating the key. Later the PIN code might be required in some specific situations, like when modifying the fingerprints stored on the key or recovering from a situation where the fingerprint reading has failed several times in a row. The fingerprint enrollment process was really quick to perform. Something completely different from many of the cell phone fingerprint readers, which require dozens of scans. This 160x160 reader took something like 6 reads per enrollment. Of course I rolled my finger and scanned a slightly different part on every read. That's something which becomes a habit when dealing with the inferior readers on many other devices.

After this I had only one thought: how can I confirm that the enrolled fingerprints are working properly? Most similar applications offer an easy way to test the fingerprint enrollment. I was kind of expecting that to be the next step in the process. I thought that if I had the main screen of the fingerprint management open, reading a fingerprint with the reader would show me which finger was detected or indicate that the scan was a failure. But this kind of verification feature doesn't seem to be implemented. If it were implemented like that, it wouldn't require any extra buttons on the UI, leaving it extra clean. Yet there is an option to delete specific fingerprints. But there is no way to label or later detect which print is which. I do have a clear reading order and process currently. But I'm sure there are many users out there without a clear process, because it's the user's responsibility. Which makes it pretty certain that after a while it's impossible to tell which fingerprint is which. This is why a fingerprint read test feature would be a really nice way of finding out which prints are working or registered at all, and which can be deleted and re-enrolled. From the security standpoint I don't know what extra risk this feature would pose, because you'll be able to find out the registered fingerprints indirectly anyway.

Physical aspects

From the physical hardware point of view, this key is much stronger than the SoloKeys Solo Secure key. The key is also physically really compact and feels strong. But in general, I've seen people bend and destroy Abloy brass keys, which are extremely durable hardened metal. If that can be done, then there's no hope that anything made of plastic would take such abuse without getting destroyed. Same goes for the aluminum USB flash sticks which you can put on your key chain. After a while, those are so badly deformed that you can't connect them at all. We're also using MIFARE NFC keyfobs, and those do get destroyed regularly. In this sense the eWBM key is a lot better than SoloKeys, but I still wouldn't recommend binding it to the actual daily key chain which you carry around as you go.

Test use

The key setup and technical part are now done. Let's start using the key. I'm especially curious about the use cases which the Solo Secure failed with on Linux: setting up passwordless sign-in with a Microsoft Account (Office 365, Outlook, Azure, Windows 10, etc.). I did a quick test with Windows and it worked out perfectly. The next test is to repeat this with a Linux operating system. Currently it seems that the eWBM Goldengate BioManager software isn't available for Linux. Of course I could try using Wine on Linux, but I'm a bit skeptical of it working out.

Linux & Firefox & Outlook - Round 1

It started with a failure, of course. That's because the udev device rules are missing. Let's add those by creating a rule file.

Filename: 70-eWBM-access.rules in /etc/udev/rules.d, with this content:

# Notify ModemManager this device should be ignored
ACTION!="add|change|move", GOTO="mm_usb_device_blacklist_end"
SUBSYSTEM!="usb", GOTO="mm_usb_device_blacklist_end"
ENV{DEVTYPE}!="usb_device", GOTO="mm_usb_device_blacklist_end"
ATTRS{idVendor}=="311f", ATTRS{idProduct}=="4a1a", ENV{ID_MM_DEVICE_IGNORE}="1"
# The GOTO lines above jump here; without this label udev reports an error and ignores them
LABEL="mm_usb_device_blacklist_end"

# eWBM Goldengate Security Key: let the logged-in user access the hidraw node
SUBSYSTEM=="hidraw", ATTRS{idVendor}=="311f", ATTRS{idProduct}=="4a1a", TAG+="uaccess"

After that, reload the udev rules with sudo udevadm control --reload-rules, request the triggers again with sudo udevadm trigger, and re-insert the key.
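As an added example (not part of the original post), a small shell lint for a rules file like the one above, run before reloading udev: it checks that every GOTO target has a matching LABEL in the same file (udev logs an error and ignores a GOTO without one, so the guard lines stop doing anything) and that a hidraw rule grants TAG+="uaccess" for the key's vendor:product pair. The rules it checks are constructed inside the script; the idVendor/idProduct values are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: lint a udev rules file such as
# 70-eWBM-access.rules before reloading it. Two things matter for this key:
# every GOTO= target must have a matching LABEL= in the same file (udev logs an
# error and ignores a GOTO without one, so the guard lines stop doing anything),
# and a hidraw rule must grant TAG+="uaccess" for the key's vendor:product.

# Print a constructed rules file to stdout; "$1" = yes includes the LABEL line.
# The idVendor/idProduct values are the ones from the post.
sample_rules() {
    cat <<'EOF'
# Notify ModemManager this device should be ignored
ACTION!="add|change|move", GOTO="mm_usb_device_blacklist_end"
SUBSYSTEM!="usb", GOTO="mm_usb_device_blacklist_end"
ENV{DEVTYPE}!="usb_device", GOTO="mm_usb_device_blacklist_end"
ATTRS{idVendor}=="311f", ATTRS{idProduct}=="4a1a", ENV{ID_MM_DEVICE_IGNORE}="1"
EOF
    [ "$1" = yes ] && echo 'LABEL="mm_usb_device_blacklist_end"'
    echo '# eWBM Goldengate Security Key'
    echo 'SUBSYSTEM=="hidraw", ATTRS{idVendor}=="311f", ATTRS{idProduct}=="4a1a", TAG+="uaccess"'
}

# check_udev_rules FILE VENDOR PRODUCT: returns 0 if both checks pass, 1 otherwise.
check_udev_rules() {
    file=$1 vendor=$2 product=$3 status=0
    # Every GOTO target must be defined as a LABEL in the same file.
    for target in $(sed -n 's/.*GOTO="\([^"]*\)".*/\1/p' "$file" | sort -u); do
        grep -q "LABEL=\"$target\"" "$file" ||
            { echo "GOTO=\"$target\" has no matching LABEL in $file"; status=1; }
    done
    # The hidraw node needs the uaccess tag so the logged-in user's browser can open it.
    hidraw='SUBSYSTEM=="hidraw".*ATTRS[{]idVendor[}]=="'"$vendor"'".*'
    hidraw="$hidraw"'ATTRS[{]idProduct[}]=="'"$product"'".*TAG[+]="uaccess"'
    grep -Eq "$hidraw" "$file" ||
        { echo "no hidraw uaccess rule for $vendor:$product in $file"; status=1; }
    return "$status"
}

# Demo on the constructed samples; the real file lives in /etc/udev/rules.d.
demo_dir=$(mktemp -d)
sample_rules yes > "$demo_dir/with-label.rules"
sample_rules no > "$demo_dir/missing-label.rules"
check_udev_rules "$demo_dir/with-label.rules" 311f 4a1a && echo "with-label.rules: OK"
check_udev_rules "$demo_dir/missing-label.rules" 311f 4a1a || echo "missing-label.rules: problem found"
rm -r "$demo_dir"
```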

Firefox & Linux & Outlook - Round 2

Everything is now working perfectly with Ubuntu (Linux) as well, except the passwordless login feature, which seems to require something that is missing from my current Linux environment. But I'm sure that will get fixed in the future too. After reading several posts about this topic, it seems to be a common issue with FIDO2 keys and Linux for now. The PIN entry part is probably handled by the operating system instead of the web browser, and that's the part which doesn't currently work. But it is a software issue, not a problem with the key itself.

Fingerprint reader tests

I also tested the fingerprint reader with several fingers and different persons, and it seemed to work extremely well. Basically zero failed reads. Of course, fooling fingerprint readers is completely its own story and there are many means. But let's take as an example usage at home with the family or at the office with colleagues: the fingerprint reading prevents, with high probability, other users from abusing the key, even if they have physical access to it. Which is quite important if the passwordless login feature is being used.

If the fingerprint reading fails several times in a row, the device PIN is required for reset. That's a nice security feature, and it makes it possible to log in without providing the PIN, by just using a fingerprint, as long as everything goes smoothly. I have to mention that the print reader is a really good one. I didn't encounter failed reads except when intentionally testing for that situation. This reader is way better than most of the fingerprint readers out there.

Related remarks and links

Ref: eWBM, Goldengate Security Key G310 Product Info Page. The key utilizes the eWBM MS500 chip, with all the modern basics: AES, SHA, HMAC, ECC, RSA, etc.

Some related articles: Logging into Microsoft Account using a FIDO2 security key. As expected, Windows Hello worked perfectly when using a Microsoft Account with the computer.

Final summary

I really wish that more services would support the FIDO2 standard, because the design and usability are totally awesome compared to other solutions like SMS, TOTP, HOTP, RSA tokens, email login confirmation codes / links, etc. I also thought that I would just store the authenticator as a backup option in a safe place. But due to the vastly superior user experience, there's no way I'm going back to TOTP or SMS 2FA. Yes, I of course used the key as a U2F authenticator for my Google Account to post this blog post.

My previous post about FIDO2 and U2F when using SoloKeys Solo Secure.

Random remark: It seems that eWBM also has LoRa modules; that's interesting.

2019-09-01