Passwords are the most common authentication mechanism for private as well as professional IT services such as social media, banking or enterprise infrastructure. Unfortunately, the use of passwords leads to many security issues. Weak passwords allow for guessing or dictionary attacks, and password re-use may lead to credential stuffing, where stolen passwords are used against other services of the same users.
This is why hardware security tokens are often used as a second authentication factor to increase security. These tokens have been designed to prevent the described threats effectively by using strong cryptography and a securely stored key. Although security tokens generally help to improve authentication security, they could be manipulated at multiple points before they reach the end user. From the actual token designs going into internationally distributed production, through the supply chain, to distribution to end users, there is significant additional attack surface for malicious manipulation.
In the paper "Security and Trust in Open Source Security Tokens", we investigated the trustworthiness of security tokens. We concentrated specifically on security tokens that are marketed as open source and focused on hardware attacks in supply chain and evil maid scenarios. We performed a systematic analysis of the most important commercially available candidates. The trustworthiness of the security tokens was assessed according to a top-down methodology, which we briefly outline in the following. We uncovered several vulnerabilities for which we were able to contribute effective software-based mitigation measures to the respective open source projects. All details can be found in the paper. The vulnerabilities uncovered in hardware indicate that the respective microchips must only be used with caution when security is important for a product.