Skip to content
Abusing U2F to 'store' a stable secret
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Key 'storage' by abusing U2F devices

This is a proof of concept for abusing U2F devices and the cryptography they use to derive a stable secret.

If you're brave or reckless, you could use this technique to derive keys to encrypt your disk, or password database, or SSH keys.

See for the background.


You need python-u2flib-host first:

Then run python enroll to set things up. This will print the key value and store state to data.json in the working directory.

Next, run python auth to get the key value back.



You can’t perform that action at this time.