Merry Christmas!

μKey: Your U2F Security Key Gift

Welcome! I've given you a U2F (Universal 2nd Factor) / WebAuthn security key as a Christmas gift. There's only a few of these in the world, and I made it myself just for you. It's a small physical device that makes logging in safer by adding a strong "something you have" factor.

What is a U2F Key?

A U2F security key (part of the broader FIDO/WebAuthn ecosystem) is a physical authenticator used for two-factor authentication (2FA) or passwordless sign-in. Compared to SMS codes (and often better than app-based codes), it's strong because:

• It's resistant to phishing (the key verifies the website origin)
• There's no code to copy/paste or intercept
• It requires physical presence (you must have the device)

Most modern sites call this “Security Key”, “Passkey”, “WebAuthn”, or “FIDO2”.

How to Use It

1. Open a website that supports WebAuthn / security keys (Google, GitHub, Microsoft, etc.)
2. Go to the site's Security or 2FA settings
3. Choose Add security key (sometimes under “Passkeys” or “FIDO2/WebAuthn”)
4. When prompted, plug in the key (or tap it) and touch the button
5. Keep the key somewhere safe — your account is now much harder to take over 🎉

Tip: If a site allows it, add the key as an extra factor in addition to your normal password, and keep recovery codes somewhere secure.

Security Consequences of Using a Custom Key Made by Me

Here's what it means, security-wise, that this is a custom key made by me:

• It's designed with readout protection, meaning the private key material isn't meant to be extractable (so even I couldn't read the key back out after it's created).
• A new key is generated every time a website is registered, so even if the first statement were not true, I still couldn't reuse a key for other sites.
• The key is fully offline and doesn't talk to the internet — it only responds when you physically use it during login.

For the account credentials to be compromised, the following has to happen:

• The password is leaked,
• The key gets stolen.

Since it is highly unlikely for both to happen, it gives good enough security (way better than without 2FA).

References (Learn More)

If you want to dig deeper into how security keys work and what this project is based on:

• gl-sergei/u2f-token (GitHub) — the U2F token project this is based around
• webauthn.guide — a friendly overview of WebAuthn
• FIDO Alliance: FIDO2 / WebAuthn — ecosystem overview
• W3C WebAuthn (spec) — the technical standard