FEITIAN ePass K9 USB Security Key - Two Factor Authenticator - USB-A with NFC, FIDO U2F + FIDO2 - Help Prevent Account Takeovers with Multi-Factor Authentication
Item Dimensions (L x W x H): 1.73 x 0.83 x 0.12 inches
About this item
- FIDO2 + FIDO U2F certified security key
- Secured by NXP semiconductors
- Works in every browser without installing any drivers
- Supports desktops and laptops via USB-A, and supports Android Phones via NFC
- Helps protect your accounts from phishing and other cyber-attacks
Feitian ePass K9 is a FIDO Alliance certified U2F security key. It is now also FIDO2 certified. Unlike traditional second-factor authenticators, FIDO U2F provides a more convenient and safer solution that can replace and/or supplement traditional passwords. Each FIDO device is able to store multiple key pairs. Feitian ePass K9 embeds an NFC module in its key-like compact body. Users are able to use the Feitian ePass K9 for registration and authentication with computers, laptops, and tablets. Users are also able to use the ePass K9's NFC feature for registration and authentication with their mobile phones and other NFC-compatible devices. The Feitian ePass K9 is a good match for those who want both security and convenience in one product.
The Feitian ePass K9 security key is very easy to register and use with your favorite web-applications, web-services and programs. Just register the security key with your account inside the account settings, and press the security key button or place it next to your device when prompted during the account log-in process.
Top reviews from the United States
To test whether the device you have has the vulnerability, use the OtpTool.exe tool from the Feitian website and attempt to change the drive mode to any other mode (E.g. U2F to U2F+CCID). If the request fails and the indicator on the device is blinking (requiring a button push to confirm the change) the device is not vulnerable and may be safely left in the computer USB port at any time. If the drive changes mode and the LED does not flash, the device is vulnerable and should only be connected to the computer USB port while authenticating with a website and should be removed after.
The gist of the vulnerability is that an affected device can be triggered to change modes, register, or authenticate without the required test of user presence. Removing the drive from the computer when not in use for authentication protects against this issue on affected devices.
My original post follows below:
I have bought this device, but found a security vulnerability everyone should know.
The OtpTool.exe from Feitian's website has the ability to reconfigure this device to support CCID. It enumerates as a Smart Card reader and can be connected with the PC/SC interface. The version of the firmware on the device is reported as 3119 by OtpTool.exe.
When connected with Alain Pannetrat's CardPeek, I was able to send raw commands (See "FIDO U2F Raw Message Formats" on the FIDO Alliance website) to the device on AID #A000000647. This isn't the vulnerability unto itself.
The vulnerability is that in that interface, the device does NOT respect the U2F_AUTHENTICATE parameter 0x03 ("enforce-user-presence-and-sign"). It acts like parameter 0x08 ("dont-enforce-user-presence-and-sign") (which, if called explicitly, it does not respect). It signs the message right away without blinking the LED or waiting for the user to touch the button.
I believe the interface it is exposing over CCID is actually the one it presents over NFC. This interface doesn't enforce because the act of touching the device to the NFC reader constitutes user presence.
The safest workaround is to remove the device from the USB port when it does not need to be signing a message. It is possible the vendor could fix this, but I believe the firmware is non-upgradeable by design.
The reason this is a security vulnerability is because a malicious program could place the device into U2F+CCID mode quietly over the HID interface then silently perform U2F_AUTHENTICATE operations on demand without user confirmation. It would be possible to identify the device that registered with a given website by using the U2F_AUTHENTICATE 0x07 ("check-only") messages if, say, a botnet checked all of these devices present on the USB ports of its hosts. This would nullify the benefit of having 2FA, as indeed the attacker would have access to the device on demand if it remains in the USB port.
That said, the device so far has otherwise performed as a security key with both Android (Must install Google Authenticator to bridge from Chrome to the device) and on Windows and Mac. Just ensure you REMOVE the device from the USB port when it isn't needed. I must also state, that having 2FA on your accounts is highly desirable. Even with this vulnerability, if the device is treated with care knowing this issue, the security factor is certainly an improvement over SMS or security question "2FA".
As this is my first experience with a FIDO U2F device, I cannot speak to the security of any other such device, including others from Feitian. The FIDO U2F standard itself seems reasonably secure if there are not compliance lapses such as this.
Update: I have contacted Feitian about this issue, and they have confirmed it is present. While prudent removal of the device when not in use will completely protect against this issue, they mentioned they have changed this in later firmware. I will request this from them and update my review accordingly after a re-test. They were quite responsive.
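The user-presence enforcement the review describes has a counterpart on the relying-party side: the first byte of a U2F authentication response carries the user-presence flag, and the server is expected to reject a response in which it is clear and to require the counter to advance. The Python below is an added example (not Feitian's code and not from the review) that parses a response per the FIDO "U2F Raw Message Formats" and applies those checks; the sample responses are constructed, and the page does not say what the affected device places in that byte.

```python
import hashlib
import struct

UP_BIT = 0x01       # bit 0 of the user-presence byte: token verified user presence
UP_RESERVED = 0xFE  # bits 1-7 are reserved by the spec and must be zero


class U2FResponseError(ValueError):
    pass


def parse_authentication_response(resp: bytes):
    """Split a raw U2F authentication response into (UP byte, counter, DER sig).
    Layout: 1 user-presence byte, 4-byte big-endian counter, DER ECDSA signature.
    A clear UP bit is exactly what control byte 0x03 is meant to rule out.
    """
    if len(resp) < 7:
        raise U2FResponseError("response too short")
    up, (counter,) = resp[0], struct.unpack(">I", resp[1:5])
    sig = resp[5:]
    if not up & UP_BIT:
        raise U2FResponseError("token did not assert user presence")
    if up & UP_RESERVED:
        raise U2FResponseError("reserved user-presence bits are set")
    if sig[0] != 0x30 or sig[1] != len(sig) - 2:  # DER SEQUENCE sanity check
        raise U2FResponseError("signature is not a well-formed DER SEQUENCE")
    return up, counter, sig


def signed_data(app_id: str, client_data: bytes, up: int, counter: int) -> bytes:
    """Bytes the token signed: appParam || UP byte || counter || challengeParam.
    Pass these with the DER signature to an ECDSA P-256 verifier (not shown)."""
    app_param = hashlib.sha256(app_id.encode()).digest()
    challenge_param = hashlib.sha256(client_data).digest()
    return app_param + bytes([up]) + struct.pack(">I", counter) + challenge_param


def accepts(resp: bytes, stored_counter: int) -> bool:
    """True only if user presence is asserted and the counter moved forward."""
    try:
        _, counter, _ = parse_authentication_response(resp)
    except U2FResponseError:
        return False
    return counter > stored_counter  # replayed or cloned-token responses fail here


# Constructed sample responses (not captured from a real token): counter 42 and a
# 4-byte dummy DER body standing in for a real signature.
SAMPLE_OK = bytes([0x01]) + struct.pack(">I", 42) + bytes([0x30, 0x02, 0x02, 0x00])
SAMPLE_NO_UP = bytes([0x00]) + SAMPLE_OK[1:]
```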
I bought this key because I wanted an NFC-capable FIDO-UDF security key. I actually wanted to buy the Google Titan Security key but two things: 1. it's not presently available to the public, and 2. a teardown by Marko Vuksanovic on Medium titled "Unwrapping Google Titan Key" revealed it is actually built by Feitian and likely a rebranding of the Feitian ePass FIDO-NFC key here. I decided to purchase the Feitian ePass FIDO-NFC and the Yubico YubiKey NEO to compare them.
The good news is this key does everything it says on the tin for about a third of the price of the Yubico YubiKey NEO (which has more capabilities but none of which I needed). So far it works great, including the NFC. I had no problem using it to sign in on my MacBook Pro (no external drivers required) or my OnePlus 6 smartphone.
The biggest complaint I have with this key is the total lack of tamper-proof packaging. I've included a photo to show you, my lovely fellow customer, what I mean. The Yubico YubiKey NEO (left in the photo) came in two layers of tamper-proof plastic packaging. That doesn't mean someone can't compromise the key between Yubico's packaging center and your hands, but it means that it will be evident to you, should that have happened.
Contrast this with the cardboard packaging of the ePass NFC (right in the photo). It took no substantial effort to open the cardboard packaging. You don't even have to be particularly gentle about opening the cardboard. I have opened it, pulled the key out, and re-packaged the key in it multiple times and there is no evidence that I have even opened it. When this was delivered, it sat on my doorstep for hours. Thankfully my package showed no signs of tampering, but I still can't rule out it being tampered with in the Amazon warehouse.
I don't have any reason to suspect I am a target for such a difficult interception. Still, security is the point of purchasing a physical key like this. I would have easily given the ePass FIDO-NFC five stars for the value if it came in packaging like the YubiKey NEO. Instead I wavered between giving this one star ("This is an affront to the very word 'security'!") and four stars ("It's a bummer about the packaging, but it's great bang for the buck!"). I compromised on two stars. Yes, this key is very affordable, but are you willing to put that affordability ahead of assurance? I feel like this is more than a minor detail to overlook, especially from a security company.
If you're protecting critical infrastructure from being hacked, if you're part of an underground cell bent on defeating Evil Corp, if you've recently been labeled as an enemy of the state by an unchecked despot, or if otherwise your job or life depends on your security habits and hygiene, DO NOT BUY the ePass FIDO-NFC key until Feitian provides tamper-proof packaging! Either get the YubiKey NEO now or wait for the Google Titan Security Key and buy that (packaged in hard vacuum-sealed plastic, like your favorite action hero or doll from childhood).
If you're otherwise an everyday Jane or Joe, this will do the trick at a VERY reasonable price, but you'll have to decide if your peace of mind is worth the $35 price difference compared to the YubiKey NEO, or the instant gratification compared to waiting on the Google Titan Security Key to get released for purchase in the Google Store.
Oh yeah, and the best part, it has NFC! So far this doesn't work on iThings (I hear Apple locks down the NFC chip), but it works great on Android!
Good enough that I'm thinking of buying a couple more for family and friends. Wish they offered them in other colors!
Top reviews from other countries
Most important for me is that the key doesn't work over USB 3, meaning that on modern computers without USB 2 ports, the key is useless.
Additionally, thanks to the key's slim design, the ePass doesn't always make a solid connection, so I have to jiggle/replug it to get it to work, and about 50% of the time it just won't.
When it does work, however, the authentication process is very easy - just requiring a tap of the metal pad on the key.
For NFC authentication the key works without issue (when paired with the Google authenticator app). It's a shame that most apps don't support this though.
Overall, if you're looking to dabble with multi factor authentication but don't want to spend £45 on a YubiKey without knowing how it'll work and on which services, then I'd recommend this key. However, if you're looking for a long-term, reliable authentication method - I would not recommend the ePass.
As others have mentioned, the construction is slightly cheaper than a yubikey 4, but it's perfectly fine and should survive on a keyring.
Could not get the NFC to work with my phone either.
On Android, I haven't found a single site that uses the NFC feature. So, so far, I have not been able to test that it actually works.