I'm also not a fan of PassKeys⁰. It feels weird to me that my computer is the password. I get the theoretical way it works - but it rubs me up the wrong way.

So, Yubikeys? I find them an annoyance. I never have my keys to hand - which sort of defeats the purpose of them.

A little while ago, I wondered "Where are the U2F Rings?" If I could have a wearable MFA token, that would solve many of my issues¹.

Enter the Cybernetic Z1 Encrypter Ring. It is a US$300 zirconia ring with a built-in range of JavaCard-based NFC apps - including the ability to unlock your Tesla². It is powered by the VivoKey Apex chip (NXP JCOP 4 P71) which provides all the security and functionality. Your money also gets you an NFC reader/writer which connects to your computer via USB. The team have sent me a demo version of the ring to review on the proviso that I give them feedback.

Demo

Here's a quick video showing how it works:

The Good

It works! Seriously, in a world of vapourware and vaguely-worded Kickstarters, it is refreshing to have a product which actually delivers. I was able to enrol it on my BitWarden account and then use it to log in - all via my Android phone. Similarly, I tested it working with Amazon, BitWarden, CodeBerg, Discord, Gandi, GitLab, GoDaddy, Google, PorkBun, Proton, WordPress and a few others.

It's a good looking, plainly designed, unibody ring. It is waterproof and survived the daily abuse I give my hands. It was washed with soap and blasted with a hand-dryer and it kept on chugging. No need to recharge it either - NFC runs off the power of radio waves like magic.

It is completely smooth, no built in scanners or LEDs or power-ports. The antenna appears to be all the way around the ring - so you can use either side of your finger on a scanner.

There is an Android app which you can use to send information to the ring. That's designed for being able to share contact details and has a generous 4KB of storage³.

But, the nice thing is, you don't need the app! By default the ring will work as a FIDO2 token suitable for logging in to a variety of services.

The code on the Ring is (somewhat) Open Source. You can write your own JavaCard applets and load them on to the ring.

The Bad

It works well... until it doesn't. Mostly this is a criticism of FIDO2. I initially was unable to use the ring with GitHub: I tried both Firefox and Chrome but got the same error. Similarly, CoinBase wouldn't register the key and didn't tell me why.

I contacted the Ring's manufacturer and they sent me details of a firmware update which claimed to fixed the issue.

Google worked - but gave me this rather weird default name and icon: I was able to rename it, but the icon can't be changed.

Amazon had the same issue, but with no way to rename.

Both LinkedIn and WhatsApp would only let me create a phone-based PassKey. They didn't give me a prompt to scan my NFC ring.

NFC only is also a bit of a limitation. Until every laptop comes with built-in NFC, you'll need to use a dongle / reader if you want to use the ring. For a phone or tablet with NFC, you're fine. Well, as long as you know where your phone's NFC reader is!

The Android app isn't open source, which feels like a bit of a missed opportunity. It is pretty bare-bones, only providing the ability to add contact details and see how much free storage and RAM there is. In the future, the app promises to offer "Smart PGP" and a few other services.

The contact card stuff is a bit underwhelming. Rather than embed a VCARD, it takes users to a separate website which has your contact details on it.

Weirdly, it zips the content of your contact details and uses them to populate the website with data. Because there's only a limited amount of space available, contact images end up very pixellated. The website also uses external JavaScript without using SRI - which isn't what I'd expect from a security focussed company.

If you use a 3rd party NFC app, you can change the NDEF share to be any URl you want. I think that's probably a sensible thing to do.

Obviously, $300 is a chunk of change. You can buy a basic U2F USB/NFC key for £20 - £50. So, with this, you're paying a higher price for a small-run product with a niche form-factor.

The Ugly?

Do you want to wear jewellery? The Z1 is plain black and unobtrusive - unlike the garish designs of some fashion rings - but perhaps a few different styles and colours would be nice?

I already wear a wedding ring, so having another to wear wasn't too much of an adjustment. The ring comes in a number of US ring sizes, so you may need to compensate if you're used to a different sizing system. However, it is a bit of a chunky beast. You will certainly notice it while wearing it.

Would an attacker rip it off your finger or even chop your finger off? It is a niche risk - but if you're using this to digitally safeguard your billions of crypto-riches, worth thinking about.

Updates

The Z1 Encrypter runs JavaCard applets so, in theory, you can load any compatible app onto it. By default, it runs Bryan Jacobs' FIDO2Applet. It recently received an update which should make it work with GitHub.

To install or update apps, you'll need the Fidesmo Android app or iOS app.

WARNING! Before installing a new app, you have to destroy the old one. This will wipe all your previous registrations.

However, I just couldn't get this to work. I tried using the Fidesmo app to uninstall the Tesla applet - but it failed.

Despite it asking me to uninstall again, there was no option to do so.

I find it a bit weird that the Ring relies on a 3rd party app to do this. I'd much rather see it built into the same app which controls the ring.

Security

By default, the ring has no password set on its internal memory. That means you can write whatever content you want to the NDEF share. Of course, this means someone sat next to you can also change your saved URl! If you use the Fidesmo app, you can lock the contents of the share. Once locked it cannot be overwritten unless you destroy the applet.

So I was able to change the default URl to one I controlled, and I was able to lock it.

But anyone with the Fidesmo app can delete any applet on your ring. Simply open the app, tap the phone against the ring to read the data, select the app you want to delete, and hold the phone against the ring for a few seconds.

It isn't unobtrusive. You'd probably notice someone clutching your hand for a several seconds. But you probably wouldn't notice if you were asleep.

The only damage is rendering your PassKey inoperable. So you would have to revert back to using a different 2FA method. An attacker couldn't steal your data, but they could provide a denial of service attack on you.

It would be great if the ring came with a password. However, there is the risk that if you lost your own password, you'd be unable to write data to it.

I am unqualified to audit the hardware security. If an attacker had physical access to the Ring, could they crack it open and extract the keys from hardware? I don't know.

Linux Support & Open Source

The Cybernetic website says the Z1 supports "iOS, Android, Windows. MacOS coming June 2024." But how well does it work with Linux?

There are several open source tools repositories available from VivoKey - although none specifically related to the ring.

I took a look at a bunch of compatible readers and got the ACR1252u-MF (full review later). There are a couple of Linux utilities which claim to work as NFC U2F readers - but the only one I could get working was Bryan Jacob's FIDO2 HID Bridge. Installing was a bit of a faff (yay various Python incompatibilities) and using it means invoking an obscure command on the terminal. But... it worked!

I registered the ring on a service using my Android device, then I was able to sign in to the same service using Firefox on Linux!

Even better - I was finally able to register the ring with GitHub! And, once I'd registered it using Linux, I could sign on with Android. HASHTAG INTEROPERABILITY!

The Broken

And then I kinda broke it. Somehow, the Fidesmo app ended up locking the entire card. Everything still worked - both NDEF and WebAuthN - but I couldn't update the firmware or applets. On the one hand, no one can wipe my OS! But on the other, I can't load new software or fix any bugs.

NFC is fragile technology. Send the wrong obscure command to the device and it will behave unpredictably.

Final Verdict

For a certain type of nerd, this is awesome. It doesn't have aggressive "geek-chic" branding - it just quietly lets you augment your body with a useful bit of tech. Now I don't need to search for my key-ring every time I want to log into a secure service.

The flaws with this product are mostly to do with the ecosystem. Mostly.

U2F / FIDO2 / Whatever is pretty nifty technology. When it works, it is just like magic. Wave your hand near your phone and you are authenticated.

When it doesn't work, you might get stuck in a loop trying to work out why things are going wrong. It's terrifyingly easy to accidentally break something.

FIDO2 is still a pain. Do you know the difference between CTAP1 and U2F, or how they relate to WebAuthn? Does your favourite service support 2FA at all? Are you happy running a Python script on the CLI if you want to log in?

But that's not the ring's fault. It is early days for the tech and there are teething troubles.

The built-in contact-card portion of the ring is a bit daft. Pointing users to a 3rd party site doesn't seem like the right call for the type of people who'll buy this. I'm glad it could be pointed to a site that I control - albeit by using a different app to write the data.

I got used to wearing the ring after a few days, and it was the exact size that I requested. Although it is chunky, it is a subtle piece of jewellery and unlikely to draw unwanted attention. There are no LEDs or batteries to worry about.

Despite the teething issues and the price, I'm rather keen on this. Waving my hand next to my phone to exchange cryptographic information makes me feel part-way to being a cyborg-wizard. Is this the future of wearable technology? I don't know - but it is rather fun. I'm happy to be an early-adopter and to bash out the bugs in the tech.

If you want, VivoKey will also sell you an NFC Implant which you can inject under your skin and use as an MFA token. Personally, I think I'll stick with the ring!

You can buy the ring directly from Cybernetic.

1. Get two YubiKeys
2. Associate them both with your accounts
3. Keep one off-site in a safe location

OK, done! My wife and I spend a very boring evening going through every single account we have which supports FIDO tokens with WebAuthN - about a dozen in total. We manually paired two keys each. We put our main key on our keyrings, then drove out to the woods and buried our spares in a a waterproof box in a top secret location⁰.

But what if I lost my keys?

Perhaps I could have been pickpocketed or just been careless and dropped them when getting my wallet out. Either way, I can buy new eurocylinders for my home's doors, replace the padlock on my shed, and grovel to work for a new locker key.

And then, of course, I would have to dig up my backup key and start the painful process of revoking the old one. But here's the snag...

I have no idea which services I've associated my WebAuthN token with!

Firstly, there is staggeringly little chance that the person who found / took my keys would also know my username and password for various services. But we use MFA because we're paranoid, right? So it makes sense to invalidate the lost token to prevent even the slimmest chance of it being used against me.

Secondly, obviously I know some of the major services that I associated the token with - Facebook, Google, and the Russian crypto exchange where I keep all my money¹. But what about the rest? Should I have made a list of each service I used? Should I have recorded it in my password manager?

Apparently a YubiKey can only hold 25 FIDO2 tokens, but unlimited FIDO U2F tokens. I'll be honest, I've no idea how many I have. And I don't think there's any way to query my key to see which services it was registered to.

It is probably a good thing that there's no big button which would universally revoke a key. That would be an extremely tempting target for abuse.

But I wish there were an easy way for a user to see where they had used their token. As it stands today, that's impossible.