Mullvad is a Sweden-based open source commercial VPN service provider founded in 2009. Now, after years of working in software services, Mullvad is also getting into hardware security. At the recent Open Source Firmware Conference (Open Source Firmware Conference), Mullvad showed a new USB security key – Tillitis Key.

According to the official introduction, Tillitis Key can be used for purposes such as logging in to computers and websites or performing digital signatures. Functionally, the Tillitis Key shares many similarities with Fido2 solutions such as Yubikey, but it also has a very unique side.

First of all, Tillitis Key is completely open source, including its software and hardware, and of course its PCB design. Because of this, it is also more trustworthy, while other security keys on the market usually use closed-source hardware.

Second, Tillitis Key uses a “measured boot” system that measures security applications when the application is loaded on the device. The measurements are combined with the Unique Device Key (UDS) to derive the application’s key.

The purpose of this is that if the application is modified, the resulting key will also change. Conversely, if the resulting key is the same as the last time the app was loaded on the same device, it can be trusted that the app has not been modified. It’s worth noting that the Tillitis Key will continue to work if the app gets an update, but it also depends on how the app developer enabled code signing.

For more detailed information, check out Tillitis Key’s Github repository, including PCB schematics, source code, and more.