Bonum Certa Men Certa

A FIDO/FIDO2 False Sense of Security for Premium Prices

Military-grade nonsense that is proprietary and untrustworthy (monopolised by the likes of Google and Microsoft)

Manifestation against missileSummary: From the attack on software freedom (including Richard Stallman and other leaders/luminaries) we've seen a shift to attacks on privacy itself, e.g. auditable encryption; today we discuss the troubling developments in the FIDO/FIDO2 space

THE ESSENCE of Free/libre software is control, liberty, autonomy, independence, security, decentralisation and sometimes privacy too. Those are all just words that convey concepts in English. It's better understood in the absence of those things (when one lacks or loses freedom). As RMS puts it, to paraphrase a bit, either the user controls the program or the program is an instrument by which some corporation (or government) controls the user. It's really that simple. To alleviate that unjust leverage of power (developers or developers' employer) over computer users we need freedom-respecting software that is audited by many and forked if mischief occurs. This helps ensure that the public interest is prioritised, not the bottom line of some business/es. That does not mean that no business can exist; many businesses are based around distributing and supporting Free software. Perfectly moral and ethical business practices are compatible with the Four Freedoms.



"Earlier this year there was a major incident, which saw millions of rogue certificates being issued by Let’s Encrypt..."With all that in mind, we've grown cynical if not deeply concerned about the Linux Foundation. The institution itself is a misnomer (it promotes operating systems other than Linux), its biggest players (leadership) are monopolistic proprietary software companies, it advocates mass surveillance, and it works for Microsoft (which in turn works to undermine Linux).

Earlier this year there was a major incident, which saw millions of rogue certificates being issued by Let’s Encrypt, which is connected to the Linux Foundation and hosted/coded on Microsoft servers. These certificates were later revoked, but there was no transparency about what had happened. Can we trust one CA to manage so many certificates? Look at its backers and sponsors. These certificates aren't free; if they seem to be free, it's because someone foots the bill to gain something, such as the US government receiving back door access to undermine encryption (by access to private keys or similar). They're already done that even inside Switzerland, covertly of course! So do we trust Let’s Encrypt? Not really, even less so after that incident. There was never clarity and now even an explanation of what was done, who the culprit was and so on.

But this article isn't about Let’s Encrypt. It's about FIDO2. The patterns may be similar, at least some salient points. "I don't know if you've been keeping up with the developments in hardware security tokens," one reader told us this week, "but I have been very alarmed with the developments that are happening with regards to FIDO2. I feel like this is another attempt to stomp out competition just like TLS CAs did before Let's Encrypt was a thing."

"We use GnuPG a great deal here in Techrights. Most of our messages are encrypted."The reader is a bit of an expert in that domain. Also remember how the founder of Ubuntu originally amassed his wealth. "Right now," the reader noted, "companies that make products like Yubikey and Titan Security Key are selling obscenely overpriced hardware just because it has a "FIDO2 Certified" logo on it. I feel like hardware security tokens are going to end up in the same situation that happened with TLS CAs where a few bodies monopolise the system and dictate who gets to be a "trusted provider". A FIDO2 certification costs about $6500 USD, last time I checked. As someone that uses GnuPG and its open ecosystem of hardware, it pains me to see the monopolisation and profiteering that's happening around the security space."

We use GnuPG a great deal here in Techrights. Most of our messages are encrypted.

"I hope you can share this message with the right people," our reader appealed, "to combat the monopolisation and anti-competitive attempts by organisations like FIDO Alliance. There's nothing open about the FIDO Alliance. The firmware for most of those devices are closed-source and the only reason people are duped into buying them is because of the "FIDO2 Certified" seal on those products. I feel like this is a turning point in cybersecurity history and we need to kill this attempt at monopolisation before we end up with the tragedy that happened with TLS CAs."

"A mechanism for trust among parties, e.g. encryption, is crucial in a free and democratic society."How many billions of dollars were washed down the drain because of these? And we ended up with "trusted" CAs that are mostly in bed with the world's biggest spying operation. Which means they might be worse than useless...

"We decide who to trust with our OpenPGP certificates," our reader noted. "We don't let other bodies make that decision for us. Let's work together to make sure we nip this FIDO nonsense in the bud. We've got the platforms and people. The WebAuthn W3C steering members are stuffed with Google, Microsoft, and (surprise) Yubico people. I'm almost certain that they're using embedded cryptography MCUs in their closed proprietary products and then making a eye-watering profit margin."

Notice that their stuff is controlled partly by Microsoft and the NSA (in GitHub). So they clearly do not value or grasp basic security.

Our reader noted: "The OpenSK project on GitHub (by Google, I believe) uses an overpriced board and there's a nice disclaimer at the bottom that OpenSK is not FIDO certified (this is blatant FUD). They aren't even using the embedded crypto MCUs on the Nordic chip. They have gone with the excuse that their software-driven crypto is "research quality" code. OpenSK is a blatant attempt to spread FUD about uncertified FIDO hardware. Yubico are in on it as well.

"We might be the first site to touch this subject, but there's more on the way for sure.""Nitrokey has a FIDO2 product and I think it's uncertified by the looks of things. I know Nitrokey people are very closely linked to GnuPG devs because I've been around GnuPG dev a lot recently. I'm pretty sure the folks at Nitrokey see the dangers of monopolisation but they're keeping it quiet (probably in fear of the media pull Google et al have). I would also prefer remaining anonymous, thanks for allowing that..."

A mechanism for trust among parties, e.g. encryption, is crucial in a free and democratic society. Those who undermine the encryption basically maintain keys to the castle. They've long attempted to put back doors (or back door access, e.g. via third parties) to everything. Sometimes the media describes that as "weakening" encryption, but that actually means breaking; weak means broken.

We might be the first site to touch this subject, but there's more on the way for sure. "Wanted you to be the first to throw a punch though," our reader noted, "because people in the community trust you on these things."

But there's lots more on the way. Stay tuned.

Recent Techrights' Posts

Get Ready for Increase in PIPs and RAs at IBM, Red Hat, and Other Companies Devoured by IBM
IBM's "market cap" has just fallen to 199 billion dollars and it has about 70 billion dollars in debt
Like Kyndryl, Multiple Securities Fraud Investigations Into IBM
Remember what happened to Kyndryl
Who Next After IBM? (Bubbles Don't Last Forever)
the demise of companies with "ai" in their name/domain
GNU/Linux Estimated at 8% "Market Share" Today (in statCounter)
Days ago it said 7.1%, then 7.3% or 7.4%
 
Links 16/07/2026: Solar Greenwashing by Energy-Wasting GAFAM and Growing Concerns About Harm by Social Control Media
Links for the day
Gemini Links 16/07/2026: Photography, Agility, and "Today I have Truly Become a Linux User."
Links for the day
Rebellion Brewing at Microsoft
As always, we welcome Microsoft whistleblowers
Technology Against Human Nature
Losing a sense of what it means to be alive
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, July 15, 2026
IRC logs for Wednesday, July 15, 2026
IBM Down to $211.20, the Market in General is Up
No recovery for IBM today
UEFI 'Secure Boot' Still Not Secure in 2026, New Holes (or Bypasses) Still Being Found
In 2026 there are still many people who call it "secure" and pretend to themselves that it is about security. It's not. It never was.
Gemini Links 15/07/2026: Lab 6, Retrospective 2, and "Getting Back Into Gemini"
Links for the day
Links 15/07/2026: "Gianni Infantino Under Fire" and "Todd Blanche's Record Raises Alarming Questions About the Future of the US DOJ"
Links for the day
Allegedly More IBM RAs (Mass Layoffs) Same Day the Stock Crashed
No paper trail, so it never happened, right?
Techrights Was Right: Microsoft's Layoffs Tally Was False, Far More People Are Being Sacked
"The Xbox Bloodbath Is Actually Way Bigger Than It Seems"
IBM Sinking to Lowest Levels Since 2024, But Will Any Executives Be Arrested for Securities Fraud?
52-week high of $332.46 and now down to $212.94
Microsoft Whistleblowers Say "The Entire Thing is Going to Fall Apart" and There Are "No Benefits" to Being Part of Microsoft
"Multiple sources, who chose to remain anonymous for fear of reprisal"
IBM's Crash Continues Today
Stocks go up and down, but they don't typically go down by over 25% in a single day
How Long Before GNU/Linux is Measured at 20% in Chad?
The main way to get people to adopt Vista 11 is to sell them a new PCs and in poor countries it happens a lot less
Making Techrights Faster Down Under (Australia and New Zealand)
there's more to life than speed
Strikes at the EPO Approved for the Rest of the Year, "€1,3 Billion Taken From Staff Income"
Intensity can be revised and increased over time
Focusing on What We Really Ought to Focus on
Today we'll focus mostly on EPO affairs
Violence is Not a Joke
"Police say Widdecombe killing was targeted but motive remains unclear"
How to Properly Measure the Performance of a Patent Office
A "contribution from staff [which] is published by SUEPO Munich."
EPO "Cocaine Communication Manager" - Part XIV - "Not One of Us" (How the Group Dubbed by EPO Insiders "Alicante Mafia" Pushes Out Talent, Replacing It With Friends)
misuses the EPO's budget like it is a fountain of money for his friends
LibreTech Collective Abandons Microsoft GitHub and All Other Proprietary Software
Each time a project eliminates control by a hostile party it stands to gain
Links 15/07/2026: US Regime "Cuts Two Utah National Monuments by More Than 90%", "Hormuz is Less Crucial Than It Was"
Links for the day
Gemini Links 15/07/2026: Old Computer Challenge, "Trial by Fire", LLM Slop Destroying Companies
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, July 14, 2026
IRC logs for Tuesday, July 14, 2026
Heshan de Silva-Weeramuni Becomes Program Manager at the Free Software Foundation (FSF)
Heshan's addition means that the FSF is growing after a solid financial year (best in years)
Michael McMahon Explains Distributed Denial of Service (DDoS) Attacks on the Free Software Foundation (FSF)
The real solution is a curb on botnets. A mitigation strategy, however, would involve going static.
Matters of Public Safety
"Police say Ann Widdecombe killed in 'targeted attack' as motive investigated"
The Register MS and Its Promotional Microsoft Content
It's not too hard to see what the business model of The Register MS is
IBM: From $306 to $212 in 7 Days, IBM Won't Go Up More Than 50% to Where It Was at 'Peak Vapourware'
There's a limit to how much or how long a company can fake its performance and its potential [...] Early this morning a few insiders ("traders") cashed in on their "pump-n-dump"
Red Hat Staff Needs to Start Looking for the Next Job
Workers can conveniently lie or deny it to themselves, but waves of PIPs ("silent layoffs") will sweep over more and more units or teams as the company runs out of money to play with
IBM the Next Bear Stearns
IBM cannot recover if all it has to show is vapourware
IBM Stock Collapses and It's Only the Beginning
Will GAFAM soon follow and will any executives be arrested for the accounting fraud insiders have long cautioned about?
I'll Be Extremely Difficult for Microsoft to Sell Any XBox Consoles Now
Microsoft understands this
How Software Freedom Would Benefit Everybody
A society that denies control by greedy companies would do a disservice to monopolies and improve all services to citizens
Links 14/07/2026: Harsh But Also Fair Criticism of Hey Hi (AI) Slop, 'Open' AI Shuts Down Its Own Products as Funds Run Out
Links for the day
Gemini Links 14/07/2026: Old CD Binder and AWK
Links for the day
In Defence of Physical Tickets
Tickets are not some "app" and not some "code" on some "screen"
Microsoft Layoffs Not Limited to XBox (False Narrative in the Mainstream Media)
Microsoft is becoming less relevant and workforce reductions won't end any time soon
Links 14/07/2026: Plagiarism Spun as "Training", Zelensky Announces Leadership Shuffle
Links for the day
The Register MS Has Just Published "AI" Webspam That Mentions "AI" 54 Times. It Was Paid to Do This.
Who pays for all this "AI" hype or "buzz"?
Gemini Links 14/07/2026: Self-Advocacy Online; "The Internet Is Dead: How the Web Lost Its Human Soul"
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, July 13, 2026
IRC logs for Monday, July 13, 2026
Modern Technology Harms Women More Than Men (Because the 'Tech Bros' Who Dominate STEM Have a Poor View of Women)
“Privacy protects us from abuses by those in power, even if we're doing nothing wrong at the time of surveillance.”
Internet Relay Chat Trolls Are Not Expressing Opinions, They Are Saboteurs
For the record
Links 14/07/2026: "The Freedom of Information Act Is in Serious Trouble"; Irish Datacenters Use Up Almost 25% of Total Energy
Links for the day