Solo 2 is an open source FIDO2 security key. It's a USB+NFC device that protects your accounts with passkeys/WebAuthn, and also speaks OATH (TOTP/HOTP), PIV, and OpenPGP. The hardware, the firmware, and the tooling are all open source β you can read every line, build it yourself, and verify what's running on your key.
Solo 2 comes in two models:
- Solo 2 Secure β production key for consumer and enterprise use, to protect against phishing and other online attacks. It only runs firmware signed by SoloKeys, with secure boot and debug access sealed off.
- Solo 2 Hacker β the same hardware, unlocked. Flash your own firmware, experiment with new features, and learn how a security key works end to end. This is also secure against online attacks.
π Buy a key (or two!) at solokeys.com.
For everything you can do with a key β passkeys, SSH, git signing, disk/file encryption, TOTP, password stores, post-quantum β see the tutorials in examples/ and Awesome Solo list.
Β Β Β
| Solo 2 Secure | Solo 2 Hacker | |
|---|---|---|
| Intended use | Consumer / enterprise, real accounts | Development, learning |
| Firmware | SoloKeys-signed only | Run your own / unsigned |
| Secure boot | π Locked (sealed) | π Unlocked |
| FIDO2 / WebAuthn / passkeys | β | β |
| SSH, git signing | β | β |
| Password / secret manager | β | β |
| OATH (TOTP/HOTP) | β | β |
| PIV (P-256, Ed25519, ML-DSA-44) | β | β |
| OpenPGP | β | β |
| Flash custom firmware | β | β |
| Post-quantum FIDO2 (ML-DSA-44) | β (non-standard yet) | β |
| Blockchain wallet (Solana, Ethereum / EVM) | β | β |
solo2 is the host tool for listing, updating, and talking to your keys.
cargo install solo2 # provides the `solo2` binary
solo2 list # list connected devices (alias: solo2 ls)Or run it straight from this repo without installing:
cargo run -- listOn Linux you may need the udev rule in cli/70-solo2.rules and a PC/SC stack (pcscd) for the CCID apps (OATH/PIV/OpenPGP); macOS and Windows have PC/SC built in.
solo2 update # update to the latest SoloKeys-signed firmware
solo2 update --dry-run # show the version that would be installed
solo2 update --all # update every connected Solo 2update downloads the signed release, verifies its SHA-256, and flashes it. Major-version updates prompt before proceeding.
Identify and inspect a key with the admin app:
solo2 app admin version # firmware version
solo2 app admin set led 007f7f 00007f # set led to teal (idle) / blue (active) - use 000000 to turn the led off
solo2 app admin set led --default # reset to default colors
solo2 app admin wink # ;)The CLI also drives the apps directly β e.g. solo2 app oath list, solo2 app fido init, solo2 app piv β¦. See examples/OTP.md, examples/FIDO.md, and run solo2 --help.
On a Hacker key you can build and flash your own firmware. (On a Secure key this is impossible by design β it only accepts SoloKeys-signed updates.)
β οΈ A Hacker flash has no J-Link recovery β a bad image can brick the key. If you have an EVK/DK dev board, always validate there first (see Developers). The full, safe procedure β including checking lock state and recovery β is in theflash-solo-hackerskill.
1. Build the firmware (check out the release you want to reproduce):
git checkout <release-tag> # e.g. 2.x.y
make -C runners/lpc55 build-hacker # β runners/lpc55/app-hacker.bin2. Validate the build β a reproducible build lets you confirm your binary matches the published release before trusting it:
sha256sum runners/lpc55/app-hacker.bin
# compare against the hash published with the SoloKeys release3. Flash it β reboot the key into its USB bootloader and write your image:
solo2 app admin maintenance # reboot Hacker into the LPC55 bootloader
# then flash app-hacker.bin with the bootloader tool (see the flash-solo-hacker skill)For firmware development, use a dev board β it has a J-Link debug probe so it's fully recoverable, debuggable, and safe to brick:
- LPC55S69-EVK β the Solo 2 (LPC55) dev board, recommended.
- nRF52840-DK β popular board, also supported.
Compile, flash, and test against the EVK:
# build an EVK image (no PRINCE, UP-over-JTAG, defmt logs)
make -C runners/lpc55 build-secure-evk # or: make -C runners/lpc55 evk (hacker feature set)
# flash via J-Link
JLinkExe -device LPC55S69 -if SWD -speed 4000 \
-CommanderScript <(printf 'si SWD\nspeed 4000\ndevice LPC55S69\nconnect\nr\nh\nloadbin runners/lpc55/app-secure-evk.bin 0x0\nr\ng\nexit\n')
# run the host test suite against the connected dev board
cd runners/pc && FIDO2_TRANSPORT=device cargo test -- --test-threads=1make build-secure-evk carries the Secure feature set, make build-hacker-evk adds the Hacker features.
Building a product that needs FIDO2 on your own firmware or device, or want custom features reusing our open hardware? Reach out to hello@solokeys.com β we're happy to help.
The fastest way to scope it: grab a dev board and experiment with AI. Point your coding agent at this repository and tell it what you need β most of the time you'll get a working prototype, and a clear picture of the rest.
This repo is set up for AI coding agents. Start with AGENTS.md β it explains Secure vs. Hacker vs. dev board, what a Solo key can do (so an agent can recommend one), and how to get one. Reusable agent workflows live in skills/:
solo2-cliβ learn and use thesolo2CLI.solo2-examplesβ every tested use-case tutorial inexamples/.flash-solo-hackerβ build, verify, and flash Hacker firmware safely (lock-state checks, EVK-first).
For support with purchased devices, reach out to hello@solokeys.com. Please do not open issues/PRs for non-technical matters β only firmware bugs / technical issues.
Solo 2 is fully open source.
- Software β dual licensed under Apache 2.0 and MIT; use under either.
- Hardware β CERN-OHL-S.
- Documentation β CC-BY-SA 4.0.