DIY hardware password key: the $5 button that types your password
Here is a fun one. Take a five dollar microcontroller that can pretend to be a USB keyboard, wire one button to it, and store a passphrase in the firmware. Press the button and it types your password into whatever the cursor is sitting in, perfectly, every time. This DIY hardware password key is a cracking weekend build. It is also not a real security key, and working out exactly why not will teach you more about authentication than any lecture. Here is the build, what it is honestly good for, and why the real thing still wins.
What the build actually is
The whole trick lives in USB itself. Plenty of hobby boards can enumerate as a standard USB keyboard. Not "sort of like" a keyboard: as far as your computer is concerned it is one, same device class as the thing you type on, no drivers, no prompts, nothing to install. Anything a keyboard can type, the board can type, at hundreds of characters a second without a single typo.
The shopping list:
- A microcontroller board with native USB that supports keyboard emulation. The product page will say USB HID or keyboard emulation. Around five dollars.
- One momentary push button. Cents, or salvage one from the parts drawer.
- A case if you are feeling fancy. Mint tin, heat shrink, or bare board worn with pride.
Wire the button between an input pin and ground and enable that pin's internal pull-up in the firmware, so it reads high until the button pulls it low. Put your passphrase in the firmware, plug it in. That is the entire project.
The concept, in ten lines
No full sketch here because you do not need one. Every maker ecosystem has a well-worn keyboard emulation example, and this build is that example plus a button read. In plain terms:
setup:
    announce yourself as a USB keyboard
    configure the button pin as an input with its pull-up enabled
loop:
    if the button is pressed (the pin reads low):
        type the stored passphrase
        press Enter
        wait for the button to be released
        pause a few milliseconds so contact bounce cannot fire it twice
That is the whole firmware. The decisions left are cosmetic: send Enter or not, a second secret on a double press, a blink while it types. If you can follow a tutorial you will have it working the same afternoon the parts arrive.
What it is genuinely good for
- Long device-unlock passphrases. Disk encryption asks for its passphrase at boot, before any password manager is awake. A 40 character monster becomes one button press, so you stop being tempted to shorten it.
- Air-gapped machines. A computer that never touches the internet cannot sync a password manager. A button that types is about as offline as tooling gets.
- The relative who cannot type 24 random characters. Give them a proper long password and a button instead of a sticky note under the monitor.
- The places managers cannot reach. BIOS prompts, pre-boot screens, recovery consoles, the ancient box in the corner. If it accepts a keyboard, it accepts the button.
Notice the pattern: every good use is typing convenience in places better tools cannot operate. Hold that thought.
Why a real security key beats it
The DIY key types a secret. That sentence is the entire security review, because anything typed inherits every weakness a password has:
- It can be phished. A fake login page receives the button's perfect typing just as happily as the real one. The button cannot tell the difference, and neither can a rushed human at 5pm.
- It can be keylogged. Malware that records keystrokes cannot tell your button from your fingers. The secret crosses the same wire either way.
- It can be replayed. Captured once, useful until you change it. The password is identical every press.
A real security key, the FIDO2 or passkey class of device, never types anything. It does challenge and response. The site sends a fresh random challenge, the key signs it with a private key that never leaves the hardware, and the browser includes the genuine site's identity in what gets signed, so the signature is only good for that site. Point it at a lookalike domain and the key simply has no credential for it, so there is nothing to hand over; even a signature coaxed out under the lookalike's name would not verify at the real site. Nothing typed, nothing to capture, nothing to replay. It is not phishing resistant because the user is careful. It is phishing proof because of how the maths is wired. The one thing it does not do is protect a session on a machine that is already compromised: malware that cannot steal the credential can still ride the logged-in browser, which is an argument for keeping the machine clean, not against the key.
That comparison is modern authentication in one build. A secret you reveal is fragile no matter how long it is. A proof you compute, fresh every time and bound to the other party, is not. Build the button, understand why it loses, and you understand passkeys better than most of the marketing written about them.
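The exchange described above, reduced to code. This is an added example, not code from the original post and not any real FIDO2 implementation: a toy relying party, a toy security key holding one Ed25519 keypair per site, and the DIY button beside them for contrast. The site name bank.example, the lookalike bank-example.com, the user alice and the passphrase are constructed for the demonstration, and the signed message simply concatenates the site identity and the challenge as a stand-in for the real authenticator data and client data hash.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// DIYButton is this article's build: every press produces the same string, whoever asks.
type DIYButton struct{ Passphrase string }

// Press returns the stored secret. The button cannot tell a real site from a fake one.
func (b DIYButton) Press() string { return b.Passphrase }

// RelyingParty is a toy website. ID stands in for the rpId, the site identity the
// browser binds every ceremony to.
type RelyingParty struct {
	ID         string
	pubKeys    map[string]ed25519.PublicKey // registered public key per user
	challenges map[string]bool              // outstanding challenges, consumed on use
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string]bool{}}
}

// Challenge mints 32 fresh random bytes and remembers them until they are used once.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[hex.EncodeToString(c)] = true
	return c
}

// Register stores the public half of a credential. The private half never arrives.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

// Verify accepts a response only if the challenge is still outstanding (so a replay
// fails) and the signature covers this site's own ID plus that challenge (so a
// signature obtained under a lookalike's name fails too).
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) error {
	k := hex.EncodeToString(challenge)
	if !rp.challenges[k] {
		return errors.New("unknown or already used challenge")
	}
	delete(rp.challenges, k) // one challenge, one use
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("no credential registered for user")
	}
	if !ed25519.Verify(pub, toBeSigned(rp.ID, challenge), sig) {
		return errors.New("signature does not verify for this site")
	}
	return nil
}

// toBeSigned is the toy stand-in for authenticator data (rpId hash) plus the client
// data hash (challenge and origin): the site identity is part of what gets signed.
func toBeSigned(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"\x00"), challenge...)
}

// SecurityKey holds one private key per site. No method ever returns a private key.
type SecurityKey struct{ creds map[string]ed25519.PrivateKey }

func NewSecurityKey() *SecurityKey { return &SecurityKey{creds: map[string]ed25519.PrivateKey{}} }

// Register mints a fresh keypair scoped to rpID and hands back only the public key.
func (k *SecurityKey) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	k.creds[rpID] = priv
	return pub
}

// Assert signs a challenge for the site the browser says it is talking to. A lookalike
// domain has no credential, so there is nothing to hand over.
func (k *SecurityKey) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := k.creds[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential for %q", rpID)
	}
	return ed25519.Sign(priv, toBeSigned(rpID, challenge)), nil
}

func main() {
	button := DIYButton{Passphrase: "correct horse battery staple 7!"} // constructed sample
	fmt.Println("lookalike site received from the button:", button.Press())

	bank := NewRelyingParty("bank.example")
	key := NewSecurityKey()
	bank.Register("alice", key.Register(bank.ID))

	c := bank.Challenge()
	sig, _ := key.Assert(bank.ID, c)
	fmt.Println("genuine login:", bank.Verify("alice", c, sig))
	fmt.Println("same response replayed:", bank.Verify("alice", c, sig))
	_, err := key.Assert("bank-example.com", bank.Challenge())
	fmt.Println("lookalike asks the key:", err)
}
```

Run it and the three lines tell the story: the genuine login verifies, the identical response replayed a second later is rejected because the challenge was consumed, and the lookalike gets an error instead of a signature. The subtler relay case, where the lookalike registers its own credential and tricks the user into signing the bank's challenge under the lookalike's name, fails at bank.Verify for the same reason: the site identity is inside the signed bytes and the key used is not the one the bank registered.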
The threat model, honestly
Lose the DIY key and you have lost the password in plastic form. Whoever finds it plugs it into any computer, opens a text editor, presses the button, and reads your secret off the screen. No skill required. The stored secret is usually recoverable from the firmware too, with the same hobbyist tools that flashed it, and while some chips offer flash read-out protection it changes nothing here, because the button prints the secret on demand anyway. Assume the device is the password, full stop.
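To make the firmware point concrete, here is an added example (not the article's code, and not tied to any particular board) that constructs a stand-in flash image laid out the way a compiled sketch would leave it, then does to it what the strings utility does. The image layout, the vendor string and the passphrase are invented for the demonstration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// BuildFirmwareImage constructs a stand-in for a dumped flash image: a fake vector
// table, erased-flash padding, a vendor string, and the passphrase exactly as a C
// string literal lands in flash, bytes in the clear followed by a NUL.
func BuildFirmwareImage(passphrase string) []byte {
	img := make([]byte, 0, 2048)
	var word [4]byte
	for i := 0; i < 16; i++ { // 16 little-endian handler addresses
		binary.LittleEndian.PutUint32(word[:], 0x08000000+uint32(i)*0x40)
		img = append(img, word[:]...)
	}
	img = append(img, bytes.Repeat([]byte{0xff}, 200)...) // erased flash
	img = append(img, "DIY Password Key v1\x00"...)
	img = append(img, bytes.Repeat([]byte{0x00}, 64)...)
	img = append(img, passphrase...) // the sketch's string literal, unchanged
	img = append(img, 0x00)
	img = append(img, bytes.Repeat([]byte{0xff}, 1024)...)
	return img
}

// ExtractStrings is what strings(1) does: every run of at least minLen printable
// ASCII bytes. No debugger and no knowledge of the firmware layout needed.
func ExtractStrings(img []byte, minLen int) []string {
	var out []string
	start := -1
	flush := func(end int) {
		if start >= 0 && end-start >= minLen {
			out = append(out, string(img[start:end]))
		}
		start = -1
	}
	for i, b := range img {
		printable := b >= 0x20 && b <= 0x7e
		switch {
		case printable && start < 0:
			start = i
		case !printable:
			flush(i)
		}
	}
	flush(len(img))
	return out
}

// LongestString returns the longest candidate. On a build like this one that is the
// passphrase, because nothing else in the image is as long.
func LongestString(ss []string) string {
	best := ""
	for _, s := range ss {
		if len(s) > len(best) {
			best = s
		}
	}
	return best
}

func main() {
	img := BuildFirmwareImage("correct horse battery staple 7!") // constructed sample
	found := ExtractStrings(img, 8)
	for _, s := range found {
		fmt.Printf("%q\n", s)
	}
	fmt.Println("recovered:", LongestString(found))
}
```

The whole image yields exactly two readable strings, the vendor banner and the passphrase, and the passphrase is the longer one. The partial-secret trick below limits what this scan recovers to the random tail you chose to store, and nothing else.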
You can soften that:
- Partial secrets. The key types a long random tail and you type a short prefix you remember. A finder gets half a password, you keep the half that lives in your head.
- A button combo. Long press or double press before it types. A speed bump for the curious, not encryption, and be honest with yourself about which one you built.
- Accept what it is. A convenience tool, not a security boundary. Put your disk passphrase on it. Do not put your banking password on it.
The verdict: build one, buy the real one
For actual two-factor, buy, do not build. Proper hardware security keys have fallen to the price of a takeaway dinner, they are phishing proof by design, and they are cheap enough to buy in pairs so a spare in the drawer solves the lockout worry. The sensible split: the DIY button for fun and for long passphrases in awkward places, a real key for anything with money or your email behind it. Email especially, because whoever holds your inbox can reset nearly everything else. Where keys sit in the bigger picture is covered in our guide to cyber security for small business.
And the serious point for business owners: passkeys or hardware keys on staff email is the single best phishing defence you can buy. One phished mailbox is how most small business breaches start, and a key removes that whole class of incident instead of training people to dodge it. It is one of the first things worth doing properly under managed IT, precisely because it is cheap, fast and permanent.
Building the button and want a sanity check, or want the honest version of where your logins are weak? Tell us what you are running and we will give you the straight answer.
Frequently asked questions
What do I need to build a DIY hardware password key?
A microcontroller board that can present itself to the computer as a USB keyboard, one momentary push button, and a few jumper wires. Suitable boards start around five dollars, and the product page will say USB HID or keyboard emulation. Wire the button to an input pin, store your passphrase in the firmware, and the whole thing fits in a mint tin.
Is a DIY password key a real security key?
No. A real security key, the FIDO2 or passkey kind, signs a fresh challenge that is bound to the genuine site and never reveals its secret. The DIY key just types a stored password, so everything it produces can be phished, keylogged or replayed. It is a convenience tool, a very fast and accurate finger, not a security boundary.
What happens if I lose the DIY key?
Whoever finds it owns the password. Any computer, a text editor and one button press prints the secret on screen, no skill required. Treat it like losing a written-down password and change the credential straight away. You can soften the blast radius by storing only part of the secret on the key and typing a short prefix yourself.
Can I use it for two-factor authentication?
You can make it type a static code, but that is not real 2FA, it is the same factor twice: things that can be copied. Proper hardware 2FA does challenge and response, so a fake login page gets nothing it can reuse. Real keys that do this now cost less than a takeaway dinner. Build the button for fun, buy the real key for email and banking.
Why does the computer accept it as a keyboard with no drivers?
Because USB was designed to trust keyboards. The board announces itself as a standard input device, the same class as every keyboard ever made, and the operating system takes it at its word. No driver, no prompt, no permission dialog. That is why the build works everywhere, and also why plugging unknown USB devices into your machines is a genuine risk.