How to clone a Pico Key (Pico Fido Security Key)

Background

Most commercial USB security keys cannot be duplicated, which is a great security feature. However, in situations where physical keys might be lost or stolen, the only backup method for such security keys is to add multiple physical keys for the same security project. If one key is compromised or lost, another one can be used for authentication. This has been a reason why I have been resistant to such security settings until the Pico Fido project emerged. USB security keys based on Pico Fido can be conveniently fully backed up, providing a solution to this limitation.

Steps

1. Get the Raspberry Pi picotool ready.

The official distribution doesn't provide pre-built binaries. Linux users should find it relatively convenient to compile. For Windows users, it's recommended to install msys2 and follow the steps outlined in Appendix A of "Getting started with pico" (the OpenOCD section) to prepare the compilation environment. Install any missing dependencies as needed. Compiling should then be a straightforward process.

Update:

I found that picotool is already included in the Windows version of the Pico SDK. Just download and install the Windows SDK and you will find picotool here:

C:\Program Files\Raspberry Pi\Pico SDK v1.5.1\picotool

2. Have the Zadig driver ready.

Hold down the BOOTSEL button while inserting your Pico key. Using Zadig, replace the driver for the RP2 Boot device with the WinUSB driver. Note that RP2 Boot shows two interfaces here; replacing the driver for interface 1 is enough.

[Screenshot: pico bootsel driver replace]

3. Dump the contents of the SPI flash.

This can be done with one simple command. Here, "dump.bin" is the filename of the exported file, and you can customize it as needed.

picotool.exe save -a dump.bin

4. Clone it.

Then switch to a new Pico key, enter BOOTSEL mode by holding down the BOOTSEL button, and program the SPI flash using the dump.bin file we just got.

picotool.exe load dump.bin

Before cloning, you can register your original Pico key on the webauthn website. Authenticating there with the new key afterwards lets you verify that the cloning succeeded.
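
Steps 3 and 4 combined with a read-back check, as an added PowerShell example that is not part of the original post. It assumes picotool.exe is on PATH and that both keys have the same flash size; the temporary file names are placeholders.

```powershell
# Added example: dump the original key, write the dump to the new key,
# read the new key back and compare SHA-256 hashes.
$ErrorActionPreference = 'Stop'
$dump  = Join-Path $env:TEMP 'picokey-dump.bin'       # placeholder name
$check = Join-Path $env:TEMP 'picokey-readback.bin'   # placeholder name

function Invoke-Picotool {
    # Run picotool with the given arguments and stop on a non-zero exit code.
    & picotool.exe @args
    if ($LASTEXITCODE -ne 0) {
        throw "picotool $($args -join ' ') failed with exit code $LASTEXITCODE"
    }
}

try {
    $null = Read-Host 'Insert the ORIGINAL key in BOOTSEL mode, then press Enter'
    Invoke-Picotool save -a $dump                 # step 3: dump the whole flash
    $srcHash = (Get-FileHash -Algorithm SHA256 -Path $dump).Hash

    $null = Read-Host 'Swap in the NEW key in BOOTSEL mode, then press Enter'
    Invoke-Picotool load -v $dump                 # step 4: write, -v verifies the write
    Invoke-Picotool save -a $check                # read the new key's flash back
    $newHash = (Get-FileHash -Algorithm SHA256 -Path $check).Hash

    if ($srcHash -eq $newHash) {
        Write-Output "Clone matches the original dump (SHA-256 $srcHash)."
    } else {
        Write-Warning 'Read-back differs from the dump: different flash size or a failed write.'
    }
}
finally {
    # The dump is a full copy of the key's flash, so it is as sensitive as the
    # key itself. Remove the working copies; store a backup only on encrypted media.
    Remove-Item -Path $dump, $check -ErrorAction SilentlyContinue
}
```

Run the comparison before the new key is unplugged or booted normally, so that the read-back reflects exactly what was written.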