Monday, October 7, 2019

Quick notes on using FIDO2 security keys on Linux

Using FIDO2 keys for 2FA
Most of you know that I am using a Linux laptop. Thus, experimenting with FIDO2 hardware security keys as discussed in the earlier blog post requires some extra setup. But fortunately, most steps are documented somewhere and can be easily found. Here is my writeup for my own benefit...

udev rules

On a Linux system, most users operate as "regular guys" and not as root / superuser. Hence, some system rules need to be added to make the USB security keys available as devices in the userspace (udev). The rules all follow the same pattern and there are good instructions for both YubiKey and Solo keys.

If you are using a key from another vendor which I did, then first list the device information utilizing "lsusb". Thereafter, add a udev rule similar to those above, but replace vendor ID and product ID accordingly.

Browser support

I tested the WebAuthn flow with both Chrome and Firefox on my RHEL 7.7. Only the Chrome browser allowed me to register the FIDO2 devices (create credentials). The identity verification as part of 2FA worked in Firefox, too.

This Python script provided by Yubico allowed me to create and verify credentials on the command line. It worked with both a Level 1-certified device where I had to press a button as well as with a Level 2-certified device with a fingerprint scanner.

More resources

To get started, I recommend the official FIDO2 pages at the FIDO Alliance site or the links on this curated WebAuthn awesome list.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.