Using FIDO2 keys for 2FA
udev rules
On a Linux system, most users work as regular (unprivileged) users, not as root / superuser. Hence, some system rules need to be added to make the USB security keys accessible as devices from userspace (udev). The rules all follow the same pattern and there are good instructions for both YubiKey and Solo keys. If you are using a key from another vendor, which I did, then first list the device information using "lsusb". Thereafter, add a udev rule similar to the YubiKey and Solo ones, but replace the vendor ID and product ID accordingly.
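As an added example (not part of the original post, nor the vendors' own rule files), the following POSIX shell functions pick the vendor:product pair out of an lsusb line and turn it into a udev rule of the same shape used for YubiKey and Solo devices. The lsusb line and the IDs 1234:abcd are constructed placeholders; substitute the values lsusb prints for your key. The rule uses TAG+="uaccess", which lets systemd-logind grant the active seat user access to the key's hidraw node without making it world-readable.

```shell
#!/bin/sh
# Added example: build a udev rule granting the logged-in user access to a
# FIDO2 key's hidraw device, from the "vvvv:pppp" pair shown by `lsusb`.
# The vendor/product IDs used below are placeholders, not a real device.

# Emit one udev rule line for the given vendor and product ID.
# udev compares ATTRS{idVendor}/ATTRS{idProduct} against 4 lowercase hex
# digits, so anything else is rejected with a non-zero exit status.
make_fido_udev_rule() {
    vendor="$1"
    product="$2"
    case "$vendor" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
        *) echo "bad vendor id: $vendor (expected 4 lowercase hex digits)" >&2; return 1 ;;
    esac
    case "$product" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
        *) echo "bad product id: $product (expected 4 lowercase hex digits)" >&2; return 1 ;;
    esac
    # Match only the hidraw interface of this exact device; "uaccess" hands
    # the node to the active local session user instead of chmod 666.
    printf 'KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="%s", ATTRS{idProduct}=="%s", TAG+="uaccess"\n' \
        "$vendor" "$product"
}

# Extract "vendor product" from one line of lsusb output, e.g.
#   Bus 001 Device 004: ID 1234:abcd Example Vendor FIDO2 Key   (constructed)
# Prints nothing if the line carries no "ID vvvv:pppp" field.
ids_from_lsusb_line() {
    printf '%s\n' "$1" | sed -n 's/.* ID \([0-9a-f]\{4\}\):\([0-9a-f]\{4\}\) .*/\1 \2/p'
}

# Convenience wrapper: lsusb line in, rule line out.
rule_from_lsusb_line() {
    set -- $(ids_from_lsusb_line "$1")
    [ $# -eq 2 ] || { echo "no USB ID found in lsusb line" >&2; return 1; }
    make_fido_udev_rule "$1" "$2"
}
```

Typical use is to pipe the generated line into a rules file and reload udev, e.g. `rule_from_lsusb_line "$(lsusb | grep -i fido)" | sudo tee /etc/udev/rules.d/70-fido2.rules`, followed by `sudo udevadm control --reload-rules && sudo udevadm trigger`, then re-plug the key. After that, `ls -l /dev/hidraw*` should show an ACL entry (a "+" after the mode bits) for your user rather than world-readable permissions.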
Browser support
I tested the WebAuthn flow with both Chrome and Firefox on my RHEL 7.7. Only the Chrome browser allowed me to register the FIDO2 devices (create credentials). The identity verification as part of 2FA worked in Firefox, too. This Python script provided by Yubico allowed me to create and verify credentials on the command line. It worked with both a Level 1-certified device where I had to press a button as well as with a Level 2-certified device with a fingerprint scanner.
More resources
To get started, I recommend the official FIDO2 pages at the FIDO Alliance site or the links on this curated WebAuthn awesome list. If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.