Wednesday, May 20, 2020

Use Chromium-based browsers to manage FIDO security keys

Add fingerprints using browser
Add fingerprint to FIDO key
Recently, I made a discovery that simplified how I manage my FIDO security keys. Instead of using a vendor tool to set a PIN or add fingerprints, I have switched to using a Chrome- / Chromium-based browser for the administration. This works well on my Linux box. In this blog post, I am going to detail some of the features available.

Chromium browsers

Most of you probably know or are even using Google's Chrome browser. It is based on Google's open source project Chromium. There is quite a long list of other browsers based on Chromium. Personally, I use Chromium, Chrome and the privacy-friendly Iridium browser.

When you click on the browser menu and go to Settings, then to Privacy and security and expand that section, you can pick Manage security keys. It brings up options (see the background in the first screenshot below) to Create a PIN, view and delete Sign-in data, manage Fingerprints or to Reset your security key. I have already used all of these options, in all my Chromium-based browsers and with several USB security keys.

Manage FIDO security keys

If you have a fresh security key or have just reset it, you can configure a PIN. If a PIN is already present, you can change it for your security key. The typical procedure is that you insert your USB key, then you have to touch or press it and, if a PIN is set, provide it.

Once the FIDO key has a PIN, you can add fingerprints to the USB dongle or delete existing ones. When adding a new fingerprint, you have to touch the reader multiple times until enough samples are taken. The screenshot at the top shows that stage; the image below shows 6 fingerprints on one of my FIDO2 keys.

Manage fingerprints for FIDO2 key
Manage fingerprints on security key

To me the most interesting part is managing the sign-in data. This is what used to be called a resident key or resident credential (both terms are deprecated) and is now called a client-side discoverable credential. IMHO, when going passwordless, this is the data by which a website can identify you again.

The browser allows you to see the stored credentials (resident keys) on your security device and to delete them. This is really useful for testing scenarios and for selectively cleaning up your USB security key. The screenshot below shows that I used the FIDO2 key with the test site https://verify.securitypoc.com/ and some others.
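To make the two paragraphs above concrete, here is an added example (my illustration, not code from the original post or from any Chromium or FIDO project) of what a website does to get one of those "sign-in data" entries onto a key: it requests a client-side discoverable credential at registration, checks that the key really stored it, and later signs the user in with an empty allow-list so the key chooses from its own stored credentials. The relying-party ID `verify.example` and name `Example RP` are assumptions; the two `async` functions need a browser with WebAuthn, while the option builders and the check run anywhere.

```javascript
// Added example (not code from the original post): how a website asks a
// FIDO2 key for a client-side discoverable credential, the entry that the
// Chromium "Sign-in data" page lists, and how it checks that it got one.
const RP_ID = "verify.example";     // assumed relying-party ID (the site's domain)
const RP_NAME = "Example RP";       // assumed display name shown by the browser

// Options for navigator.credentials.create(): residentKey "required" tells the
// authenticator to store the credential on the key itself. Without it the key
// may return a non-discoverable credential and the site would have to supply
// the credential ID on every login.
function buildDiscoverableCreationOptions(challenge, userId, userName, displayName) {
  return {
    challenge,                                   // server-generated random bytes
    rp: { id: RP_ID, name: RP_NAME },
    user: { id: userId, name: userName, displayName },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },           // ES256
      { type: "public-key", alg: -257 },         // RS256
    ],
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform", // a USB security key, not a platform authenticator
      residentKey: "required",                   // WebAuthn Level 2 name
      requireResidentKey: true,                  // WebAuthn Level 1 name, kept for older clients
      userVerification: "required",              // PIN or fingerprint on the key
    },
    extensions: { credProps: true },             // ask the client whether the key really stored it
    attestation: "none",
    timeout: 60000,
  };
}

// Options for navigator.credentials.get() when signing in without a username:
// an empty allowCredentials list makes the key search its own stored
// credentials for this rpId instead of the site naming one.
function buildDiscoverableRequestOptions(challenge) {
  return {
    challenge,
    rpId: RP_ID,
    allowCredentials: [],
    userVerification: "required",
    timeout: 60000,
  };
}

// The credProps extension reports rk === true when the credential is
// discoverable. A missing value means the client could not tell, which a
// site should treat as "not known to be discoverable".
function isDiscoverable(clientExtensionResults) {
  const props = clientExtensionResults && clientExtensionResults.credProps;
  return Boolean(props && props.rk === true);
}

// Browser-only: register, then confirm the credential landed on the key.
async function registerDiscoverable(userName, displayName) {
  const challenge = crypto.getRandomValues(new Uint8Array(32));
  const userId = crypto.getRandomValues(new Uint8Array(16));
  const credential = await navigator.credentials.create({
    publicKey: buildDiscoverableCreationOptions(challenge, userId, userName, displayName),
  });
  const discoverable = isDiscoverable(credential.getClientExtensionResults());
  return { credentialId: credential.id, discoverable };
}

// Browser-only: sign in with no username typed; the key picks the account.
async function signInWithoutUsername() {
  const challenge = crypto.getRandomValues(new Uint8Array(32));
  const assertion = await navigator.credentials.get({
    publicKey: buildDiscoverableRequestOptions(challenge),
  });
  // userHandle is the user.id stored on the key; the server maps it back to an account.
  return { credentialId: assertion.id, userHandle: assertion.response.userHandle };
}
```

If you delete an entry from the key's sign-in data in the browser settings, the second flow stops finding that account, because the key no longer holds a credential for that rpId; the site has to run the registration flow again. Checking `credProps.rk` at registration is what tells a site whether it can rely on the username-less flow at all.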

(Update on 2020-05-23: I changed the screenshot below)


View and manage FIDO2 sign-in data
View and manage sign-in data


Conclusions

The hidden gem in Chromium-based browsers for managing security keys is a time-saver. I can put vendor tools aside and replace them with a readily available app, one of my web browsers.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.