Universal 2nd Factor
Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized USB or NFC devices based on similar security technology found in smart cards.
While initially developed by Google and Yubico, with contribution from NXP Semiconductors, the standard is now hosted by the FIDO Alliance.
For all articles on U2F and U2F-devices see: Category:Universal 2nd Factor.
Authentication for websites
U2F is supported by major sites like Google, Facebook, Twitter, or GitHub. Check out 2fa.directory or dongleauth.com to find other websites and links to setup documentation. For all browsers which support it, likely the only action required is to install libfido2. Yubico offers a demo page for testing.
Firefox/Tweaks#Fido U2F authentication
Chromium/Tips and tricks#U2F authentication
Authentication for user sessions
Yubico, the company creating the YubiKey, develops an U2F PAM module. It can be used to act as a second factor during login or replace the need for a password entirely.
Installing the PAM module
The module is part of the package pam-u2f.
Adding a key
authfile=/path/to/u2f_keysto the end of the line for pam_u2f.so. This is also useful if you wish to move
u2f_keysto a protected part of the file-system. For multi-user implementations use a central mapping file as explained in the official documentation of pam-u2f.
Keys need to be added with the tool
$ mkdir ~/.config/Yubico $ pamu2fcfg -o pam://hostname -i pam://hostname > ~/.config/Yubico/u2f_keys
After entering your PIN, click the button of your U2F key to confirm the key.
hostnamewith the actual hostname.
If you own more than 1 key, append the next ones with
$ pamu2fcfg -o pam://hostname -i pam://hostname -n >> ~/.config/Yubico/u2f_keys
-nin the above command is required. It will omit the username portion of the generated line as required in the spec for subsequent entries for the same user. Multiple lines with the same username will cause unpredictable behaviour in PAM.
sudo -s). This way you can revert any changes if something goes wrong.
auth sufficient pam_u2f.so cue origin=pam://hostname appid=pam://hostname
as the first line. Be sure to replace the
hostname as mentioned above. Then create a new terminal and type
sudo ls. Your key's LED should flash and after clicking it the command is executed. The option
cue is set to provide indication of what to do, i.e.
Please touch the device.
In order to make the token the only method of sudo (ie. no password fallback) you will need to comment out the other auth methods present. This is usually just the default system-auth include.
#auth include system-auth
You should also change
required in the above pam_u2f.so line.
/etc/pam.d/gdm-password and add
auth required pam_u2f.so nouserok origin=pam://hostname appid=pam://hostname
after the existing
auth lines. Please note the use of the
nouserok option which allows the rule to fail if the user did not configure a key. This way setups with multiple users where only some of them use a U2F key are supported.
u2f_keysfile is unavailable. In this case use a central mapping file as explained in the official documentation of pam-u2f.
Other authentication methods
Enable the PAM module for other services like explained above. For example, to secure the screensaver of Cinnamon, edit
If you managed to lock yourself out of the system, boot into recovery mode or from a USB pen drive. Then revert the changes in the PAM configuration and reboot.
In case the pam-u2f module silently fails, add debug keyword to the auth line in a file in
OpenSSH ≥8.2 supports FIDO/U2F hardware tokens natively, see SSH keys#FIDO/U2F.
Data-at-rest encryption with LUKS
Since version 248, systemd can be use to unlock a LUKS partition using a FIDO2 key.
First, you will need to setup your
/etc/crypttab file, or customize your initramfs if you wish to unlock your root partition. The full procedure is similar to the use of a TPM chip for unlocking. See Trusted Platform Module#systemd-cryptenroll.
To register the key, you will need to use the systemd-cryptenroll utility. First, run the following command to list your detected keys:
$ systemd-cryptenroll --fido2-device=list
Then you can register the key in a LUKS slot, specifying the path to the FIDO2 device, or using the
auto value :
$ systemd-cryptenroll --fido2-device=/path/to/fido2_device /dev/sdX