Anyone using the Apex for Webauthn on Linux

Wondering if anyone is successfully using the Apex for Webauthn on Linux? From what I’ve been reading, NFC support in Chromium/Firefox is currently limited to Windows (which mimic’s what I have been observing - I can use my ACR1252 on a Windows machine without issue, but no browser on Linux seems to show it as an option).

Wonder if there are any other Linux Apex users out there who have come up with a work-around? Currently I’m using Windows 10 in a VM, with the card reader passed through, but I’m hoping there’s a better way.

It’s possible to use an NFC implant on Linux with libfido2, if you compile libfido2 with support for pcsclite.

But no browser I know of links libfido2, so I don’t know of a way to use a PCSC smartcard for webauthn through a browser on Linux today.

It would be possible to make a piece of software that calls libfido2 on one side and exposes a USB HID virtual device on the other side. That would work fine, but I don’t think anyone has written it.

@StarGate01 has written a fantastic tool on their GitHub repo that emulates a USB U2F token.

You need to build the kernel module though if your distribution doesn’t have it.

I got it working on Ubuntu 22.04 and can share the steps for DKMS etc to rebuild it when the kernel updates, and getting it signed for secure boot.

Ahh Thank’s @StarGate01’s project seems promising.

You need to build the kernel module though if your distribution doesn’t have it.

I’m running on Linux Mint 20, which is based on Ubuntu 20.04, so if you have any points I’d love to hear them

I spent a few hours today hacking together a thing that definitely doesn’t require a kernel module: GitHub - BryanJacobs/fido2-hid-bridge: HID -> PC/SC Bridge for FIDO2 Device Use

5 Likes

@BryanJacobs you da man! This is fantastic, I just tried your project on my desktop and it works great with Firefox. Just successfully logged into one of the accounts I had previously registered to my Apex in my Windows VM!

I’ll need to do a bit of tweaking to get it working as a service, but that will be trivial, thanks for doing all the heavy lifting here, this is awesome!

Does this act as a virtual USB Fido device then? Is there a standard USB hardware ID for such a thing that all Fido devices must comply with or something?

It acts as a virtual USB device using the kernel userspace HID driver, yes.

There isn’t a standard “USB hardware ID”, no, but there is a FIDO standard HID Report Descriptor which this software returns. The browser will enumerate all HID devices in the system, and for each one check if its descriptor matches that magic. So it finds this one.

2 Likes

If you set up the systemd units or whatever, please feel free to contribute them back to the repository so others can use them as well.

I’m curious… if the browser finds the Fido USB descriptor, but there isn’t a contactless Fido token on the reader at the time, how does that event get translated? Is there some sort of emulation that mimics the button press on a yubikey? Something like that?

In the quick and dirty way I wrote this, there’s a configurable timeout for how long the app will wait to find a usable PC/SC device (10 seconds). If the timeout expires, the browser will see there being no device available. If the authenticator is tapped before the timeout expires, the browser will use it.

You still have to press the button on your yubikey to use it, of course, if it’s plugged in and getting accessed over PC/SC somehow.

It might also be worth pointing out that there’s the concept of a “channel” in CTAP-HID, and the bridge only looks for a device when opening a new channel. Once it’s locked on to a particular device it’ll keep using it (or trying to use it and failing, if it’s removed…) until the channel is closed.

1 Like

Oh that’s really cool, thanks.

I’ll give it a go.

Sounds good, make a very simple PR to add a basic systemd definition as an example that I’m using on my desktop

Thats how I did it in my bridge tool as well.

Just to be pedantic, it emulates a FIDO2 HID device, not a U2F one.

1 Like