Anyone using the Apex for Webauthn on Linux

Wondering if anyone is successfully using the Apex for Webauthn on Linux? From what I’ve been reading, NFC support in Chromium/Firefox is currently limited to Windows (which mimic’s what I have been observing - I can use my ACR1252 on a Windows machine without issue, but no browser on Linux seems to show it as an option).

Wonder if there are any other Linux Apex users out there who have come up with a work-around? Currently I’m using Windows 10 in a VM, with the card reader passed through, but I’m hoping there’s a better way.

It’s possible to use an NFC implant on Linux with libfido2, if you compile libfido2 with support for pcsclite.

But no browser I know of links libfido2, so I don’t know of a way to use a PCSC smartcard for webauthn through a browser on Linux today.

It would be possible to make a piece of software that calls libfido2 on one side and exposes a USB HID virtual device on the other side. That would work fine, but I don’t think anyone has written it.

@StarGate01 has written a fantastic tool on their GitHub repo that emulates a USB U2F token.

You need to build the kernel module though if your distribution doesn’t have it.

I got it working on Ubuntu 22.04 and can share the steps for DKMS etc to rebuild it when the kernel updates, and getting it signed for secure boot.

Ahh Thank’s @StarGate01’s project seems promising.

You need to build the kernel module though if your distribution doesn’t have it.

I’m running on Linux Mint 20, which is based on Ubuntu 20.04, so if you have any points I’d love to hear them

I spent a few hours today hacking together a thing that definitely doesn’t require a kernel module: GitHub - BryanJacobs/fido2-hid-bridge: HID -> PC/SC Bridge for FIDO2 Device Use

@BryanJacobs you da man! This is fantastic, I just tried your project on my desktop and it works great with Firefox. Just successfully logged into one of the accounts I had previously registered to my Apex in my Windows VM!

I’ll need to do a bit of tweaking to get it working as a service, but that will be trivial, thanks for doing all the heavy lifting here, this is awesome!

Does this act as a virtual USB Fido device then? Is there a standard USB hardware ID for such a thing that all Fido devices must comply with or something?

It acts as a virtual USB device using the kernel userspace HID driver, yes.

There isn’t a standard “USB hardware ID”, no, but there is a FIDO standard HID Report Descriptor which this software returns. The browser will enumerate all HID devices in the system, and for each one check if its descriptor matches that magic. So it finds this one.

If you set up the systemd units or whatever, please feel free to contribute them back to the repository so others can use them as well.

I’m curious… if the browser finds the Fido USB descriptor, but there isn’t a contactless Fido token on the reader at the time, how does that event get translated? Is there some sort of emulation that mimics the button press on a yubikey? Something like that?

In the quick and dirty way I wrote this, there’s a configurable timeout for how long the app will wait to find a usable PC/SC device (10 seconds). If the timeout expires, the browser will see there being no device available. If the authenticator is tapped before the timeout expires, the browser will use it.

You still have to press the button on your yubikey to use it, of course, if it’s plugged in and getting accessed over PC/SC somehow.

It might also be worth pointing out that there’s the concept of a “channel” in CTAP-HID, and the bridge only looks for a device when opening a new channel. Once it’s locked on to a particular device it’ll keep using it (or trying to use it and failing, if it’s removed…) until the channel is closed.

Oh that’s really cool, thanks.

I’ll give it a go.

Sounds good, make a very simple PR to add a basic systemd definition as an example that I’m using on my desktop

Thats how I did it in my bridge tool as well.

Just to be pedantic, it emulates a FIDO2 HID device, not a U2F one.

hi @BryanJacobs,

Thanks so much for providing this script!
I’m using a HID Omnikey 5022 with the HID Crescendo C2300 FIDO2 NFC card.
I’m getting the following error message below.
Can you please help me get past it?

thanks!

root@vincenttran-laptop:/home/vincent/Downloads/fido2-hid-bridge-main# sudo python3 bridge.py
Traceback (most recent call last):
File “/home/vincent/Downloads/fido2-hid-bridge-main/bridge.py”, line 6, in
from ctap_hid_device import CTAPHIDDevice
File “/home/vincent/Downloads/fido2-hid-bridge-main/ctap_hid_device.py”, line 8, in
from fido2.pcsc import CtapDevice, CTAPHID, CtapError, CtapPcscDevice
File “/usr/local/lib/python3.10/dist-packages/fido2/pcsc.py”, line 34, in
from smartcard import System
ImportError: cannot import name ‘System’ from ‘smartcard’ (/usr/local/lib/python3.10/dist-packages/smartcard/init.py)

That looks like a problem with your Python install of the smartcard package, not with the bridge library.

I can’t help but notice it’s trying to import things from /usr/local. Did you follow the setup instructions, which say to use a venv?

thanks @BryanJacobs! I was able to get the script to run after running poetry install with the run python 3.11 version installed.

However, Chrome and Firefox won’t accept my valid PIN after tapping the NFC security key on my card reader. It keeps on displaying the following message:

The proxy code doesn’t do anything to change PINs. It just forwards HID bytes to PCSC bytes. It can’t make your PIN invalid or return an “incorrect PIN” error response itself.

The PIN you want is the CTAP PIN, not any yubikey OTP PIN. If you don’t know it you will need to do a CTAP reset on the authenticator and start over.

You can check you do indeed know your PIN with a command like fido2-token -L <device>.

Can anyone give me some guidance for getting this working on Arch? New to Linux.