Anyone using the Apex for Webauthn on Linux

I published an AUR package: libfido2-full. The Arch default libfido2 does not have support for PC/SC (smartcard) devices.

I’m not going to give you enormously detailed instructions, but the high level steps are:

  1. Get to a state where the pcsc_scan command is available
  2. Get to a state where executing pcsc_scan shows your card reader (hint: be running pcscd)
  3. Get to a state where the fido2-token command is available
  4. Get to a state where the fido2-token -L command shows your implant when it’s near the reader (hint: libfido2-full not the normal libfido2)

If by “this” you mean “webauthn on Linux”, you’re technically there at step four. If you want to do it in Firefox or Chrome you will also need software like I’ve linked above to pretend to be a USB authenticator for software that - like Chrome and Firefox on Linux - only supports FIDO2 over USB.

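The four "get to a state" steps above are the poster's; the script below is an added example (not from the thread, the AUR package or libfido2) that walks them in order and stops at the first layer that is broken, so you know whether to fix pcsc-tools, pcscd, the CCID driver, or libfido2's PC/SC support. Three things in it are assumptions the thread does not state: that pcscd is the systemd unit name, that `pcsc_scan -r` lists readers and exits, and that libfido2 prints PC/SC authenticators in `fido2-token -L` with a path starting `pcsc://` (USB HID ones show as `/dev/hidrawN`). The sample listing is constructed, not captured from a real machine.

```sh
#!/bin/sh
# Added example, not from the thread: check the four steps above in order
# and report the first one that fails.
#
# Assumptions not stated in the thread:
#   - pcscd is a systemd unit named pcscd (pcscd.service / pcscd.socket)
#   - `pcsc_scan -r` lists readers and exits (recent pcsc-tools)
#   - libfido2 reports PC/SC authenticators in `fido2-token -L` with a
#     path beginning "pcsc://"; USB HID ones appear as /dev/hidrawN

# Constructed sample of `fido2-token -L` output (not captured from a real
# machine): one USB key and one PC/SC reader holding the implant.
SAMPLE_LISTING='/dev/hidraw3: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
pcsc://slot0: vendor=0xffff, product=0xffff (PC/SC ACS ACR1252 Dual Reader 00 00)'

# Keep only the PC/SC authenticator lines of a `fido2-token -L` listing (stdin).
pcsc_tokens() {
    grep '^pcsc://' || true
}

# Number of PC/SC authenticators in a listing (stdin).
count_pcsc_tokens() {
    pcsc_tokens | wc -l | tr -d ' '
}

# Summarise a listing (stdin) as one word:
#   none - libfido2 sees no authenticator at all
#   usb  - only USB HID authenticators; this is what a libfido2 built
#          without PC/SC support produces even with the implant on the reader
#   pcsc - at least one PC/SC authenticator, i.e. the implant is reachable
classify_listing() {
    listing=$(cat)
    if [ -z "$listing" ]; then
        echo none
    elif printf '%s\n' "$listing" | grep -q '^pcsc://'; then
        echo pcsc
    else
        echo usb
    fi
}

step() { printf '[%s] %s\n' "$1" "$2"; }

# Run the live checks on this machine; returns 1 at the first failing step.
check_all() {
    # Step 1: pcsc_scan available
    command -v pcsc_scan >/dev/null 2>&1 || { step FAIL "pcsc_scan missing: install pcsc-tools"; return 1; }
    step ok "pcsc_scan found"

    # Step 2: pcscd running and the reader enumerated
    systemctl is-active --quiet pcscd 2>/dev/null || { step FAIL "pcscd not active: systemctl enable --now pcscd"; return 1; }
    pcsc_scan -r 2>/dev/null | grep -q . || { step FAIL "pcscd sees no reader: check the CCID driver (e.g. acsccid for ACS readers)"; return 1; }
    step ok "pcscd is active and lists a reader"

    # Step 3: fido2-token available
    command -v fido2-token >/dev/null 2>&1 || { step FAIL "fido2-token missing: install libfido2"; return 1; }
    step ok "fido2-token found"

    # Step 4: the implant shows up as a PC/SC authenticator
    case "$(fido2-token -L 2>/dev/null | classify_listing)" in
        pcsc) step ok "implant reachable via PC/SC; browsers still need a USB HID bridge" ;;
        usb)  step FAIL "only USB tokens listed: this libfido2 lacks PC/SC support (use libfido2-full)"; return 1 ;;
        *)    step FAIL "no authenticator listed: hold the implant on the reader and retry"; return 1 ;;
    esac
}

# Show the classifier on the constructed sample; run the live checks only
# when asked for, so the file can be sourced without side effects.
printf '%s\n' "$SAMPLE_LISTING" | classify_listing      # prints: pcsc
if [ "${1:-}" = check ]; then
    check_all
fi
```

Run it as `sh fido-check.sh check` once pcscd is up; a `usb` verdict at step 4 is the exact symptom of the stock Arch libfido2, and a `none` verdict with a reader listed usually means the implant is not coupled to the antenna.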

Thank you!

I don’t think pcsc_scan is showing my reader. It’s an ACR1252U.

Had to install the Arch Linux package acsccid 1.1.11-1 (x86_64).

The fido2-token command is available but I can’t seem to get my implant to appear from fido2-token -L or

So I completed step 4 successfully and installed your AUR package. But I still am not getting a “system” prompt with Firefox, Firefox does prompt however.

Yes, now what you are running into is that Firefox only supports USB tokens.

Use one of the gateways from the top of this thread.

Here’s what I’m currently running:

Relay card reader to authenticator application

Tested with ACR1252U-DOT and Omnikey 5022 CL

I don’t think all of these packages are needed

sudo apt-get install libusb-1.0-0-dev libpcsclite-dev pcscd pcsc-tools swig3.0 swig libffi-dev

pipx install poetry

cd /home/USERNAME/Documents/

git clone https://github.com/BryanJacobs/fido2-hid-bridge.git

cd fido2-hid-bridge

poetry install

Update permissions so the program cannot be modified by non-root user

sudo chmod -R 750 /home/USERNAME/Documents/fido2-hid-bridge
sudo chown -R root:USERNAME /home/USERNAME/Documents/fido2-hid-bridge

sudo -E ./.venv/bin/fido2-hid-bridge

Automate the reader to work upon reboot

(Tested on Ubuntu 24.04 LTS)

Create cronjob:

sudo su
crontab -e

Paste

@reboot /home/USERNAME/Documents/fido2-hid-bridge/.venv/bin/fido2-hid-bridge


I took the approach of making a systemd service, but have been using the same package for months without issue

[Unit]
Description=Fido2 to HID bridge
After=auditd.service syslog.target network.target local-fs.target

[Service]
WorkingDirectory=/opt/fido2-hid-bridge
ExecStart=/opt/fido2-hid-bridge/.venv/bin/python bridge.py
Type=simple
Restart=on-failure
RestartSec=60s

[Install]
WantedBy=multi-user.target
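The unit above works, but it runs the bridge as root with no confinement, and a root process that is reachable from every browser tab via the virtual HID device deserves some. The unit below is an added example (not the poster's unit and not from the fido2-hid-bridge project) that keeps the same ExecStart and adds sandboxing. It rests on two assumptions the thread does not state: that the bridge creates its virtual device through /dev/uhid, and that it reaches pcscd only over pcscd's Unix socket. If either is wrong the service will fail to start, and `journalctl -u fido2-hid-bridge` will show which directive to relax.

```ini
[Unit]
Description=Fido2 to HID bridge
# Assumption: the bridge talks to pcscd over its Unix socket, so order after it.
Wants=pcscd.socket
After=pcscd.socket local-fs.target

[Service]
Type=simple
WorkingDirectory=/opt/fido2-hid-bridge
ExecStart=/opt/fido2-hid-bridge/.venv/bin/python bridge.py
Restart=on-failure
RestartSec=60s

# Still root: creating the virtual HID device needs /dev/uhid (assumption).
# Everything below limits what that root process can reach.
NoNewPrivileges=yes
# Whole filesystem read-only, including /opt; matches the intent of the
# chmod/chown step earlier in the thread (the code cannot be altered at runtime).
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
RestrictRealtime=yes
# Only the uhid node plus the standard pseudo-devices; nothing else in /dev.
DevicePolicy=closed
DeviceAllow=/dev/uhid rw
# pcscd is reached over AF_UNIX; the bridge needs no IP sockets (assumption).
RestrictAddressFamilies=AF_UNIX
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload` and a restart, `systemd-analyze security fido2-hid-bridge.service` scores the unit and lists what is still exposed; if the bridge ever needs to write under its own directory, add a `ReadWritePaths=` for that path rather than dropping `ProtectSystem=strict`.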

Did you ever find a solution to this? After more than a year of using my Apex without a PIN, I needed to enroll it for a new service on my work (Windows) laptop, which required me to set up a PIN. Now I can use my Apex on Windows just fine with the PIN I set up, but trying to use it on Linux with the bridge just results in the same “incorrect pin” error (even though the same PIN works on Windows).

I have a debug log from fido2-hid-bridge if it helps.

Answered my own question. Found this issue on GitHub, “Cannot get bridge to work when security key is protected by a PIN” (BryanJacobs/fido2-hid-bridge issue #3), which prompted me to update to the latest version of the code, and the issue went away. So the solution in my case to make the bridge work with a PIN was to update to the latest version.


Anyone else’s FIDO stop working on Arch after updating recently?

Some issues with the service?

fido2-hid-bridge.service: Failed with result 'exit-code'.
Stopped Fido2 to HID bridge.
Started Fido2 to HID bridge.
fido2-hid-bridge.service: Main process exited, code=exited, status=1/FAILURE
fido2-hid-bridge.service: Failed with result 'exit-code'.

@BryanJacobs Any ideas?

EDIT: With enough caffeine and ChatGPT I managed to fix it.
