Latest/Best methods for using FlexSecure on linux?

I’m trying to use my FlexSecure to sign into my linux computers (one running KDE Neon and the others runnning tumbleweed). I have a ACR1252U reader. I’d also like to use it as a 2fa token or a passkey.

I’m looking at a bunch of documentation for accomplishing this, but most of it is at least a year old. Anyone have some up-to-date tips/guides?

Is the FIDO2 applet closed source again? I remember a while back the Apex switched to an open source applet, but now the documentation in the FlexSecure git repository seems to contradict this?

I think there are two FIDO2 applets – with the open source one being the most up-to-date.

One - GitHub - BryanJacobs/FIDO2Applet: FIDO2 Javacard Applet - is open source and designed to be compatiable with any JavaCard 3.04 chip. The repository looks to be updated regularly (last release was in January), and the documentation says that it can work with Linux – both to unlock a LUKS encrypted disk, and to log in (but that requires a Yubico designed module be installed first). I haven’t tested unlocking a LUKS disk with a an Apex/Javacard, but that seems a great use assuming it is straightforward to setup. I’m a little weary though, since my understanding is that FIDO2 requires a trusted authority, and I don’t know how that authority would be added or known by LUKS.

Then there is a second, closed source FIDO2 applet that VivoKey/Dangerous Things is developing. According to the documentation, "FIDO2 CTAP2 (Client to Authenticator Protocol) is an extension and improvement over FIDO U2F.", but it doesn’t look like it is complete yet (not sure if it is even being actively developed). The linked doc says that it doesn’t work natively with Linux, but can be proxied via an open source module.

There is also a discussion about getting a certified FIDO2 applet for Apex devices. I don’t know if that is just a certified version of the Bryan Jackobs applet, or a fork that DT will work on, or something else entirely.

All of the FlexSecure applets are available pre-compiled from Releases · DangerousThings/flexsecure-applets · GitHub. I think the compiled FIDO2 applet is the open-source Bryan Jackobs one. I was able to easily install and use it on a P71 test card I’ve been playing with, but I’ve only tried it on Windows. It worked to let me sign in to AWS, Google and some others on both Chrome and Firefox, but I didn’t try using it for Windows log on.

@StarGate01 is the maintainer and developer of most of the applets, so he would be the person to clarify the differences between the applets and their capabilities.


Hi, the FIDO2 applet distributed by Vivokey is the open source one by @BryanJacobs . The older closed source one has been frozen / deprecated.

We are still working towards getting the open source one certified. Thanks for the note in the docs, Ill update that. The FIDO2 binary availabe in flexsecure-applets is compile from the open source one.


LUKS uses symmetric encryption with no “trusted authority”.

The way it works is that each FIDO credential has a secret key, and one of those secret keys is used to wrap/unwrap the disk encryption key. You can use any FIDO authenticator (having the hmac-secret extension) to do it, certified or not.


Thanks! That was the part I was missing. I was thinking that the HMAC protocol was separate from FIDO2.

Are there any issues getting the PCSC drivers loaded into the initramfs? Is that something included on the more common distros like Debian?

1 Like

I have it working on Arch, but I did need to customize the initramfs there.

You need systemd (for systemd-cryptsetup), libfido2, and libpcsclite/pcscd.

As it’s still LUKS, you can - and likely should - have a recovery password in one of the other slots, so if your initramfs is broken you can boot.

There is a thing called “hmac-otp” which is not FIDO2. The FIDO2 hmac-secret extension is not the same as HOTP.


There is a separate HMAC-SHA1 applet available which implements the Yubico-style challenge-response protocol. This has almost nothing to do with the hmac-secret extension of FIDO2, just sharing similar cryptographic ideas.

1 Like