Universal 2nd Factor
Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using dedicated USB or NFC devices, based on security technology similar to that of smart cards.
It was originally developed by Google and Yubico, with contributions from NXP Semiconductors, and is now hosted by the FIDO Alliance.
For U2F and U2F devices, see also Category:Universal 2nd Factor.
Authentication for websites
U2F is supported by major sites such as Google, Facebook, Twitter and GitHub. Check out twofactorauth.org or dongleauth.info to find other websites and links to setup documentation. For all browsers that support it, installing libfido2 is likely the only action required. Yubico offers a demo page for testing.
Firefox
Chromium/Chrome
Authentication for Arch Linux
Yubico, the company creating the YubiKey, develops a U2F PAM module. It can act as a second factor during login or replace the password entirely.
Installing the PAM module
The module is part of the package pam-u2f.
Adding a key
Keys need to be added with the tool pamu2fcfg:
$ mkdir ~/.config/Yubico
$ pamu2fcfg -o pam://hostname -i pam://hostname > ~/.config/Yubico/u2f_keys
Click the button of your U2F key to confirm the key.
If you own multiple keys, append them with
$ pamu2fcfg -o pam://hostname -i pam://hostname -n >> ~/.config/Yubico/u2f_keys
Passwordless sudo
Open /etc/pam.d/sudo and add
auth sufficient pam_u2f.so origin=pam://hostname appid=pam://hostname
as the first line. Be sure to replace the hostname as mentioned above. Then open a new terminal and type sudo ls. Your key's LED should flash, and after clicking it the command is executed.
GDM login
Open /etc/pam.d/gdm-password and add
auth required pam_u2f.so nouserok origin=pam://hostname appid=pam://hostname
after the existing auth lines. Note the use of the nouserok option, which keeps the rule from failing for users who have not configured a key. This way setups with multiple users where only some of them use a U2F key are supported.
Other authentication methods
Enable the PAM module for other services as explained above. For example, to secure the screensaver of Cinnamon, edit /etc/pam.d/cinnamon-screensaver.
Troubleshooting
If you managed to lock yourself out of the system, boot into recovery mode or from a USB pen drive. Then revert the changes in the PAM config and reboot.
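A pre-flight check for the sudo and GDM rules above, added here as an example rather than code from the wiki page or from pam-u2f: it takes a PAM line and the hostname and reports the misconfigurations that end in the lock-out just described, so a rule can be verified before a new terminal is opened. The function names are this example's own; it assumes only POSIX sh and sed.

```shell
#!/bin/sh
# Pre-flight check for the pam_u2f.so rules above (added example, not code
# from the wiki page or from pam-u2f). It flags the mistakes that end in the
# lock-out described under Troubleshooting: the placeholder pam://hostname
# left in place, origin/appid that do not match this host, and a
# gdm-password rule without nouserok. Needs only POSIX sh and sed.

# pam_opt NAME LINE: print the value of NAME=value from a pam_u2f.so line.
pam_opt() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# check_u2f_rule HOST SERVICE LINE: print findings; return 0 if the rule is
# sane for this host and service (sudo or gdm-password), 1 otherwise.
check_u2f_rule() {
    host=$1 service=$2 line=$3 rc=0
    case $line in
        *pam_u2f.so*) ;;
        *) echo "FAIL: not a pam_u2f.so rule: $line"; return 1 ;;
    esac
    for opt in origin appid; do
        val=$(pam_opt "$opt" "$line")
        if [ "$val" = "pam://hostname" ]; then
            echo "FAIL: $opt still carries the placeholder pam://hostname"; rc=1
        elif [ "$val" != "pam://$host" ]; then
            echo "FAIL: $opt=$val does not match pam://$host"; rc=1
        fi
    done
    # Multi-user machines: without nouserok, users with no key cannot log in.
    case "$service:$line" in
        gdm-password:*nouserok*) ;;
        gdm-password:*) echo "WARN: gdm-password rule lacks nouserok"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $service rule bound to pam://$host"
    return "$rc"
}

# check_keys_file PATH: the file written by pamu2fcfg must exist and be
# non-empty, otherwise pam_u2f has no registered key to verify against.
check_keys_file() {
    [ -s "$1" ] && return 0
    echo "FAIL: $1 missing or empty; run pamu2fcfg first"
    return 1
}

# Typical use on the machine being configured:
# check_u2f_rule "$(hostname)" sudo "$(grep pam_u2f.so /etc/pam.d/sudo)"
# check_keys_file "$HOME/.config/Yubico/u2f_keys"
```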
OpenSSH
OpenSSH supports FIDO/U2F hardware tokens natively since 8.2. Both the client and the server must support the ecdsa-sk or ed25519-sk key types. Generate a security-key-backed key pair with:
$ ssh-keygen -t ecdsa-sk