Use Yubikey or other security keys for 2FA

Need support for GhostBSD. Ask here if your question does not fit elsewhere.
nevets
Posts: 163
Joined: Tue Jun 23, 2020 3:54 am

Use Yubikey or other security keys for 2FA

Post by nevets »

Has anyone experience in using USB security keys / dongles?
Am considering 2FA with them.
These articles are quite involved and inconsistent
https://hackacad.net/freebsd/2020/03/27 ... eebsd.html
https://gist.github.com/spmzt/9436b30fb ... 769df71e4e
https://forums.freebsd.org/threads/howt ... bsd.84600/
And I'm not that technically savvy...
Need this to work with Firefox and ProtonPass
:-)
ericbsd
Developer
Posts: 2123
Joined: Mon Nov 19, 2012 7:54 pm

Re: Use Yubikey or other security keys for 2FA

Post by ericbsd »

I think this would be the one for firefox https://gist.github.com/daemonhorn/bdd7 ... on-yubikey.
ericbsd
Developer
Posts: 2123
Joined: Mon Nov 19, 2012 7:54 pm

Re: Use Yubikey or other security keys for 2FA

Post by ericbsd »

This morning, I was looking to get one for myself; I should be able to help further when I get one.
ericbsd
Developer
Posts: 2123
Joined: Mon Nov 19, 2012 7:54 pm

Re: Use Yubikey or other security keys for 2FA

Post by ericbsd »

I got my Yubikey. I got it to work. I will come back with some instructions. I have to test other things.
ericbsd
Developer
Posts: 2123
Joined: Mon Nov 19, 2012 7:54 pm

Re: Use Yubikey or other security keys for 2FA

Post by ericbsd »

So, I have installed those packages:

Code:

sudo pkg install yubico-piv-tool libu2f-host u2f-devd py311-yubikey-manager

You might only need libu2f-host and u2f-devd.

After that, I have added my user to the u2f group.

Code:

sudo pw group mod u2f -m ericbsd

I have tested it here: https://webauthn.io. I set it on my Proton account, and it is working, although sometimes the first attempt fails.
ericbsd
Developer
Posts: 2123
Joined: Mon Nov 19, 2012 7:54 pm

Re: Use Yubikey or other security keys for 2FA

Post by ericbsd »

For Firefox with PIV Authentication

Enable and start the pcscd service

Code:

sudo service pcscd enable
sudo service pcscd start

Configure Firefox to use ykcs11
  • Open Firefox.
  • Enter about:preferences in the address bar.
  • In the left hand column, click Privacy & Security
  • Under the Security section, click Security Devices.
  • Click Load and provide the following information:
    • Module Name: YubiKey PIV
    • Module filename: /usr/local/lib/libykcs11.so
I found the steps here https://support.yubico.com/hc/en-us/art ... entication
ericbsd
Developer
Posts: 2123
Joined: Mon Nov 19, 2012 7:54 pm

Re: Use Yubikey or other security keys for 2FA

Post by ericbsd »

Enable FIDO U2F in Firefox

Ensure that FIDO U2F is enabled in Firefox. By default, it is missing.
  • Open Firefox.
  • Enter about:config in the address bar.
  • Accept the risk warning to proceed.
  • Search for security.webauth.u2f.
  • It is missing, so create it as a bool and ensure the value is set to true.
I found this here https://support.yubico.com/hc/en-us/art ... entication.

After I did that, I was able to use the Yubico demo with Firefox.
nevets
Posts: 163
Joined: Tue Jun 23, 2020 3:54 am

Re: Use Yubikey or other security keys for 2FA

Post by nevets »

Brilliant - I'll get my key now, thanks.
nevets
Posts: 163
Joined: Tue Jun 23, 2020 3:54 am

Re: Use Yubikey or other security keys for 2FA

Post by nevets »

PLUS we need...
the pkg snap to run verifications:
# ykman info
# sudo snap connect firefox:raw-usb
# sudo snap connect firefox:password-manager-service
# sudo systemctl status pcscd
# snap connections firefox
# ykman fido credentials list
AND
To set the pin number we need:
# sudo ykman fido access change-pin --new-pin 123456
mameko
Posts: 9
Joined: Tue Oct 15, 2024 6:04 am

Re: Use Yubikey or other security keys for 2FA

Post by mameko »

I have used a Yubikey 5 for more than a year now and it works very well. I have a PIN and the key is fully functional.
For a working key you only need to install:

Code:

pkg install libu2f-host u2f-devd pcsc-lite

Then enable pcscd at boot:

Code:

service pcscd enable

Add your user to the u2f group

Code:

pw group mod u2f -m user

(replace user with your actual username)
And simply reboot the system. For using 2FA in your Firefox you don't need to adjust anything in Firefox. In the current Firefox that works out of the box. I use it in FreeBSD and NomadBSD (Yes, FreeBSD) and GhostBSD. It works.
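
Added example, not part of any post in this thread: a small sh check for the two pieces of state the replies above configure, membership of the u2f group and pcscd enabled at boot. The function names and the default paths /etc/group and /etc/rc.conf are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Functions take optional file paths so
# they can be pointed at constructed copies instead of the live files.

# in_group GROUP USER [GROUPFILE]: succeed if USER is in GROUP's member list.
in_group() {
    awk -F: -v g="$1" -v u="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "${3:-/etc/group}"
}

# rc_enabled SERVICE [RCFILE]: succeed if the last SERVICE_enable assignment
# is one of the values rc.subr treats as true (YES, TRUE, ON, 1).
rc_enabled() {
    awk -v k="$1_enable=" '
        { sub(/^[ \t]+/, "") }               # ignore leading blanks
        index($0, k) == 1 {                  # commented-out lines never match
            v = substr($0, length(k) + 1)
            sub(/[ \t]*#.*/, "", v)          # drop a trailing comment
            gsub(/["'\'' \t]/, "", v)        # drop quotes and blanks
            val = toupper(v)                 # later assignments override earlier ones
        }
        END { exit !(val == "YES" || val == "TRUE" || val == "ON" || val == "1") }' \
        "${2:-/etc/rc.conf}"
}

# check_setup USER [GROUPFILE] [RCFILE]: print one line per check and
# return the number of failed checks.
check_setup() {
    fails=0
    if in_group u2f "$1" "${2:-/etc/group}"; then
        echo "ok:   $1 is in group u2f"
    else
        echo "FAIL: $1 is not in group u2f (pw group mod u2f -m $1)"
        fails=$((fails + 1))
    fi
    if rc_enabled pcscd "${3:-/etc/rc.conf}"; then
        echo "ok:   pcscd is enabled at boot"
    else
        echo "FAIL: pcscd is not enabled (service pcscd enable)"
        fails=$((fails + 1))
    fi
    return "$fails"
}
```

Source the file and run `check_setup "$(id -un)"`; the exit status is the number of failed checks.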