
Use Yubikey or other security keys for 2FA

Posted: Fri Sep 20, 2024 8:40 pm
by nevets
Has anyone experience in using USB security keys / dongles?
Am considering 2FA with them.
These articles are quite involved and inconsistent
https://hackacad.net/freebsd/2020/03/27 ... eebsd.html
https://gist.github.com/spmzt/9436b30fb ... 769df71e4e
https://forums.freebsd.org/threads/howt ... bsd.84600/
And I'm not that technically savvy...
Need this to work with Firefox and ProtonPass
:-)

Re: Use Yubikey or other security keys for 2FA

Posted: Sun Sep 22, 2024 8:47 am
by ericbsd
I think this would be the one for firefox https://gist.github.com/daemonhorn/bdd7 ... on-yubikey.

Re: Use Yubikey or other security keys for 2FA

Posted: Sun Sep 22, 2024 8:51 am
by ericbsd
This morning, I was looking to get one for myself; I should be able to help further when I get one.

Re: Use Yubikey or other security keys for 2FA

Posted: Wed Sep 25, 2024 10:05 pm
by ericbsd
I got my Yubikey. I got it to work. I will come back with some instructions. I have to test other things.

Re: Use Yubikey or other security keys for 2FA

Posted: Wed Sep 25, 2024 11:21 pm
by ericbsd
So, I have installed those packages:

Code:

sudo pkg install yubico-piv-tool libu2f-host u2f-devd py311-yubikey-manager

You might only need libu2f-host and u2f-devd.

After that, I have added my user to the u2f group.

Code:

sudo pw group mod u2f -m ericbsd

I have tested it here: https://webauthn.io. I set it on my Proton account, and it is working, although sometimes the first attempt fails.

Re: Use Yubikey or other security keys for 2FA

Posted: Thu Sep 26, 2024 6:39 pm
by ericbsd
For Firefox with PIV Authentication

Enable and start the pcscd service

Code:

sudo service pcscd enable
sudo service pcscd start

Configure Firefox to use ykcs11
  • Open Firefox.
  • Enter about:preferences in the address bar.
  • In the left-hand column, click Privacy & Security.
  • Under the Security section, click Security Devices.
  • Click Load and provide the following information:
    • Module Name: YubiKey PIV
    • Module filename: /usr/local/lib/libykcs11.so
I found the steps here https://support.yubico.com/hc/en-us/art ... entication

Re: Use Yubikey or other security keys for 2FA

Posted: Thu Sep 26, 2024 6:45 pm
by ericbsd
Enable FIDO U2F in Firefox

Ensure that FIDO U2F is enabled in Firefox. By default, it is missing.
  • Open Firefox.
  • Enter about:config in the address bar.
  • Accept the risk warning to proceed.
  • Search for security.webauth.u2f.
  • It is missing, so create it as a bool and ensure the value is set to true.
I found this here https://support.yubico.com/hc/en-us/art ... entication.

After I did that, I was able to use the Yubico demo with Firefox.

Re: Use Yubikey or other security keys for 2FA

Posted: Fri Sep 27, 2024 3:20 am
by nevets
Brilliant - I'll get my key now, thanks.

Re: Use Yubikey or other security keys for 2FA

Posted: Mon Oct 28, 2024 4:45 pm
by nevets
PLUS we need...
the pkg snap to run verifications:
# ykman info
# sudo snap connect firefox:raw-usb
# sudo snap connect firefox:password-manager-service
# sudo systemctl status pcscd
# snap connections firefox
# ykman fido credentials list
AND
To set the pin number we need:
# sudo ykman fido access change-pin --new-pin 123456

Re: Use Yubikey or other security keys for 2FA

Posted: Mon Oct 28, 2024 9:20 pm
by mameko
I use a Yubikey 5 for more than a year now and it works very well. I have a pin and the key is fully functional.
For a working key you only need to install:

Code:

pkg install libu2f-host u2f-devd pcsc-lite

Then enable pcscd at boot:

Code:

service pcscd enable

Add your user to the u2f group

Code:

pw group mod u2f -m user

(replace user with your actual username)
And simply reboot the system. For using 2FA in your Firefox you don't need to adjust anything in Firefox. In the current Firefox that works out of the box. I use it in FreeBSD and NomadBSD (Yes, FreeBSD) and GhostBSD. It works.
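
Two of the steps in the post above (pcscd enabled at boot, user added to the u2f group) can be checked before rebooting. The script below is an added example, not part of the thread: the function names are hypothetical, it reads only /etc/group and /etc/rc.conf by default, and the sample files it builds are constructed.

```sh
#!/bin/sh
# Added example: verifies the state the thread's setup steps should leave behind.
# Function names are hypothetical; file arguments default to the live system files.

# group_has_member GROUP USER [GROUP_FILE]: true if USER is listed as a member.
group_has_member() {
    awk -F: -v g="$1" -v u="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit (ok ? 0 : 1) }' "${3:-/etc/group}"
}

# rc_enabled SERVICE [RC_CONF]: true if the last SERVICE_enable= assignment is a yes.
# Only this one file is read; rc.conf.local and /etc/rc.conf.d are not consulted.
rc_enabled() {
    awk -v key="${1}_enable" -v q="'" '
        { sub(/#.*/, ""); gsub("[ \t\"" q "]", "") }
        index($0, key "=") == 1 { val = tolower(substr($0, length(key) + 2)) }
        END { exit ((val == "yes" || val == "true" || val == "on" || val == "1") ? 0 : 1) }' \
        "${2:-/etc/rc.conf}"
}

# check_u2f_setup USER [GROUP_FILE] [RC_CONF]: prints one line per check and
# returns the number of failed checks (0 means both steps are in place).
check_u2f_setup() {
    fails=0
    if group_has_member u2f "$1" "${2:-/etc/group}"; then
        echo "ok:   $1 is in group u2f"
    else
        echo "FAIL: $1 is not in group u2f (fix: pw group mod u2f -m $1)"
        fails=$((fails + 1))
    fi
    if rc_enabled pcscd "${3:-/etc/rc.conf}"; then
        echo "ok:   pcscd is enabled at boot"
    else
        echo "FAIL: pcscd is not enabled (fix: service pcscd enable)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample files (not from the thread) so the checks run on any system.
tmp=$(mktemp -d)
printf 'wheel:*:0:root\nu2f:*:116:alice\n' > "$tmp/group"
printf 'sshd_enable="YES"\npcscd_enable="YES"\n' > "$tmp/rc.conf"
check_u2f_setup alice "$tmp/group" "$tmp/rc.conf"
check_u2f_setup bob "$tmp/group" "$tmp/rc.conf" || echo "$? check(s) failed for bob"
rm -rf "$tmp"
```

On a real system, call `check_u2f_setup "$(id -un)"` with no file arguments. A group membership added with pw applies only to new login sessions, which is why the post says to reboot.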