Why is Linux OS having an issue with registration and authentication on webauthn.io using yubikey 5 over NFC whereas it supports usb based only?

Question

Webauthn.io in Linux OS asks for usb based registration and authentication.It does not support yubikey over NFC due to some issue.

I tried using my yubikey over omnikey reader for testing on Webauthn.io from chrome browser on Linux OS but it only asks for usb based registration but I want to do it over nfc. Is there any solution ?

Answer 1

Disclaimer: I don't have a card reader lying around, so I couldn't test this.

There can be multiple reasons why your Linux system is having an issue with webauthn. The first might be support of whether your webauthn over PCSC. PCSC stands for Personal Computer/Smart Card. It is a specification for smart-card integration into computing environments. Linux systems use pcsclite implementation of PCSC, which I assume you have already installed.

Now the Yubikey needs to be able to communicate over PCSC for Webauthn. This is governed by libfido2. You can install it or can build it from source. I would personally recommend building the latest version from source.

You need to install the following dependencies for the same from apt:

sudo apt-get install git make cmake gcc build-essential libcbor-dev libudev-dev libpcsclite libssl-dev libfido2-doc fido2-tools

Then you need to clone the libfido2 repository, build it and install it

git clone https://github.com/Yubico/libfido2
cd libfido2
cmake -B build
make -C build
sudo make -C build install

Now you can restart your system to get the latest version of libfido2 working.

Now the second problem arises. Your system can now communicate with the Yubikey over PCSC on NFC. But your browser still does not support the same for NFC.

This is an issue with all major browsers like Chrome, Chromium, Firefox.(See here Stackoverflow)

There are usually two workarounds:

1. Get a supported browser
2. Make the browser read the YubiKey as an USB device even when it is on NFC

I came across a fork from the chromium browser called ungoogled-chromium which can allow the use of PCSC. Ungoogled Chromium Github. You can install this from flatpak. First uninstall your current chromium (if you have it installed) and then run.

sudo apt-get install flatpak
sudo flatpak install com.github.Eloston.UngoogledChromium

Now you can enable PCSC on it by

flatpak kill com.github.Eloston.UngoogledChromium
flatpak override --user com.github.Eloston.UngoogledChromium --socket=pcsc

Now you can try testing your YubiKey.

Now, the second approach is to bridge your YubiKey to be read as a USB device. This repo gives a promising approach. I personally dont use poetry to install packagages, so I would use pip3 only.

pip3 install cffi cryptography pyscard pycparser uhid fido2 fido2[pcsc]
sudo pip3 install cffi cryptography pyscard pycparser uhid fido2 fido2[pcsc]

Now clone the repository and run it

git clone https://github.com/BryanJacobs/fido2-hid-bridge
cd fido-hid-bridge
sudo python3 bridge.py

Now you can again test with the browser. Hope this works.