FIDO2 security keys with FINGERPRINT protection not working on FREEBSD

[maurizio]

Hello all,
I have FreeeBSD 13.1.
I have many fido2 security keys with fingerprint protection: Feitian BIOPASS FIDO2 and Token2 2F2BIO.
I have other standard FIDO2 keys that works perfectly (yubikey 5 nfc for example) on my freebsd 13.1.
Now even Yubikey offers the BIO version with fingerprint protection.
As you can read here Chrome/Chromium (https://www.token2.com/site/page/managing-t2f2-fido2-keys-under-macos-or-linux) offers a sort of configuration tool for FIDO2 keys to reset security key, add/remove PIN, add/remove fingerprints.

$ dmesg
ugen0.3: <TOKEN2 FIDO2 Security Key> at usbus0
ukbd1 on uhub0
ukbd1: <TOKEN2 FIDO2 Security Key, class 0/0, rev 1.10/1.00, addr 2> on usbus0
kbd3 at ukbd1
uhid1 on uhub0
uhid1: <TOKEN2 FIDO2 Security Key, class 0/0, rev 1.10/1.00, addr 2> on usbus0

Why fido2 security keys with fingerprint protection don't work on FreeBSD?

Regards

 

[ralphbsz]

Why fido2 security keys with fingerprint protection don't work on FreeBSD?

What minimum version of Chrome/Chromium do you need for them to be supported? What version are you using on FreeBSD?

Does the FreeBSD USB subsystem need to be adjusted for this model? There are some files that describe specific "quirks" (normal behavior overrides) that certain USB devices need; it's possible that these tokens need such a quirk, and someone has to modify the table for them. Read usb_quirk.c in the kernel sometime, to see how that is conceptually done.

 

[vienuolis]

pam_fprint seems deprecated since may 2020

https://forum.nomadbsd.org/t/how-to-login-with-the-fingerprint-reader/893/

 

[mer]

Sometimes it can be a matter of permissions on the USB device. An example, I have a Digital camera that I can plug in via USB and pull images off. Well, I'm running software a my user but the default permissions don't allow my user to read the camera.
Solution was to create a devd config file that matches on the vendor/product and does chgrp and chmod on the /dev/cdev.

I'm not saying this would be a solution for the OP but could be a hint/clue.

 

[maurizio]

https://forum.nomadbsd.org/t/how-to-login-with-the-fingerprint-reader/893/

Maybe adding/removing fingerprints on chromium require additional software (maybe pam_fprint or other alternatives).
I suppose standard usage process (normal login) of FIDO2 keys' Fingerprint reading should be done on the device itself and not on OS (freebsd, linux, ...) level. I don't know.

Fido2 security keys with fingerprint protection work on firefox too but firefox does not have a configuration tool to reset security key, add/remove PIN, add/remove fingerprints.

I installed security/u2f-devd using freebsd pkg.
On /etc/devd/u2f.conf I have BioPass FIDO2 but it does not work on FREEBSD:

# Feitian ePass FIDO, BioPass FIDO2
notify 100 {
match "system" "USB";
match "subsystem" "DEVICE";
match "type" "ATTACH";
match "vendor" "0x096e";
match "product" "(0x0850|0x0852|0x0853|0x0854|0x0856|0x0858|0x085a|0x085b|0x085d)";
action "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
};

attach 100 {
match "vendor" "0x096e";
match "product" "(0x0850|0x0852|0x0853|0x0854|0x0856|0x0858|0x085a|0x085b|0x085d)";
action "chgrp u2f /dev/$device-name; chmod g+rw /dev/$device-name";
};

On https://www.token2.com/site/page/using-token2-fido2-keys-under-linux this is the linux configuration for token2 bio:

# this udev file should be used with udev 188 and newer
ACTION!="add|change", GOTO="u2f_end"

# Key-ID FIDO U2F
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="349e", ATTRS{idProduct}=="0010", TAG+="uaccess"

LABEL="u2f_end"

I should check hardware IDs (idVendor, idProduct, ...).

Standard FIDO 2 keys like Solokeys and Yubikeys works perfectly on my Freebsd on Firefox and Chromium.
FIDO2 is technically considered an evolution of FIDO U2F, even if its freebsd package is called u2f-devd.

FIDO2 security keys are great! Far better than TOTP (Time Based One Time Password) because TOTP secret key can be copied by anyone. FIDO2 security keys are unique because they cannot be copied.
Furthermore pins and fingerprints offer additional protection.

 

[maurizio]

Hello all,

I think FIDO 2.1 is the new standard that include fingerprint-biometric protection https://fidoalliance.org/specs/fido...-authenticator-protocol-v2.1-rd-20201208.html

But on Yubikey Bio Techinical Manual https://docs.yubico.com/hardware/yubikey/yk-bio/tech-manual/webdocs.pdf I read on Usage Notes:

The YubiKey Bio implements biometrics as outlined in the CTAP 2.1 specification. The best user experiences are
provided by the YubiKey Bio with client applications and browsers that also implement CTAP 2.1. Applications and
browsers that implement CTAP 1 or CTAP 2.0 will also work with the YubiKey Bio; however, the UI on client devices
will not be as intuitive, and there may be some limitations.

It seems that biometric fido2 keys should also work on applications/browsers that support up to fido 2.0.
So maybe this is the reason why it already works on linux and windows.

I have just installed libfido2, using freebsd pkg, but my bio fido2 keys don't work.

In my previous post I wrote the wrong path to u2f.conf file.
On FreeBSD 13 the right path is /usr/local/etc/devd/u2f.conf

I hope more users-experts-developers will test and make biometric fido2 keys work on freebsd to make freeBSD desktop users more secure.

 

[angry_vincent]

i suggest to file PR on bugs.freebsd.org about this very issue, it is the right place.