Versions Compared

Old Version 1

changes.mady.by.user Pavel Břoušek (Deactivated)

Saved on

compared with

New Version Current

changes.mady.by.user Pavel Břoušek (Deactivated)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Before adding a security key (WebAuthn), check if you already have at least one authentication code (TOTP) registered and one of the following:

...

Expand
titlePhysical Security Token (YubiKey, SoloKey, GoTrust IdemKey, Feitian, OnlyKey...)

For this type, simply follow the instructions below.
For more information, please visit the website of your manufacturer:

Yubico YubiKey: https://www.yubico.com/setup/

SoloKey: https://solokeys.com/pages/start

GoTrust IdemKey: https://gotrustid.com/products-idem-key/

Feitian: https://www.ftsafe.com/Products/FIDO

OnlyKey: https://onlykey.io/pages/how-it-works

Generally: https://fidoalliance.org/specifications/

How to set up security keys in ProxyIdp:

1

Open the Token Management System

2

Make sure that you already have at least one verification code device (TOTP) enrolled and have your backup codes generated. If not, enroll verification code (How to add (first) Verification Code) and generate backup codes (How to Generate Backup Codes), then continue to the next step.

3

Click the Enroll Token button.

...

4

Select the security key option and enter a description (e.g. key‑fob manufacturer or phone model). The description serves only as your name for the token.

Continue with the Continue button.

...

5

A dialogue box (system or browser) will appear, prompting you to confirm.

...

Expand
titleGoogle passkey

(The following tutorial is shown on a mobile device, but you can use the same procedure with other devices).

Depending on your device's screen lock type, take the appropriate action.

Note

This type of security key requires a screen lock (fingerprint, gesture, pin,...) on the corresponding device.

Then press continue to create a passkey.

...

Expand
titleLinux

Using a tool called tpm-fido it is possible to get TPM backed FIDO2 authentication on a Linux machine.

Check for TPM

Make sure that you have TPM available:

Code Block
$ ls -l /dev/tpmrm0
crw-rw---- 1 tss tss 253, 65536 Mar 13 10:11 /dev/tpmrm0

If not, it might help to update BIOS/UEFI, manufacturers often added firmware TPM to support Windows 11.

Install tpm-fido

If the TPM device is present, you can proceed:

Code Block
# Build
git clone https://github.com/psanford/tpm-fido/
cd tpm-fido
go build
cp tpm-fido ~/bin/

# Autostart
cat <<EOF >> /home/$USER/.config/autostart/tpm-fido.desktop
[Desktop Entry]
Exec=/home/$USER/bin/tpm-fido
Icon=
Name=tpm-fido
Path=
Terminal=False
Type=Application
EOF

# Allow user to use /dev/tpmrm0
sudo usermod -a -G tss "$USER"

# Setup uhid
echo uhid | sudo tee /etc/modules-load.d/uhid.conf
echo 'KERNEL=="uhid", SUBSYSTEM=="misc", GROUP="users", MODE="0660"' | sudo tee /etc/udev/rules.d/70-uhid.rules

# reboot afterwards
Expand
titlePhysical Security Token (YubiKey, SoloKey, GoTrust IdemKey, Feitian, OnlyKey...)

Plug the security key into an easily accessible USB slot. If you have a security key with a fingerprint scan, make sure you already have a fingerprint set up.

Press the button or scan the fingerprint on the security key.

6

If the registration was successful, you will be informed that the token is enrolled. Click the Finish button.

...