How to add a security key

Before adding a security key (WebAuthn), check that you already have at least one verification code (TOTP) registered and one of the following:

  • a physical security key (so-called "key fob")

  • a device with a security key function

  • an application which serves as a security key (e.g. tpm-fido or a password manager with passkey function)

Decide which security key option to use (we recommend creating a security key for all your devices). If you're not sure which option to choose for each device, you can try our "Which MFA is right for me?" MFA Guide.

More information about the different types of security keys can be found here:

Google Passkeys:
You can use Google Passkeys on your phone or computer. However, you need to set them up separately on each device.

Phone:
You can use Google Passkeys on your Android smartphone on Chrome, Edge, Opera or Vivaldi browsers. You need your Google account in that browser to do this.

Computer:
It is also possible to use Google Passkeys on your computer. You need a Windows or macOS operating system and the Chrome browser signed in to your Google account.

Further reading: Passwordless login with passkeys (Authentication, Google for Developers).

Android security key (Firefox):
This option is for Android devices only and works only with the Firefox browser. To create an Android security key, simply follow the instructions below. Everything must be done in Firefox. Each device must be set up separately.

Apple (Touch ID/Face ID):
This option is for MacBooks, iPads and iPhones. The security key is created using Touch ID or Face ID. Each device must be set up separately.

iPhone: https://support.apple.com/en-gb/guide/iphone/iphf538ea8d0/ios

Mac: https://support.apple.com/en-gb/guide/mac-help/mchl4af65d1a/mac

Windows Hello:
This option is for Windows computers and laptops. You authenticate with a fingerprint, face recognition, PIN, etc. Each device must be set up separately.

https://support.microsoft.com/en-us/windows/learn-about-windows-hello-and-set-it-up-dae28983-8242-bb2a-d3d1-87c9d265a5f0

tpm-fido (Linux with TPM 2.0):
This type of security key is only for Linux devices with TPM 2.0. Each device must be set up separately.

https://github.com/psanford/tpm-fido/

Physical security key:
For this type, simply follow the instructions below.
For more information, please visit your manufacturer's website:

Yubico YubiKey: https://www.yubico.com/setup/

SoloKey: https://solokeys.com/pages/start

GoTrust IdemKey: https://gotrustid.com/products-idem-key/

Feitian: https://www.ftsafe.com/Products/FIDO

OnlyKey: https://onlykey.io/pages/how-it-works

Generally: https://fidoalliance.org/specifications/

How to set up security keys in ProxyIdp:

1. Open the Token Management System.

2. Make sure that you already have at least one verification code device (TOTP) enrolled and have generated your backup codes. If not, enroll a verification code (https://perunaai.atlassian.net/wiki/spaces/PERUN/pages/202539070) and generate backup codes (https://perunaai.atlassian.net/wiki/spaces/PERUN/pages/202440793), then continue to the next step.

3. Click the Enroll Token button.

4. Select the security key option and enter a description (e.g. key-fob manufacturer or phone model). The description serves only as your name for the token.

Continue with the Continue button.

5. A dialogue box (system or browser) will appear, prompting you to confirm.

Take the appropriate action depending on the type of security key:

Google Passkeys:
(The following tutorial is shown on a mobile device, but you can use the same procedure with other devices.)

Depending on your device's screen lock type, take the appropriate action. This type of security key requires a screen lock (fingerprint, gesture, PIN, ...) on the corresponding device. Then press Continue to create a passkey.

Android security key:
Select This device; another dialog box will then appear asking you to enter your screen lock. This type of security key requires a screen lock (fingerprint, gesture, PIN, ...) on the corresponding Android device.

iPhone:
Use Face ID or Touch ID to complete the sign-in. If you have not set up Face ID or Touch ID on your iPhone, enter your device passcode (the code you use to unlock your iPhone).

macOS:
Use Touch ID to complete the sign-in. Place your finger on the Touch ID sensor.

Windows Hello:
Confirm with a fingerprint, face recognition or PIN (or take the appropriate action depending on the type of device).

Password manager:
After setting up the security key in your password manager (in this case, Dashlane), continue by logging into the Token Management System.

A dialogue box (system or browser) will appear, prompting you to confirm.

tpm-fido:
Using a tool called tpm-fido it is possible to get TPM-backed FIDO2 authentication on a Linux machine.

Check for TPM

Make sure that you have a TPM available (the device must exist and belong to the tss group):

$ ls -l /dev/tpmrm0
crw-rw---- 1 tss tss 253, 65536 Mar 13 10:11 /dev/tpmrm0

If it is missing, it might help to update the BIOS/UEFI: manufacturers often added a firmware TPM to support Windows 11.

Install tpm-fido

If the TPM device is present, you can proceed:

# Build
git clone https://github.com/psanford/tpm-fido/
cd tpm-fido
go build
mkdir -p ~/bin
cp tpm-fido ~/bin/

# Autostart (desktop entry; boolean values in desktop entries are lowercase)
mkdir -p /home/$USER/.config/autostart
cat <<EOF >> /home/$USER/.config/autostart/tpm-fido.desktop
[Desktop Entry]
Exec=/home/$USER/bin/tpm-fido
Icon=
Name=tpm-fido
Path=
Terminal=false
Type=Application
EOF

# Allow the user to use /dev/tpmrm0 (group membership takes effect after re-login)
sudo usermod -a -G tss "$USER"

# Setup uhid: load the module at boot and let the "users" group access /dev/uhid
# (your account must be a member of that group for the rule to help)
echo uhid | sudo tee /etc/modules-load.d/uhid.conf
echo 'KERNEL=="uhid", SUBSYSTEM=="misc", GROUP="users", MODE="0660"' | sudo tee /etc/udev/rules.d/70-uhid.rules

# reboot afterwards
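As an added example (not part of this page or of the tpm-fido project), a POSIX shell preflight script that verifies what the commands above set up: the TPM device, tss group membership, the uhid module and udev rule, and the autostart entry. The paths default to the ones used above; the function names are my own.

```shell
#!/bin/sh
# Added example, not tpm-fido project code: preflight checks for the setup
# above. Each check returns 0/1 and takes its path or group list as an
# optional parameter so it can be exercised on constructed input.

# /dev/tpmrm0 must exist and be a character device (the TPM resource manager).
tpm_device_present() {
    [ -c "${1:-/dev/tpmrm0}" ]
}
# The space-separated group list (default: the current user's groups, which
# only refresh after re-login) must contain the group named in $1.
in_group() {
    want="$1"
    for g in ${2:-$(id -nG)}; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}
# uhid must be listed for loading at boot, one module name per line.
uhid_autoload_configured() {
    conf="${1:-/etc/modules-load.d/uhid.conf}"
    [ -r "$conf" ] && grep -qx 'uhid' "$conf"
}
# The udev rule must match the uhid device and grant group read/write (0660).
uhid_udev_rule_present() {
    rule="${1:-/etc/udev/rules.d/70-uhid.rules}"
    [ -r "$rule" ] && grep -q 'KERNEL=="uhid"' "$rule" && grep -q 'MODE="0660"' "$rule"
}
# The autostart entry's Exec= target must exist and be executable, otherwise
# tpm-fido never starts and the browser sees no authenticator.
autostart_entry_valid() {
    entry="${1:-$HOME/.config/autostart/tpm-fido.desktop}"
    [ -r "$entry" ] || return 1
    target=$(sed -n 's/^Exec=//p' "$entry" | head -n 1)
    [ -n "$target" ] && [ -x "$target" ]
}
# Run every check against the real system; non-zero exit if anything is missing.
preflight() {
    rc=0
    tpm_device_present       || { echo "FAIL: no /dev/tpmrm0 (enable TPM/fTPM in firmware)"; rc=1; }
    in_group tss             || { echo "FAIL: not in group tss (usermod -a -G tss, then re-login)"; rc=1; }
    uhid_autoload_configured || { echo "FAIL: uhid missing from /etc/modules-load.d"; rc=1; }
    uhid_udev_rule_present   || { echo "FAIL: udev rule for uhid missing"; rc=1; }
    autostart_entry_valid    || { echo "FAIL: autostart entry missing or Exec not executable"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: tpm-fido prerequisites satisfied"
    return "$rc"
}

case "${1:-}" in run) preflight ;; esac   # run the checks only when invoked with "run"
```

Run it as `sh preflight.sh run` after the reboot; a FAIL line names the step above that still needs to be done.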

Physical security key:
Plug the security key into an easily accessible USB slot. If you have a security key with a fingerprint scanner, make sure you already have a fingerprint set up.

Press the button or scan the fingerprint on the security key.

6. If the registration was successful, you will be informed that the token is enrolled. Click the Finish button.

You can add any number of additional verification codes or security keys. We strongly recommend the registration of at least two devices.


Support: perun@cesnet.cz