One of the things I’ve always wanted to experiment with on my computers is logging in and authenticating things like sudo requests with a hardware tool – a fingerprint reader, a smart card, or a USB hardware security device like a YubiKey. There’s really no solid reason for me to want this other than that it just feels cool and futuristic to me (yes, even in this, the year of our lord 2024). I have no state secrets, no secret Swiss bank accounts, no whistleblower material to protect, and my computers rarely leave the house – I just want it because it’s possible and cooler than typing in my password.
Due to the flexibility and feature set of the YubiKey, I think it’s the best choice to go for. A no-name USB fingerprint reader would probably be ugly, cumbersome to position, and Linux support would be difficult to determine. A USB smart card reader would bring the same issues as the fingerprint reader, and combined with a smart card it seems like it’s just a YubiKey with extra steps. I do have to admit the idea of sliding a smart card into a slot and having it authorise you sounds really, really satisfying.
Anyway, YubiKeys come in all shapes and sizes, but I want one of the USB-A ones with a fingerprint reader built-in, since I can plug it in at the bottom of my monitor, perfectly positioned to put my thumb on it to authenticate. This way, it’s easily accessible to be used to log into my desktop session, authorise sudo requests when I’m configuring things, log into websites with Firefox, and so on.
But there’s a problem: setting up a YubiKey on Linux seems like it’s a huge ordeal.
Just look at the official instructions on the YubiKey website, or the instructions on the Fedora website, my distribution of choice. That’s absolutely insane, and nobody should be expected to understand any of this nonsense to use what is being marketed as a consumer product. It’s important to note that this is not a hardware, software, or driver issue – all the necessary support is there, and Linux can make full use of the functionality tools like the YubiKey offer. The problem is that you’re expected to set this up manually, package by package, configuration file by configuration file, PAM module by PAM module.
When I first looked into getting a YubiKey, I expected biometric and advanced authentication tools like these to be fully integrated into modern Linux distributions and desktop environments. I figured that once you plugged one of these tools into your PC, additional options would become available in GNOME’s or KDE’s user account settings, but apparently, this isn’t the case. This means that even if you manually set everything up using the official arcane incantations, your graphical user interface won’t be aware of any of that, and changing anything will mean you have to go through those official arcane incantations again.
This is entirely unacceptable. The moment you plug in an advanced hardware security tool like a YubiKey, GNOME and KDE should recognise it, and the settings, tools, and setup ‘wizards’ relevant to it should become available. All the hardware and software support is there – and in 2024, biometric and advanced security devices like these should not be so complicated and unforgiving to set up. Smart cards and fingerprint readers have been supported by Linux for literally decades. Why isn’t this easier?
For now, I’m still in doubt about going through with buying a YubiKey. I definitely have the skills to go through with this whole insane setup process, but I really shouldn’t have to.
Every time 2FA keys are mentioned everyone always links to Yubikey. But they are overpriced and not fully open anymore.
Not sure if your type of fingerprint key is in the product catalog but have a look at Token2.
https://www.token2.swiss/home
A lot cheaper and they have a software collection:
https://www.token2.swiss/site/page/tools-for-programmable-tokens
Wow, they have a lot of products available. Which one would you recommend?
It really depends on your needs. I don’t need NFC or Bio. Most versions can be had in USB-C, USB-A or both.
I have several but even the cheapest (5 euro!) works for me. I am not versed in all the security protocols and generally buy the cheapest (2 for 25 euro stuff). No complaints with any of them.
I do not like the concept of storing my fingerprint anywhere, let alone on a computer or phone that can be accessed through the internet.
If they have the fingerprint and a reasonable amount of identification data they could easily make fake passports and do very nefarious things in my name. No thank you.
I’m pretty sure they don’t actually store your fingerprint. Instead, they store a one-way hash of your fingerprint, so it is impossible to recreate the original fingerprint from the stored hash.
Drumhellar,
That’s true. However, similarly to how password hashes can be brute forced, fingerprint hashes can be brute forced too. (I’ve successfully used hashcat to brute force gravatar email hashes just to prove it could be done).
Fingerprint scanners may be able to distinguish between a million fingerprints, that’s hardly a challenge for modern computers. Technically you can increase precision required to trigger a fingerprint match in order to increase the computational complexity, but you’ll end up increasing the false negatives because fingerprint scans are not precise and matches are fuzzy by their analog nature.
IMHO if someone were to publish their biometric hashes, I think someone would be able to crack it. It helps if hashes are kept locally on device and never sent upstream to providers. Local copies could still be breached, but IMHO it’s far harder for a hacker to compromise millions of individual devices versus one database containing millions of fingerprint hashes. Even barring the reversibility of hashes though, we leave copies of our fingerprints all around us: tables, door handles, mice, phones, touch screens, HD video footage… unless you take extraordinary measures 24×7, you’re probably vulnerable.
https://www.theguardian.com/technology/2014/dec/30/hacker-fakes-german-ministers-fingerprints-using-photos-of-her-hands
Of course, Thom outlined his use case being for casual security only… and that’s fair enough. After all, most of our stuff isn’t that interesting. But because biometrics can’t be changed, once they are leaked it becomes risky to use them again for more secure contexts. We have businesses using biometrics for trivial matters, such as theme parks…
https://insidethemagic.net/2020/09/universal-orlando-resort-fingerprints-kj1/
Our school district intended to collect student fingerprints
These things could be valuable hacker targets.
Except they aren’t — a fingerprint is not an exact value, it is fuzzy-matched by certain descriptors, so it cannot be hashed. Forging a fake finger from them is not an obvious or easy task, but still.
mbq,
There are fuzzy hashing algorithms that allow for variations, but they’re not in the same class as cryptographic hashes. While not for fingerprints, these links explain the concepts.
https://www.meshsecurity.io/blog/fuzzyhashing
https://en.wikipedia.org/wiki/Fuzzy_hashing
Think of fitting analog values into more granular buckets and using a lot more hashes to allow some of them to mismatch. Android and other fingerprint applications require the user to input many fingerprint samples to capture more analog variations.
Of course this has genuinely useful applications. Unfortunately though, some sources aren’t very honest about biometric risks, and may claim that fingerprints cannot be recreated using the hashed data points. Such assertions involve a sleight of hand at best and complete deception at worst….
https://www.universalstudioshollywood.com/web/en/us/faqs/biometrics
A fingerprint hash can be reversed by brute forcing inputs that pass the matching algorithm. Fuzzy matching functions might not even be cryptographically sound and there could be analytic solutions, but even if we assume the hashes are cryptographic quality one-way hashes, the brute forcing technique still works…
So when Universal says this…
Mathematically speaking, it absolutely is possible to recreate fingerprint images from the features they collect, the only question is whether they have enough bits of data to do so completely or partially. For all we know they might have kept all the bits, but let’s give them the benefit of the doubt and say they throw away 50% of the bits…
1) Throwing away bits reduces the ability to discern matching fingerprints from non-matching ones simply because there is less data to go on (ie higher false positives). Throwing away bits implies less security.
2) Throwing away some bits removes finer details but it doesn’t prevent you from generating fingerprint images that match the bits they’ve kept.
3) Non-overlapping bits are cumulative. Different samples and/or different databases could be recombined. While hashes work a bit differently, it could be visualized in this way: One scanner throws away the left hand side of the fingerprint while another scanner throws away the bottom. Each sample only keeps 50% of the bits, but they only partially overlap and together they can recreate 75% of the fingerprint.
4) Throwing away bits doesn’t necessarily throw away all the information corresponding to those bits when there is redundancy in the pattern. Say we throw away 50 puzzle pieces from a 500 piece puzzle… we factually threw away 10% of the pieces, but did we lose 10% of the information about the remaining shapes? No, actually. Much of the information about a piece’s possible shapes can be derived from the other shapes we have. In fact this is the basis for both lossy and lossless compression algorithms.
I find this to be such an interesting topic, but I feel there are too many people trying to sugarcoat biometric technology and hashes as a secure yet privacy protecting panacea. They’ll gloss over lots of facts.
PS. This is a long post, hopefully I’ve taken care of the formatting issues.
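To make the brute-force argument in the two replies above concrete (the "a million fingerprints is hardly a challenge" point and the "brute forcing inputs that pass the matching algorithm" point), here is an added toy model, not from the post or any commenter and not a real minutiae matcher. It assumes an invented matcher that quantizes each minutia (x, y, ridge angle) into a 16×16×4 bucket grid, sorts the buckets, and stores only a SHA-256 of the result. Nothing is wrong with SHA-256 here; the template space is simply small enough to walk, and once a template is recovered a synthetic "finger" at the bucket centres is accepted as the enrolled user.

```python
"""Toy model of a 'hashed' fingerprint template: fuzzy quantization + SHA-256.
Added example; the bucket sizes are invented and far coarser than a real matcher."""
import hashlib
import itertools
import math
from typing import List, Optional, Sequence, Tuple

GRID = 16          # x and y each quantized into 16 buckets (assumed)
ANGLE_BUCKETS = 4  # ridge orientation quantized into 4 buckets (assumed)

Minutia = Tuple[float, float, float]  # (x, y) in [0, 1), angle in radians
Cell = Tuple[int, int, int]


def quantize(m: Minutia) -> Cell:
    """The 'fuzzy' step: nearby raw measurements land in the same bucket."""
    x, y, angle = m
    return (min(int(x * GRID), GRID - 1),
            min(int(y * GRID), GRID - 1),
            int((angle % (2 * math.pi)) / (2 * math.pi) * ANGLE_BUCKETS) % ANGLE_BUCKETS)


def template(scan: Sequence[Minutia]) -> Tuple[Cell, ...]:
    """Order-independent multiset of buckets; this is what gets hashed."""
    return tuple(sorted(quantize(m) for m in scan))


def digest(cells: Tuple[Cell, ...]) -> str:
    return hashlib.sha256(repr(tuple(cells)).encode()).hexdigest()


def enroll(scan: Sequence[Minutia]) -> str:
    """What a 'we only store a one-way hash' vendor would keep."""
    return digest(template(scan))


def verify(stored: str, scan: Sequence[Minutia]) -> bool:
    return digest(template(scan)) == stored


def search_space(n_minutiae: int) -> int:
    """Number of distinct templates = multisets of n cells drawn from the grid."""
    cells = GRID * GRID * ANGLE_BUCKETS
    return math.comb(cells + n_minutiae - 1, n_minutiae)


def brute_force(stored: str, n_minutiae: int) -> Tuple[Optional[Tuple[Cell, ...]], int]:
    """Enumerate every template the matcher could accept and hash each one.
    The one-wayness of SHA-256 never comes into play: the input space is the limit."""
    all_cells = [(x, y, a) for x in range(GRID) for y in range(GRID) for a in range(ANGLE_BUCKETS)]
    tried = 0
    for cells in itertools.combinations_with_replacement(all_cells, n_minutiae):
        tried += 1
        if digest(cells) == stored:
            return cells, tried
    return None, tried


def synthesize_scan(cells: Sequence[Cell]) -> List[Minutia]:
    """Turn a recovered template into a fake 'finger': the centre of each bucket.
    Coarser buckets (more tolerance) shrink the search and widen this accepted region."""
    return [((x + 0.5) / GRID, (y + 0.5) / GRID, (a + 0.5) * 2 * math.pi / ANGLE_BUCKETS)
            for x, y, a in cells]


if __name__ == "__main__":
    # Constructed sample scan; a second, noisier scan of the 'same finger' still matches.
    scan = [(0.28, 0.72, 1.0), (0.80, 0.15, 4.0)]
    stored = enroll(scan)
    print("noisy rescan accepted:", verify(stored, [(0.30, 0.70, 1.2), (0.79, 0.17, 4.2)]))
    print("templates to try:", search_space(2))
    recovered, tried = brute_force(stored, 2)
    print("recovered after", tried, "hashes:", recovered)
    print("synthesized finger accepted:", verify(stored, synthesize_scan(recovered)))
```

With two minutiae the whole space is 524,800 templates and the search finishes in about a second of plain Python; a real template has tens of minutiae and finer buckets, so the honest question is how many bits the vendor's quantization actually keeps, exactly as the reply above says.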
Meanwhile people with Apple Watches can set their Mac to look for Apple Watch and if near and logged into same account. It works great 80% or more of the time. When it doesn’t work it is usually because the watch or Mac has an update.
Note: I am NOT anti Linux. I have worked for multiple reasons with over a dozen different Linux distributions. I just prefer Mac overall.
Also know that security is kept on the watch and on the Mac or iPhone/iPad and not on the Internet with windows or Linux sometimes.
Personally, I like all operating systems, except for windows.
I don’t use my yubikey to log into my desktop (fedora) but it’s my 2fa for nearly everything. I have a backup key, stored in a firesafe.
Why? Having everything on my phone is just to easy to lose or run out of battery at an inopportune moment.
I just installed the Flatpak and touch my yubikey when it asks… Done.
I bought one of these about 10 years ago. It looks like it’s gotten much easier and friendly over the last decade :)… well, it looks about the same, really. What’s changed is that there’s better support for it in the OS than there was back then.
I have tried this before, I’ve used fingerprint readers, smart card readers, and yes yubikey. I’m back to using a password on linux. Why? It’s a royal, royal pain in the behind. Even when implemented correctly it’s still a terrible solution prone to breaking. I thought it was absurdly difficult years ago and it hasn’t changed.
I recently ran headfirst into this issue when I got a YubiKey in the hopes of making it easier and more secure to manage lots of Linux VMs (surprise! It’s actually harder). As far as I can tell, there is only one terminal or ssh program that has figured out a way to make this simple to set up and deploy: Termius (https://termius.com/). They’ll configure your security key, generate certificates, securely distribute them, and log in using them, all using a simple GUI wizard (https://support.termius.com/hc/en-us/articles/5618120162457-Using-FIDO2-for-SSH-authentication).
If only they didn’t know they were the only people around who’ve figured this out and put it behind a $10/month subscription fee.
subsider34,
You could use ssh-copy-id to automatically authenticate sessions from the host into the guests. This works out of the box. I imagine a YubiKey solution would have to be installed in every single guest VM.
While you can use FIDO2 with SSH, I’d recommend just using the OpenPGP card app on the yubikey and store your ssh key in the auth slot.
Presumably you already have some method in place to provision public keys to VMs to login, so it should just be a drop-in solution.
> There’s really no solid reason for me to want this other than that it just feels cool and futuristic to me (yes, even in this, the year of our lord 2024). I have no state secrets, no secret Swiss bank accounts, no whistleblower material to protect, and my computers rarely leave the house – I just want it because it’s possible and cooler than typing in my password.
You are, however, a possible attack vector through which your family/friends/other acquaintances could be scammed. Using a USB 2FA key for email and other internet accounts, which only requires that the account in question supports it (no exotic installations on your part), would significantly reduce the risk of passwords and 2FA codes getting phished.
Am I the only one who looks at the instructions and thinks: wow, these are entirely reasonable
Someone coming from the early HOWTO days, which usually did work, or required downloading 20 things manually resolving their version conflicts, this is almost “straightforward”.
Download a tool, add this as a PAM authentication method, sign some certificates, and it works. It doesn’t even require updating firmware or binary blobs.
What happened to Linux users?
which usually did not* work (need that edit button)
I get that this is frustrating, but this is not a thing either KDE or Gnome can address by themselves, and they really shouldn’t try. Your desktop environment should 1000% not be touching your PAM configuration and if it did it would likely be a never ending nightmare of security vulnerabilities in the making.
Ultimately, this has to be something each distribution must address for themselves and I suspect there are a hell of a lot of other usability issues that come much higher in the priority queue than this one.
I use a Yubikey for my desktops, and I have it tuned just the way I like it. Just touch to log in to the display manager, pin + touch for shell access, sudo and polkit. I just keep the PAM configs for my setup on usb flash and copy-paste them to new machines as required. While this isn’t perhaps terribly newbie friendly, it’s not exactly a chore either.
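The post complains about the PAM-module-by-PAM-module setup, and the comment above describes the end state most people want (touch for the display manager, PIN + touch for shell, sudo and polkit). The dangerous part of that hand-editing is not the typing but the semantics of `sufficient` combined with a couple of pam_u2f options. The checker below is an added example, not from the post, the commenter, or Yubico's tooling; it parses a `/etc/pam.d/<service>` file and reports the effective pam_u2f policy plus the two classic misconfigurations: `sufficient` + `nouserok` (a user with no enrolled key, or a missing authfile, gets in with neither key nor password) and `sufficient` with the default per-user authfile (the user can enroll any key into `~/.config/Yubico/u2f_keys` and skip the password; Yubico's guides move it to the root-owned `/etc/Yubico/u2f_keys` for this reason). The option names (`authfile`, `cue`, `nouserok`, `alwaysok`, `pinverification`, `userverification`, `userpresence`) are real pam_u2f options; the two sample service files are constructed for the demo.

```python
"""Audit a pam_u2f auth stack: effective policy and the classic footguns.
Added example; not Yubico code. Run it against /etc/pam.d/sudo before you log out."""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List

# "auth sufficient pam_u2f.so args..." ; control may be bracketed, e.g. [success=1 default=ignore]
PAM_RE = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PamLine:
    kind: str             # auth / account / password / session
    control: str          # required / sufficient / requisite / optional / include / [...]
    module: str           # basename, e.g. pam_u2f.so
    args: Dict[str, str]  # "key=value" -> value, bare flags -> ""


def parse_pam(text: str) -> List[PamLine]:
    """Parse the contents of a /etc/pam.d/<service> file, ignoring comments."""
    out: List[PamLine] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PAM_RE.match(line)
        if not m:
            continue
        kind, control, module, rest = m.groups()
        args: Dict[str, str] = {}
        for tok in rest.split():
            key, _, val = tok.partition("=")
            args[key] = val
        out.append(PamLine(kind, control, module.rsplit("/", 1)[-1], args))
    return out


def audit_u2f(text: str) -> Dict[str, object]:
    """Return {'present', 'pin', 'touch', 'warnings'} for the pam_u2f lines in the auth stack."""
    warnings: List[str] = []
    u2f = [l for l in parse_pam(text) if l.kind == "auth" and l.module == "pam_u2f.so"]
    if not u2f:
        return {"present": False, "pin": False, "touch": False,
                "warnings": ["pam_u2f.so is not in the auth stack"]}
    for l in u2f:
        sufficient = l.control == "sufficient"
        if "alwaysok" in l.args:
            warnings.append("alwaysok: the module always succeeds (test-only flag)")
        if sufficient and "nouserok" in l.args:
            warnings.append("sufficient + nouserok: a user with no enrolled key "
                            "(or a missing authfile) skips both the key and the password")
        authfile = l.args.get("authfile", "")
        if sufficient and not authfile.startswith("/etc/"):
            warnings.append("sufficient with a user-writable authfile (%s): the user can enroll "
                            "any key and bypass the password"
                            % (authfile or "default ~/.config/Yubico/u2f_keys"))
    # pinverification=1 / userverification=1 ask for the FIDO2 PIN; userpresence=0 disables touch,
    # anything else leaves the authenticator's default (presence required) in place.
    pin = any(l.args.get("pinverification") == "1" or l.args.get("userverification") == "1"
              for l in u2f)
    touch = all(l.args.get("userpresence", "1") != "0" for l in u2f)
    return {"present": True, "pin": pin, "touch": touch, "warnings": warnings}


# Constructed sample service files for the demo (not copied from any distribution).
SUDO_PIN_AND_TOUCH = """\
# key first (PIN + touch); if pam_u2f fails, fall through to the normal password stack
auth    sufficient  pam_u2f.so authfile=/etc/Yubico/u2f_keys cue pinverification=1
auth    include     system-auth
account include     system-auth
session include     system-auth
"""

SUDO_BROKEN = """\
auth    sufficient  pam_u2f.so nouserok cue
auth    include     system-auth
"""

if __name__ == "__main__":
    # Usage: python pam_u2f_audit.py /etc/pam.d/sudo   (or no argument for the demo)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SUDO_BROKEN
    report = audit_u2f(text)
    print("pam_u2f present:", report["present"], "pin:", report["pin"], "touch:", report["touch"])
    for w in report["warnings"]:
        print("WARNING:", w)
```

Keep a second root shell open while changing `/etc/pam.d/sudo`, and test `sudo -k && sudo true` from a fresh terminal before closing it: `sufficient` only falls through to the password on failure, so a typo in the module path or authfile still locks you out of the key path and a `required` line with a bad authfile locks you out entirely.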
Got a Tuxedo Linux laptop with fingerprint reader, and guess what? Only supported on Windows. Linux is not ready, yet.
Kochise,
IMHO the FOSS community is fairly good at reverse engineering certain hardware classes like networking, printers, and cameras, but with specialty devices and/or ancillary functions it becomes more hit and miss. Many of my computers don’t have drivers for the fan controllers under linux even though I’d like to have control over thermal solutions. A Fujitsu laptop I own also has a finger scanner that won’t work under linux. This is really the fault of the manufacturers. Alt OS users live with this catch-22. If their platform had more market share, it would be officially supported. However, gaining market share is very difficult without any official support.