This guide explains how to set up a FIDO2 security key as a second factor when logging into your Ubuntu account.
Note: Linux setup processes can vary across distributions and even between different versions of the same distribution. If you encounter any issues during setup, we recommend consulting the official documentation or community forums for your specific Linux distribution.
Requirements:
• A Thetis FIDO security key with a PIN set
• Any of the latest releases of Ubuntu
Installing the required software
1) Open Terminal
2) Run: sudo apt-get update
3) Run: sudo apt-get install libpam-u2f
In Ubuntu, MFA can be used in two authentication scenarios:
a) As a second factor: after entering your login and password, you touch the token (2FA).
b) As a replacement for the password: you enter a PIN code and touch the token (Passwordless).
Setup 2FA
1) Open Terminal
2) Run the command:
$ mkdir -p ~/.config/Thetis
3) Plug in the security key
4) Run the command:
$ pamu2fcfg > ~/.config/Thetis/u2f_keys
Touch the key when the key's light blinks. This will add your FIDO key to the list of accepted security keys.
5) Run the command:
$ sudo mkdir -p /etc/Thetis
6) Run the command:
$ sudo mv ~/.config/Thetis/u2f_keys /etc/Thetis/u2f_keys
7) Run the command:
$ sudo nano /etc/pam.d/common-auth
8) Append line:
auth sufficient pam_u2f.so authfile=/etc/Thetis/u2f_keys
9) Save the changes to the /etc/pam.d/common-auth file, but DO NOT CLOSE THE FILE: first CONFIRM that the deployment was successful (see below).
10) Check that a touch is requested when the user logs in by running the command:
$ su fidouser
Setup Passwordless
1) Open Terminal
2) Run the command:
$ pamu2fcfg -u username > /tmp/u2f_mappings
Please note that if the command is entered without the username parameter, a configuration file will be created for the current user.
Touch the key when the key's light blinks. This will add your FIDO key to the list of accepted security keys.
3) The result should be a file with similar content:
$ cat /tmp/u2f_mappings
fidouser: hOzdi1ekgoVWLEzQH20uWJmoA3Dwno53zd2WCvlApHwfMVp/zz3+awUbeCL0E3pe,jzL+t6w7vhBgR2wwO+61/g8aliGNbDUpYZj6mxLXain4F1bQB0rvnwzP3n+n/GIXUp5Oiui0Du7/aKP/pE27PQ==,es256,+presence
4) Run the command:
$ sudo mv /tmp/u2f_mappings /etc/Thetis/u2f_mappings
5) Run the command:
$ sudo nano /etc/pam.d/common-auth
6) Append line:
auth sufficient pam_u2f.so authfile=/etc/Thetis/u2f_mappings cue pinverification=1
7) Save the changes to the /etc/pam.d/common-auth file, but DO NOT CLOSE THE FILE: first CONFIRM that the deployment was successful (see below).
8) Check if a PIN is requested when the user logs in by running the command:
$ su fidouser
Please enter the PIN:
Please touch the device.
9) Check the GUI login:
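
Added example, not part of the Thetis guide: a read-only shell check to run before logging out. It classifies a pam_u2f line by its PAM control flag (PAM ignores the failure of a `sufficient` module, so only `required` or `requisite` make the key mandatory) and counts a user's credentials in an authfile, assuming the four-field `keyhandle,pubkey,type,flags` layout shown in the sample output above. The function names and verdict labels are this example's own.

```shell
#!/bin/sh
# Added example (not Thetis code): read-only checks for a pam_u2f setup.

# classify_pam_line LINE: print "<verdict> <authfile>"; return 1 when LINE is
# not a pam_u2f auth line. Only single-word control flags are handled.
classify_pam_line() {
    set -f; set -- $1; set +f          # split on whitespace, no globbing
    [ "$1" = auth ] && [ "$3" = pam_u2f.so ] || return 1
    control=$2; shift 3
    authfile=none; pin=0
    for opt in "$@"; do
        case $opt in
            authfile=*)        authfile=${opt#authfile=} ;;
            pinverification=1) pin=1 ;;
        esac
    done
    case $control in
        required|requisite) verdict=enforced ;;      # a failed key check denies login
        sufficient)                                  # a failed key check is ignored
            if [ "$pin" -eq 1 ]; then verdict=passwordless
            else verdict=optional-touch; fi ;;
        *) verdict=unknown ;;
    esac
    echo "$verdict $authfile"
}

# count_credentials FILE USER: print how many well-formed credentials
# (keyhandle,pubkey,type,flags) USER has; return 1 if none or any is malformed.
count_credentials() {
    line=$(grep -m1 "^$2:" "$1") || return 1
    rest=${line#*:}; n=0
    old_ifs=$IFS; IFS=:
    set -f; set -- $rest; set +f       # one positional parameter per credential
    IFS=$old_ifs
    for cred in "$@"; do
        case $cred in
            *,*,*,*,*)  return 1 ;;                  # more than four fields
            ?*,?*,?*,*) n=$((n + 1)) ;;              # four fields, flags may be empty
            *)          return 1 ;;                  # fewer than four fields
        esac
    done
    [ "$n" -gt 0 ] && echo "$n"
}

# The two lines this guide appends to /etc/pam.d/common-auth:
classify_pam_line 'auth sufficient pam_u2f.so authfile=/etc/Thetis/u2f_keys'
classify_pam_line 'auth sufficient pam_u2f.so authfile=/etc/Thetis/u2f_mappings cue pinverification=1'
```

To check a real setup, call `count_credentials /etc/Thetis/u2f_mappings fidouser`; a non-zero exit status means that user has no usable key entry in the file.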