Recently, I bought the Hypersecu HyperFIDO K5 Key to help me secure access to several websites and services with U2F (“Universal Two-Factor Authorization”).
This works easily on Windows, but on Linux things get a little complicated: the key isn’t accessible to all users by default. Access has to be enabled with udev rules. These are widely documented on the web, but the instructions are very often erroneous or outdated. Here’s what I found:
Disclaimer: I’m not a Linux security expert. The following udev rules might look cheesy to a seasoned sysadmin but work for me.
Mike Tsao had a similar problem and blogged about the solution, so this was a good starting point for me. I just had to adapt the “idVendor” (my key shows idVendor=2ccf instead of 096e) and add the “idProduct” to make sure no other hardware from this vendor triggers this rule:
- Using sudo or a Super-User account, create a file “/etc/udev/rules.d/50-u2f.rules” containing:
    # HyperFIDO U2F Key
    SUBSYSTEMS=="usb", ATTRS{idVendor}=="2ccf|096e", ATTRS{idProduct}=="0880", OWNER="root", GROUP="plugdev", MODE:="0660"
- Reload the rules (restart udev daemon):
    sudo udevadm control --reload-rules
- Plug in your U2F key, open Chromium or Chrome and check whether U2F works. I used this site for my checks: https://akisec.com/demo/
Troubleshooting or enabling another vendor’s key
    # You can check what's happening in udev when you plug in the USB key:
    udevadm monitor
    # U2F keys are often identified as "hiddev0" by USB
    # Search for "idVendor" and "idProduct" in output of:
    udevadm info -n /dev/usb/hiddev0 -a | less
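To turn that search into a rule for another key, the sketch below pulls the IDs out of the attribute walk and prints a rule in the format used above. It is an added example, not part of the original post: the function names are made up for illustration and the sample walk is constructed.

```shell
#!/bin/sh
# Added example: build a rule in this page's format from `udevadm info -a` output.

# Constructed, abridged attribute walk. Real input would come from:
#   udevadm info -n /dev/usb/hiddev0 -a
SAMPLE_WALK=$(cat <<'EOF'
  looking at device '/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/usbmisc/hiddev0':
    KERNEL=="hiddev0"
    SUBSYSTEM=="usbmisc"
  looking at parent device '/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0':
    SUBSYSTEMS=="usb"
    DRIVERS=="usbhid"
  looking at parent device '/devices/pci0000:00/0000:00:14.0/usb1/1-2':
    SUBSYSTEMS=="usb"
    ATTRS{idProduct}=="0880"
    ATTRS{idVendor}=="2ccf"
  looking at parent device '/devices/pci0000:00/0000:00:14.0/usb1':
    SUBSYSTEMS=="usb"
    ATTRS{idProduct}=="0002"
    ATTRS{idVendor}=="1d6b"
EOF
)

# Print the first ATTRS{<name>} value on stdin. The walk goes from the device
# up through its parents, so the first match is the key, later ones are hubs.
first_attr() {
    sed -n "s/^[[:space:]]*ATTRS{$1}==\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# USB IDs appear in sysfs as exactly four lowercase hex digits.
is_hex4() {
    case "$1" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a walk on stdin and print the matching rule, or fail if IDs are missing.
make_rule() {
    walk=$(cat)
    vid=$(printf '%s\n' "$walk" | first_attr idVendor)
    pid=$(printf '%s\n' "$walk" | first_attr idProduct)
    if ! is_hex4 "$vid" || ! is_hex4 "$pid"; then
        echo "no usable idVendor/idProduct in input" >&2
        return 1
    fi
    printf 'SUBSYSTEMS=="usb", ATTRS{idVendor}=="%s", ATTRS{idProduct}=="%s", OWNER="root", GROUP="plugdev", MODE:="0660"\n' "$vid" "$pid"
}

printf '%s\n' "$SAMPLE_WALK" | make_rule
```

With MODE 0660 and GROUP plugdev, only root and members of the plugdev group can open the key, so check that your account is in that group before testing.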
References
- Wikipedia: Multi-factor authentication
- FIDO Alliance: How FIDO works
- Hypersecu: HyperFIDO product information
- Once I knew what to search for, I found this list of udev rules by Yubico on GitHub that covers many FIDO token vendors.