rust-u2f VS fido2luks

This project aims to support U2F / FIDO2 using fingerprint reader on Linux (via libfprint). The goal is to have the same user experience with 2FA using Windows Hello.

This project is based on https://github.com/danstiner/rust-u2f with minor modification (see my fork: https://github.com/ngxson/rust-u2f-pkexec)

Link to the project: https://github.com/ngxson/softu2f-fprintd-docker

I've considered adding FIDO2 support to the software-only U2F token I wrote ( https://github.com/danstiner/rust-u2f). It's a fair bit of work though, and I am not sure how comfortable I am with passwordless login unless the keys are kept purely in hardware such as a TPM.

That said, my reading of this post is that FIDO2 support will get built into Chromium directly, which is itself open source. Or if you do want a hardware key but running open software, I'd definitely recommend https://solokeys.com/, I've been following them for a long time.

Also there was some related discussion on this same article last week: https://news.ycombinator.com/item?id=31274677

On a Workspace account you only need U2F token emulator (https://github.com/danstiner/rust-u2f woks fine) and thenn you can setup u2f first and add normal TOTP in second step. But u2f must stay there. I don't have a personal account to try if it works the same.

As it becomes easier to emulate hardware tokens[1], Google may start limiting which ones it accepts. I believe they can use attestation keys to do that.

This is just a softer layer of security to slow down less sophisticated mass signup attempts.

They may very well eventually phase out TOTP, under the justification that it is not as secure, but I would be shocked if they ever retire the highly insecure SMS verification.

TOTP is really easy to implement, and adds a ton of value. I have a oneliner that takes a screenshot, extracts the QR code with zbarimg, and adds it to my pass[2] password database, which then hooks back into my browser. I use it whenever it is available because it is so low effort.

[1]: https://github.com/danstiner/rust-u2f

GitHub has a couple of others listed, but I have not tested them personally: Example https://github.com/danstiner/rust-u2f

Do you have a guide about your approach for u2f + Luks ? I have a solokey so I don't know if I can do that. I am using this to unlock my luks volume: https://github.com/shimunn/fido2luks

I asked a question about while back about setting up yubikey with luks and someone suggested this to use fido with luks. I haven't tried it just yet but plan to test it out soon.

I am on Arch and using https://github.com/agherzan/yubikey-full-disk-encryption since the key I had when configuring my laptop was YubiKey 4 Nano. However there is a similar project out there https://github.com/saravanan30erd/solokey-full-disk-encryption, which uses FIDO2 hmac-secret extension via fido2luks, which I prefer more (simply since it relies on FIDO2 only and works with any key).

According to fido2luks README, I followed the parameter shown in the grub here for my systemd-boot entry, but I'm guessing that the 2fa module is not built in natively (my syntax could be wrong, or messed something up with fido2luks)?