This repository contains sources for a Linux virtual USB-HID FIDO2 device.
This device will receive FIDO2 CTAP2.1 commands, and forward them to an attached PC/SC authenticator.
This allows using authenticators over PC/SC from applications that only support USB-HID, such as Firefox; with this program running you can use NFC authenticators or Smartcards.
Note that this is a very early-stage application, but it does work with Chrome and Firefox.
Add this repo as a flake input, and enable the fido2-hid-bridge
service.
Now you can use your smart card for 2fa in your browser!
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
fido2-hid-bridge.url = "github:arilotter/fido2-hid-bridge";
};
outputs = { fido2-hid-bridge, ... }: {
nixosConfigurations = {
"hostname_here" = nixpkgs.lib.nixosSystem {
modules = [
inputs.fido2-hid-bridge.nixosModule
{
services = {
pcscd.enable = true;
fido2-hid-bridge.enable = true;
};
}
];
};
};
};
}
If you're using an ACR122U, you might also need to blacklist the NFC kernel modules, and add the ACSCCID plugin for pcscd.
# disable modules that conflict w/ smart card reader.
boot.blacklistedKernelModules = [ "nfc" "pn533" "pn533_usb" ];
services.pcscd = {
enable = true;
plugins = [ pkgs.acsccid ];
};
You'll need to install dependencies:
poetry install
And then launch the application in the created virtualenv. You might need to be root
or otherwise get access to raw HID devices (permissions on /dev/uhid
):
sudo -E ./.venv/bin/python bridge.py
If you use nix
, you can simply
nix develop
python3 ./bridge.py
This uses the Linux kernel UHID device facility, and the python-fido2
library.
It relays USB-HID packets to PC/SC.
Nothing more to it than that.