Adopting platform FIDO APIs (U2F/WebAuthn) on Linux

Originally posted on Bug 1530370.

I’m interested in hearing people’s thoughts on adopting FIDO2 platform APIs on Linux, akin to Windows Hello, or Android’s Fido2ApiClient – which Firefox already delegates to on those platforms.

I’ve written a FIDO2 (WebAuthn) and FIDO U2F platform library in Rust [1], for Linux. It’s a WiP, but it already supports the main FIDO2 ceremonies, both FIDO2 PIN protocols, and downgrading WebAuthn for U2F devices (as per specs). I’ve tested this with as many security keys I could get my hands on so far [2]. It’s designed to have pluggable transports, currently supporting HID and BLE (via Bluez), and plans for NFC and caBLE.

As mentioned before, whilst it could be used directly as a library, the main objective is to provide a backend for new D-Bus platform APIs. Secondary goals include supporting TPM platform authenticators, and supporting containerised applications (e.g. Flatpaks[3]), without requiring access to the USB stack, or BLE adapters.

I’m trying to gauge interest in Firefox delegating U2F and FIDO2 to the platform. If this sounds feasible, as the next step I will try and reach out to GNOME shell folks. I reached out earlier to some System76 engineers working on the Cosmic DE, as they may also be interested.



Right now the PassKeys developments have finally created critical mass around WebAuthN/FIDO2/etc. However, the ability to use these capabilities with any browser is practically non-existent in Linux. Currently, there doesn’t seem to be much interest by the major browser vendors to get this working on Linux. However, having a common interface that would simplify the implementation could really help break the log jam.

It looks like you’ve done a lot of work in this area and someone really needs to lead the charge to help get things moving. Thanks for everything you’ve done and I hope you are able to continue.

1 Like

tl;dr edit:

I see you have about 22 Issues on the project page, and tells me to start there.
I will try and get a handle on Rust and go from there.

long form

Hoping to help with this. How can I add to testing of your implementation?
I can get a FIDO2 device and currently have Debian 11 and plenty of RAM for VMs.

Without your input, my initial plan would be:

  1. Learn more about DBus
  2. Take a look at Rust as a language ( I have no knowledge at all of this )
  3. Throw up a VM and try to build your software and test it
  4. Feedback through the usual channels on your github project(s)

Any direction would be helpful.

Thanks everyone for your hard work and efforts!

Just curious, is there any update from Mozilla on this?

Given the increase of importance of 2FA in recent months and traction of passkeys, etc, I am a bit confused about all the silence. :wink:

Backlink to the xdg-desktop-portal issue on this and this bigger blog post on the topic laying out ideas for a design: