During Nullcon I got a Titan Security Key. This device by Google is very similar to the popular Yubikeys. Unlike the first generation of Yubikeys is the Titan Security Key not generating an OTP (One-time password) but supports FIDO as a second factor. Beside using for websites and alike the device could be used for local access to a system as well. This means that I would only have to carry around one key to rule them all and use my old Yubikey as a backup.
Clik here to view.
The Titan Key immediately shows up after it’s plugged-in.
[116764.047928] usb 1-9: reset full-speed USB device number 5 using xhci_hcd [121937.920395] usb 1-1: new full-speed USB device number 22 using xhci_hcd [121938.047491] usb 1-1: New USB device found, idVendor=096e, idProduct=0858, bcdDevice=44.00 [121938.047501] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0 [121938.047507] usb 1-1: Product: U2F [121938.047513] usb 1-1: Manufacturer: FT [121938.055623] hid-generic 0003:096E:0858.0011: hiddev96,hidraw3: USB HID v1.00 Device [FT U2F] on usb-0000:00:14.0-1/input0
To get the Titan Security Key working a new udev rule is needed.
Create a file for the rule:
$ sudo vi /etc/udev/rules.d/60-titan-key.rules
Add this:
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="5026", TAG+="uaccess"
After you are done. A reload of the udev rules is required.
$ sudo udevadm control --reload-rules
The next step is to associating the Titan Security Key with your local user account. Press the key when it’s blinking and your details should be written to the configuration file.
$ pamu2fcfg
user_name:Hxxxc-cHA-3xxxxj-xxxym-xxxX2h-G11_bKZfQ,04xxxxx1a15078c80889
So far so good. To activate the key in authentication process add the following line to the file in /etc/pam.d/ where you want it to use.
auth sufficient pam_u2f.so cue authfile=/etc/security/u2f_keys
