One of the things I've always wanted to experiment with on my computers is logging in and authenticating things like sudo requests with a hardware tool – a fingerprint reader, a smart card, or a USB hardware security device like a YubiKey. There's really no solid reason for me to want this other than that it just feels cool and futuristic to me (yes, even in this, the year of our lord 2024). I have no state secrets, no secret Swiss bank accounts, no whistleblower material to protect, and my computers rarely leave the house – I just want it because it's possible and cooler than typing in my password.
Due to the flexibility and feature set of the YubiKey, I think it's the best choice to go for. A no-name USB fingerprint reader would probably be ugly, cumbersome to position, and Linux support would be difficult to determine. A USB smart card reader would bring the same issues as the fingerprint reader, and combined with a smart card it seems like it's just a YubiKey with extra steps. I do have to admit the idea of sliding a smart card in a slot and having it authorise you sounds really, really satisfying.
Anyway, YubiKeys come in all shapes and sizes, but I want one of the USB-A ones with a fingerprint reader built-in, since I can plug it in at the bottom of my monitor, perfectly positioned to put my thumb on it to authenticate. This way, it's easily accessible to be used to log into my desktop session, authorise sudo requests when I'm configuring things, log into websites with Firefox, and so on.
But there's a problem: setting up a YubiKey on Linux seems like it's a huge ordeal.
Just look at the official instructions on the YubiKey website, or the instructions on the Fedora website, my distribution of choice. That's absolutely insane, and nobody should be expected to understand any of this nonsense to use what is being marketed as a consumer product. It's important to note that this is not a hardware, software, or driver issue – all the necessary support is there, and Linux can make full use of the functionality tools like the YubiKey offer. The problem is that you're expected to set this up manually, package by package, configuration file by configuration file, PAM module by PAM module.
When I first looked into getting a YubiKey, I expected biometric and advanced authentication tools like these to be fully integrated into modern Linux distributions and desktop environments. I figured that once you plugged one of these tools into your PC, additional options would become available in GNOME's or KDE's user account settings, but apparently, this isn't the case. This means that even if you manually set everything up using the official arcane incantations, your graphical user interface won't be aware of any of that, and changing anything will mean you have to go through those official arcane incantations again.
This is entirely unacceptable. The moment you plug in an advanced hardware security tool like a YubiKey, GNOME and KDE should recognise it, and the settings, tools, and setup "wizards" relevant to it should become available. All the hardware and software support is there – and in 2024, biometric and advanced security devices like these should not be so complicated and unforgiving to set up. Smart cards and fingerprint readers have been supported by Linux for literally decades. Why isn't this easier?
For now, I'm still in doubt about going through with buying a YubiKey. I definitely have the skills to go through with this whole insane setup process, but I really shouldn't have to.