Linux does not allow using non-USB transport for FIDO2 natively. We're happy to announce token2-fido-bridge, a small open-source tool that finally lets browsers on Linux use FIDO2 credentials stored on NFC and contact smartcards for WebAuthn.
On Windows and macOS, using a security key in the browser mostly just works. On Linux, one gap has stubbornly remained: browsers can't talk to a FIDO2 credential read through a PC/SC reader. You can have a working reader and a working card, confirm they work with other tools, and still find that no browser will use them to sign in.
Why this happens
A FIDO2 authenticator can speak over more than one transport. USB keys use USB-HID; NFC and contact smartcards use the PC/SC stack. The standard supports both — but Linux has no system-wide WebAuthn API, so each browser ships its own FIDO support, and every mainstream browser built that support for USB-HID only. They scan hidraw devices and never open a PC/SC session, so a working smartcard reader is simply never consulted.
The fix
token2-fido-bridge creates a virtual USB-HID FIDO2 device that the browser sees as an ordinary security key, then relays the browser's CTAP2 requests to your card over PC/SC and passes the responses back. To the browser, your NFC or chip card behaves exactly like a plugged-in key.
What makes it different
The idea isn't new — earlier bridges exist, mostly in Python. We wrote this one in C++ to make it something you install once and forget:
- Tiny and dependency-free — a single native binary of a few hundred kilobytes, versus roughly 15 MB for a Python bridge with its interpreter and packages. No
pip, no virtualenv, nothing to break on the next Python upgrade. - A proper system service — ships as a
.deband.rpmthat install a systemd service and udev rules and start automatically at boot. No script to run every time you log in. - Works with Snap Firefox — Ubuntu's confined Snap browser can't see arbitrary devices, and a virtual HID device has no USB parent for its stock rules to match. We ship a udev rule crafted for exactly this case, so the sandboxed browser works too — not only Chrome.
A couple of things worth knowing
- Chip readers: insert the card before starting the operation. This isn't specific to the bridge or to Linux — a contact card is only "present" while it's seated, and the browser uses whatever authenticators are available the moment the request begins. NFC is different: present the card when prompted.
- It's a systemd service: manage it with
sudo systemctl status|restart|stop|start token2-fido-bridgeif needed.
Manufacturer-agnostic
token2-fido-bridge works with Token2 FIDO2 cards and keys, and with any FIDO2/FIDO2.1-compliant smartcard over PC/SC.
Get it
token2-fido-bridge is completely open source (MIT).
Install the `.deb` (Debian/Ubuntu/Mint) or `.rpm` (Fedora/openSUSE) from the latest release, make sure `pcscd` and your reader are running, and test at /tools/fido2-demo with your card in the reader. Chrome works immediately; for Snap Firefox, fully restart the browser once after installing.
We welcome bug reports, feature requests, and pull requests. Ideally, Linux or the browsers would grow native PC/SC support for WebAuthn and no bridge would be needed — until then, this is the practical layer that makes contactless and smartcard FIDO2 usable for phishing-resistant login on Linux.
updates tools
Did you know?
Token2 is offering currently the most secure FIDO2 keys for enterprise customers, known as the PIN+ Series FIDO2 keys. These keys, certified by the FIDO alliance, enforce PIN complexity at the firmware level. This unique feature is not available with other keys, even those marked as FIPS-certified.Subscribe to our mailing list
Want to keep up-to-date with the latest Token2 news, projects and events? Join our mailing list!