Using Token2 FIDO2 keys under Linux

Although many modern versions of Linux support FIDO2 USB keys natively, quite a lot still do not support them out of the box. The reason is that, for security reasons, USB dongles cannot be accessed by ordinary users by default. To allow user access, so-called "udev rules" must be installed.

This is quite easy to fix manually: create a file such as 70-token2-access.rules in your /etc/udev/rules.d directory with the following content:

# this udev file should be used with udev 188 and newer
ACTION!="add|change", GOTO="u2f_end"

# PID for FIDO U2F
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="349e", ATTRS{idProduct}=="0010", TAG+="uaccess"

LABEL="u2f_end"


Please note that /etc/udev/rules.d also contains rules for individual apps, such as Firefox or Chromium (for example, 70-snap.firefox.rules). The IDs in the rules for these apps may need to be modified as well if you plan to use the keys with these browsers.


Additionally, run the following command after you create this file (it is not necessary to do this again in the future):

sudo udevadm control --reload-rules && sudo udevadm trigger

If you are using the latest build of snapd or products based on it, the correct PID should already be in the config files. See an example below:
{
		Name:             "Token2 FIDO2 key",
		Name:             "Token2 FIDO2 Security Keys",
		VendorIDPattern:  "349e",
		ProductIDPattern: "0010|0011|0012|0013|0014|0015|0016|0020|0021|0022|0023|0024|0025|0026|0200|0201|0202|0203|0204|0205|0206",
	}

Hardware IDs

The IDs shown in the code above are given as an example only. Follow the instructions below to find the ID values of other security key models.

For use with some applications, such as security software, you may need to know the USB product ID (PID) of the FIDO security key you have. You can use the steps below to find the USB PID of your device.

Windows

  1. Open Devices and Printers in the Control Panel.
  2. Right-click on the icon for the FIDO security key and choose Properties.
  3. Click on the Hardware tab.
  4. Click on the Properties button.
  5. Click on the Details tab.
  6. Change the Property drop-down to Hardware IDs.
  7. You will see the PID listed.

Linux

  1. Open Terminal.
  2. Run: lsusb | grep -i FIDO
  3. You will see pairs of VendorID:ProductID listed.

macOS

  1. Open System Report (Apple Menu > About This Mac > System Report).
  2. Navigate to Hardware > USB.
  3. Select the FIDO key.
  4. See the Product ID below.

VID/PID Table

The vendor identification and product identification (VID/PID) data for the latest FIDO2 products from Token2 is shown in the table below:

 

Model            VID     PID1 (for FIDO)  PID2 (for OTP on FIDO)  PID3 (for FIDO+OTP)
USB only         0x349E  0x0010           0x0011                  0x0012
USB+NFC          0x349E  0x0020           0x0021                  0x0022
USB+Fingerprint  0x349E  0x0200           0x0201                  0x0202


For newer devices with the OpenPGP applet, there are additional PIDs used for CCID access and management. See the list below:

Device #1
FIDO          0x0020
OTP           0x0021
FIDO+OTP      0x0022
OTP+PGP       0x0023
FIDO+PGP      0x0024
PGP           0x0025
OTP+PGP+FIDO  0x0026

Device #2
FIDO          0x0010
OTP           0x0011
FIDO+OTP      0x0012
OTP+PGP       0x0013
FIDO+PGP      0x0014
PGP           0x0015
OTP+PGP+FIDO  0x0016

Device #3
FIDO          0x0200
OTP           0x0201
FIDO+OTP      0x0202
OTP+PGP       0x0203
FIDO+PGP      0x0204
PGP           0x0205
OTP+PGP+FIDO  0x0206
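
The udev rule at the top of this page matches only PID 0010, and the tables write IDs as 0x349E while a udev match needs the bare lowercase form 349e. The script below is an added example, not part of Token2's documentation: it turns IDs written in the table's notation into a rules file in the same format, rejecting malformed IDs. The function names normalize_id and token2_udev_rules are hypothetical.

```shell
#!/bin/sh
# Added example: build udev rules in the format shown above from IDs
# written as in the VID/PID table (0x349E, 0x0010, ...).

# normalize_id ID: strip an optional 0x prefix, lowercase the digits and
# require exactly four hex digits. sysfs reports idVendor/idProduct in
# lowercase and udev compares strings case-sensitively, so "349E" or
# "0x349e" in a rule would never match the key.
normalize_id() {
    id=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    id=${id#0x}
    case "$id" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f]) printf '%s\n' "$id" ;;
        *) echo "invalid USB ID: $1" >&2; return 1 ;;
    esac
}

# token2_udev_rules VID PID...: print a complete rules file on stdout.
# Every ID is validated before anything is printed, so a malformed ID
# produces an error and no rules at all.
token2_udev_rules() {
    vid=$(normalize_id "$1") || return 1
    shift
    [ "$#" -gt 0 ] || { echo "no product IDs given" >&2; return 1; }
    rules=
    for raw in "$@"; do
        pid=$(normalize_id "$raw") || return 1
        rules="${rules}KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", \
ATTRS{idVendor}==\"$vid\", ATTRS{idProduct}==\"$pid\", TAG+=\"uaccess\"
"
    done
    printf '%s\n' 'ACTION!="add|change", GOTO="u2f_end"'
    printf '%s' "$rules"
    printf '%s\n' 'LABEL="u2f_end"'
}

# FIDO and FIDO+OTP PIDs of the "USB only" row; save the output as a
# file under /etc/udev/rules.d and reload the rules as described above.
token2_udev_rules 0x349E 0x0010 0x0012
```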