Will FIDO2 also support PIV?

I am still looking for a Nitrokey that supports PIV/Smartcard (FIPS 201) like some YubiKeys do, for a password-less login on macOS. Will FIDO2 support this?

BTW: I was looking on your web page for a comparison: under the topic “The Nitrokey Family” the new NK is missing. And the HSM2 should also be stated as update-able.

PIV is not planned but OpenPGP Card should come next year. I wouldn’t be surprised if sooner or later it will become possible to login passwordless and with a FIDO device at macOS. Potentially requiring a 3rd party software.

Regarding our website: Thank you for pointing this out. It will be fixed shortly.

Thanks for the outlook - hmm, 3rd party software should not be required on macOS. If PIV is not working, there might be an option to use the built-in pam_smartcard.so, when the NK is recognised as a SmartCard.
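As an added example that is not part of this thread (my code, not Nitrokey's or Apple's), here is a POSIX shell check for the built-in pam_smartcard.so module mentioned above. It assumes macOS keeps its PAM service files under /etc/pam.d/, that smartcard login is enabled by an uncommented "auth sufficient pam_smartcard.so" line, and that the line should precede pam_opendirectory.so so the card is tried before the password stack; the sample files are constructed, not copied from a real system.

```shell
#!/bin/sh
# Added example: classify a macOS PAM service file as enabled / misordered /
# disabled with respect to pam_smartcard.so.
# Assumptions (not from the thread): files live in /etc/pam.d/, the module is
# enabled by an uncommented "auth sufficient pam_smartcard.so" line, and that
# line should come before pam_opendirectory.so. All samples are constructed.

# Constructed sample: /etc/pam.d/authorization with smartcard auth enabled
SAMPLE_ENABLED='# authorization: auth account
auth       sufficient     pam_smartcard.so
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       sufficient     pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so'

# Constructed sample: module present but commented out
SAMPLE_COMMENTED='# authorization: auth account
#auth      sufficient     pam_smartcard.so
auth       sufficient     pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so'

# Constructed sample: module present but after the password module
SAMPLE_MISORDERED='auth       sufficient     pam_opendirectory.so use_first_pass nullok
auth       sufficient     pam_smartcard.so
account    required       pam_opendirectory.so'

# pam_smartcard_status TEXT
# Prints exactly one word: enabled, misordered or disabled.
pam_smartcard_status() {
    printf '%s\n' "$1" | awk '
        # skip comments and blank lines
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        # only the auth stack matters for login
        $1 != "auth" { next }
        { n++ }
        $3 == "pam_smartcard.so"     && !sc { sc = n }
        $3 == "pam_opendirectory.so" && !od { od = n }
        END {
            if (!sc)                print "disabled"
            else if (od && od < sc) print "misordered"
            else                    print "enabled"
        }'
}

# check_service NAME: report on the real /etc/pam.d/NAME if this host has one
check_service() {
    f="/etc/pam.d/$1"
    if [ -r "$f" ]; then
        printf '%-18s %s\n' "$1:" "$(pam_smartcard_status "$(cat "$f")")"
    else
        printf '%-18s %s\n' "$1:" "not present on this host"
    fi
}

# Run over the constructed samples, then over the services macOS consults for
# console login, screen unlock and sudo (assumed list; adjust for your setup).
for s in SAMPLE_ENABLED SAMPLE_COMMENTED SAMPLE_MISORDERED; do
    eval "v=\$$s"
    printf '%-18s %s\n' "$s:" "$(pam_smartcard_status "$v")"
done
for svc in authorization login screensaver sudo; do
    check_service "$svc"
done
```

The "misordered" result is the case that bites in practice: the module is loaded, but because pam_opendirectory.so is marked sufficient and sits earlier, the password path succeeds first and the card is never consulted.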

I am also still looking for a Nitrokey that supports a password-less login on a macOS.

And as far as I know password-less login on macOS should work with the Nitrokey Pro and OpenSCToken:

But until now, I didn’t get it working:

I would be very keen if anybody could give me a hint why this is not working.


@boe
Cross-linking your post (Will FIDO2 also support PIV?) to macOS Login with NK (Pro or FIDO).

Hi, have you tried to load the certificate to slot 9?

Card Provisioning
In order to use smartcards with macOS, identities must be populated into Slot 9a, PIV Authentication, and 9d, Key Management (KMK, Encryption), and optionally 9c, if signing functions
such as mail are to be used.

from: man SmartCardServices

Hi @Peacekeeper,

as far as I know there is no support for PIV for Nitrokey FIDO2 and Pro. So there is also no Slot 9a, b or c.

The Nitrokey Pro supports OpenPGP and is by this supported by OpenSC. And “OpenSCToken aims at providing the existing functionality of OpenSC through CryptoTokenKit.” (https://github.com/frankmorgner/OpenSCToken). If I understand it correctly, OpenSCToken is an alternative to PIV.

Unfortunately currently even the OpenSCToken does not support the Nitrokey Pro 2. At least for RSA keys. And with ECC keys I’m currently stuck:

(https://github.com/frankmorgner/OpenSCToken/issues/14)

Hi,
yeah, I also did some investigations during the holidays and have the same results, in addition to the conflict with GnuPG (driver competition). OpenSCToken was recognised in my system in general, but I was not able to use it for login.
To be honest: I gave up! I don’t want to dig deeper into the code than “normal” configuration. Especially as there are tokens on the market that support login out of the box.
As I am the only user and the system is a desktop system, I decided to go a bit further and use no login anymore - dangerous, but it simplifies things and saves some nerves and money :smiley:
In case you find a solution, it would be great if you would post it here.

PS: With Catalina (https://developer.apple.com/security/) Apple has disabled TokenD, which also had PKCS11Token (https://smartcardservices.github.io). Oh, and Apple only accepts RSA keys (and min. 2048 bits).

@Peacekeeper
Do you think it’s worth trying with Nitrokey HSM?

@nitroalex Could you take a look at https://github.com/frankmorgner/OpenSCToken/issues/14#issuecomment-572240953 ?

IMHO the HSM is more a server token as it could handle a lot of different key pairs. And it also has no possibility for “touch” enablement.

Here is the charm of a FIDO2 token: stick it in before or during boot to do the first login (without touch, due to the first USB connection) and when the screensaver has locked the device, simply touch the FIDO2.
This would not work with the HSM.

If FIDO2 would also support ssh, pgp and share the device driver, it would be the perfect end-user stick. The focus only on 2FA and saving entering web login passwords would be too narrow - remember my topic “Why Fido2?”
