#1 2026-04-15 13:11:38

awes
Member
Registered: 2015-03-13
Posts: 26

Yubikey + Chromium + AppArmor - webauthn stopped working

Hello!

This used to work correctly, but at some point it stopped — I'm not sure exactly when.
Currently, when I try to authenticate, Chromium shows the prompt window, but it does not react to the YubiKey at all. The LED on the YubiKey also does not light up.
I use KDE+Wayland.

Thanks in advance for any suggestions.

Some logs:

dmesg

Linux 6.19.11-arch1-1 #1 SMP PREEMPT_DYNAMIC Thu, 02 Apr 2026 23:33:01 +0000 x86_64 GNU/Linux
...
[202923.275029] usb 1-9: USB disconnect, device number 39  
[202925.373472] usb 1-9: new full-speed USB device number 46 using xhci_hcd  
[202925.498547] usb 1-9: New USB device found, idVendor=1050, idProduct=0406, bcdDevice= 5.43  
[202925.498559] usb 1-9: New USB device strings: Mfr=1, Product=2, SerialNumber=0  
[202925.498562] usb 1-9: Product: YubiKey FIDO+CCID  
[202925.498565] usb 1-9: Manufacturer: Yubico  
[202925.503461] hid-generic 0003:1050:0406.0053: hiddev100,hidraw4: USB HID v1.10 Device [Yubico YubiKey FIDO+CCID] on usb-0000:00:14.0-9/input0

Checking which device is handling FIDO:

fido2-token -L
/dev/hidraw4: vendor=0x1050, product=0x0406 (Yubico YubiKey FIDO+CCID)

USB Device:

lsusb | grep -i yubikey 
Bus 001 Device 046: ID 1050:0406 Yubico.com Yubikey 4/5 U2F+CCID

Permissions after connecting:

ls -l /dev/hidraw4
crw-rw----+ 1 root root 243, 4 04-15 14:39 /dev/hidraw4

Trying chmod, no luck...

chmod 0666 /dev/hidraw4
ls -l /dev/hidraw4
# crw-rw-rw-+ 1 root root 243, 4 04-15 14:39 /dev/hidraw4

pcscd service - active, but I don't know if it's needed (I've also checked with pcscd disabled)

systemctl status pcscd
● pcscd.service - PC/SC Smart Card Daemon  
    Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; preset: disabled)  
    Active: active (running) since Wed 2026-04-15 14:42:56 CEST; 3s ago  
Invocation: f135805663624bab9513f61cca68830d  
TriggeredBy: ● pcscd.socket

chromium device log - chrome://device-log/

[14:44:52] UI step: kClosed
FIDODebug[14:44:48] Discovery session started.
FIDOEvent[14:44:48] UI step: kCableV2QRCode
FIDODebug[14:44:48] Transport availability checks done
FIDODebug[14:44:48] Discovery started for transport 0
FIDODebug[14:44:48] Transport availability not yet ready
FIDODebug[14:44:48] Discovery started for transport 3
FIDODebug[14:44:48] BLE adapter address 18:93:41:C6:6A:E1
FIDODebug[14:44:48] Transport availability not yet ready
FIDODebug[14:44:48] Bluetooth status enumerated
FIDODebug[14:44:48] Bluetooth status: On
FIDODebug[14:44:48] Transport availability not yet ready
FIDODebug[14:44:48] FidoRequestHandler observer set
FIDOEvent[14:44:48] Starting MakeCredential flow: { "attestation": "direct", "authenticatorSelection": { "residentKey": "discouraged", "userVerification": "discouraged" }, "challenge": "KUz6xUM2nwV1BlvGsBgWd0r19QLJ8ZRMTtlDnYCbvto", "excludeCredentials": [ ], "pubKeyCredParams": [ { "alg": -7, "type": "public-key" }, { "alg": -8, "type": "public-key" }, { "alg": -35, "type": "public-key" }, { "alg": -36, "type": "public-key" }, { "alg": -37, "type": "public-key" }, { "alg": -257, "type": "public-key" }, { "alg": -47, "type": "public-key" }, { "alg": -48, "type": "public-key" }, { "alg": -49, "type": "public-key" }, { "alg": -50, "type": "public-key" } ], "rp": { "id": "demo.yubico.com", "name": "Yubico Demo" }, "timeout": 600000, "user": { "displayName": "Yubico demo user", "id": "KeztCgK6nv4035SKCQAULjJ_GRM2pMqHz0gndGaG9oA", "name": "Yubico demo user" } }
FIDODebug[14:44:48] Transport availability not yet ready
FIDODebug[14:44:48] No need to check for biometrics on this platform
FIDODebug[14:44:48] Checking for bluetooth availability
FIDODebug[14:44:48] Adding discovery for transport 3
FIDODebug[14:44:48] Adding discovery for transport 0
FIDODebug[14:44:48] Initializing FIDO discoveries
FIDOEvent[14:44:48] Enclave authenticator disabled because no suitable account

YubiKey manager info (run as normal user)
I've disabled OTP, since I don't use it.

ykman info

Device type: YubiKey 5 Nano  
Serial number: 13828877  
Firmware version: 5.4.3  
Form factor: Nano (USB-A)  
Enabled USB interfaces: FIDO, CCID  
  
Applications  
Yubico OTP      Disabled  
FIDO U2F        Enabled  
FIDO2           Enabled  
OATH            Enabled  
PIV             Enabled  
OpenPGP         Enabled  
YubiHSM Auth    Enabled

Packages installed

libfido2 1.16.0-4
python-fido2 2.1.1-1
chromium 147.0.7727.55-1

Last edited by awes (Yesterday 07:48:17)

Offline

#2 2026-04-18 21:08:27

cryptearth
Member
Registered: 2024-02-03
Posts: 2,049

Re: Yubikey + Chromium + AppArmor - webauthn stopped working

still having issues? tested just right now on both webauthn.io and yubico playground - my YK5 works fine without issues in chromium
sometimes you just have to replug the token - maybe also a reboot could help

Last edited by cryptearth (2026-04-18 21:08:50)

Offline

#3 Yesterday 06:09:25

awes
Member
Registered: 2015-03-13
Posts: 26

Re: Yubikey + Chromium + AppArmor - webauthn stopped working

Unfortunately, the problem persists. I performed not only a reboot, but also a full system update (including Chromium and libfido2). I was hoping everything would be fine by now, but unfortunately it isn’t.

Offline

#4 Yesterday 07:47:51

awes
Member
Registered: 2015-03-13
Posts: 26

Re: Yubikey + Chromium + AppArmor - webauthn stopped working

So I found that the key access is somehow blocked by AppArmor, but I don't know why. Even if I add full filesystem access and all "features" (file, network, capability, dbus, signal, ptrace, unix, mount) - it doesn't work, and AppArmor does not log anything useful in complain mode. Must be something included with "include <tunables/global>". Will investigate further...

Offline
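
Added example (not part of any post in this thread): a small filter that pulls the HID-related AppArmor audit events for one profile out of kernel log text, so that both enforce-mode denials (`DENIED`) and complain-mode hits (`ALLOWED`) for the hidraw node and the udev/sysfs paths around it can be read side by side. The profile name `chromium`, the sample log lines and the list of path prefixes are assumptions made for this illustration.

```python
import re

# Constructed sample lines in the kernel's AppArmor audit format (not from the thread).
# The profile names, PIDs, timestamps and paths are made-up values for illustration.
SAMPLE_LOG = '''\
[203001.100001] audit: type=1400 audit(1776255000.101:901): apparmor="ALLOWED" operation="open" class="file" profile="chromium" name="/run/udev/data/c243:4" pid=4242 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[203001.100002] audit: type=1400 audit(1776255000.102:902): apparmor="DENIED" operation="open" class="file" profile="chromium" name="/dev/hidraw4" pid=4242 comm="chromium" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
[203001.100003] audit: type=1400 audit(1776255000.103:903): apparmor="ALLOWED" operation="open" class="file" profile="chromium" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-9/uevent" pid=4242 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[203001.100004] audit: type=1400 audit(1776255000.104:904): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/home/user/.cache/x" pid=5151 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[203001.100005] usb 1-9: new full-speed USB device number 46 using xhci_hcd
'''

# key=value pairs, where the value is either quoted or a bare token
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed path prefixes a process touches when it enumerates and opens hidraw nodes.
HID_PREFIXES = ("/dev/hidraw", "/sys/class/hidraw", "/sys/devices/", "/run/udev/")


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def hid_events(log_text, profile):
    """Collect unique (verdict, path, mask) tuples for HID-related events of one profile."""
    found = set()
    for line in log_text.splitlines():
        event = parse_event(line)
        if not event or event.get("profile") != profile:
            continue
        path = event.get("name", "")
        if path.startswith(HID_PREFIXES):
            # Normalise the mask order so "wr" and "rw" are reported the same way.
            mask = "".join(sorted(event.get("denied_mask", "")))
            found.add((event["apparmor"], path, mask))
    return sorted(found)


if __name__ == "__main__":
    for verdict, path, mask in hid_events(SAMPLE_LOG, "chromium"):
        print(f"{verdict:8} {mask:3} {path}")
```

On a live system the same functions can be fed the text of `dmesg` or `journalctl -k` instead of `SAMPLE_LOG`; an empty result while the profile is loaded means no matching file event was audited for it.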

#5 Yesterday 13:10:36

cryptearth
Member
Registered: 2024-02-03
Posts: 2,049

Re: Yubikey + Chromium + AppArmor - webauthn stopped working

ah, ok - i don't have any such security mitigation stuff in place ... but i remember both AppArmor and SELinux can be a pain in the a** on a regular desktop (i currently still fight SELinux on my server after update to Suse 16)

Offline
