The implementations are following CTAP2.0 and CTAP1/U2F specifications.
Supported features:
You can use your CanoKey as a 2FA device on many websites.
The PIN is not set by default. You may set a new PIN using Windows Hello or other possible applications.
You may use the following command to generate a private key for ssh. See here for more info.
ssh-keygen -t ecdsa-sk
# or you prefer ed25519
ssh-keygen -t ed25519-sk
Use pam_u2f
provided by Yubico. One common scenario is sudo
.
Possible applications:
khefin, for LUKS full disk encryption.
systemd v248+, for LUKS full disk encryption
Due to a bug in the CTAP implementation, Canokeys with firmware version <= 1.3 are incompatible with libfido2 1.7.0, and thus cannot be used with systemd-cryptenroll
.
Users with such key may try libfido2 1.6.0 instead.