@Edent surely this will be a software thing with the pam and the smart card library, not something hardware specific? Or just to clarify, you are looking for hardware known to work with that stack?
@Edent you need something that works with pcsclite. These things use a chipset made by NXP, and usually the internals are designed by 2 companies: HID or ACS.
The ACS ACR122u has been the staple for the last 10+ years.
For HID, look at the 'omnikey' line (I don't know what their latest thing is).
Both are available through the usual robbers (the one is 'zon, digi-key, RS)
@Edent I'm not up to speed with the latest NFC 2FA developments, but I've had good experiences with ACR122U-based readers. I mostly talked to them using libnfc, but they seem to be supported by the acsccid lib too?
@Edent Any NFC CCID Reader should work well with Yubikey or any other similar device. For Linux compatibility, please see this page:
https://ccid.apdu.fr/ccid/section.html
I decided to go with the ACR1252U-MF purely on the basis that it is USB-C.
I don't need some skanky old cable and a bunch of converters. We live in the future now!
https://www.acs.com.hk/en/products/342/acr1252u-usb-nfc-reader-iii-nfc-forum-certified-reader/
@Edent I have the older USB A version of this and it works with a Yubikey over NFC for GPG, PIV and I think WebAuthn in Chrome (or Firefox... can't remember which 😆)
@coelacanthus perfect, thanks 🙂
@nmaggioni thanks 🙂
@Edent ACR122u mainly. The omnikey is cumbersome (it takes a lot of space due to its design).
If you want the 'ultimate' card reader, have a look at their offering with 'dual interface' - you will get NFC and chip interfaces.
@ZeugmaFr brilliant thanks!
Does it need much work to get it to talk to a browser for WebAuthn?
I'm able to do NFC authentication on Firefox for Android, but would like to add my laptop as well 🙂
@Edent It shouldn't be too much of a hassle? Last time I looked at it (2015/2016) the outliers that didn't support it were Internet Explorer (too old) and Edge (too new) (and both too Microsofty - so they did "something standardized by MS").
From what I know, Yubikeys use the ccid driver, and they do WebAuthn out of the box, so I reckon that it should be quite straightforward. It could also depend on what your token does (active crypto/handshake or just keyring).
@ben
Not all NFC readers can read every type of tag. I am looking for a USB device which can read / write FIDO2 NFC tags.
@WilliamLeech ah, yeah - that'd be great. Thanks 🙂
@Edent Couldn't get it to work passing it through into a VM this time. Don't have any Linux running on hardware that I can use for testing at the moment.
@WilliamLeech No worries. Thanks for trying.