<a href="https://en.wikipedia.org/wiki/Universal_2nd_Factor" class="urlextern" title="https://en.wikipedia.org/wiki/Universal_2nd_Factor" rel="nofollow">Universal 2nd Factor</a> (U2F) is an open authentication standard that strengthens and simplifies two-factor authentication using specialized USB or NFC devices.
This feature uses <a href="https://metacpan.org/pod/Crypt::U2F::Server::Simple" class="urlextern" title="https://metacpan.org/pod/Crypt::U2F::Server::Simple" rel="nofollow">Crypt::U2F::Server::Simple</a>, which is only available from the CPAN repository for now. Before compiling it, you must install Yubico's C library headers (called libu2f-server-dev on Debian).
<li class="level1"><div class="li"> U2F ⇒ Authentication level: here you can override the authentication level for users registered with U2F. Leaving it blank keeps the authentication level provided by the first authentication module <em>(default: 2 for user/password based modules)</em>. <strong>It is recommended to set a higher value here if you want to give access to some apps only to enrolled users.</strong></div></li>
<div class="noteimportant">If you want to use a custom rule for “activation” and want to keep self-registration, you must include this in your rule: <code>$_2fDevices =~ /"type":\s*"U2F"/s</code>. Otherwise U2F will be required even if users are not registered. This is done automatically when “activation” is set to “on”.</div>
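Added example (not LemonLDAP::NG code): a stand-alone Perl script that evaluates a custom activation rule with and without the <code>$_2fDevices</code> check from the note above, over constructed sessions. The <code>admins</code> group condition, the session hashes and the JSON <code>name</code> field are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: stand-alone simulation, not LemonLDAP::NG code.
use strict;
use warnings;

# The check quoted in the note, applied to a session's _2fDevices value.
# "// ''" only keeps this script warning-free when the attribute is unset.
sub has_u2f {
    my ($session) = @_;
    return ( $session->{_2fDevices} // '' ) =~ /"type":\s*"U2F"/s ? 1 : 0;
}

# Hypothetical custom condition: U2F is meant for members of "admins".
sub in_scope {
    my ($session) = @_;
    return ( $session->{groups} // '' ) =~ /\badmins\b/ ? 1 : 0;
}

# Custom rule without the enrollment check, and the form the note asks for.
sub rule_without_check { my ($s) = @_; return in_scope($s) }
sub rule_with_check    { my ($s) = @_; return ( in_scope($s) && has_u2f($s) ) ? 1 : 0 }

sub yn { return $_[0] ? 'yes' : 'no' }

# Constructed sessions; the JSON field "name" is illustrative only.
my @sessions = (
    { uid => 'alice', groups => 'admins; users',
      _2fDevices => '[{"type": "U2F", "name": "key1"}]' },
    { uid => 'bob', groups => 'admins',
      _2fDevices => '[{"type":"TOTP","name":"phone"}]' },
    { uid => 'carol', groups => 'admins' },    # nothing registered yet
    { uid => 'dave', groups => 'users',
      _2fDevices => '[{"type":"U2F","name":"key2"}]' },
);

# Columns: does the rule ask for U2F at login?
printf "%-6s %-8s %-15s %s\n", 'uid', 'U2F key', 'rule w/o check', 'rule w/ check';
for my $s (@sessions) {
    printf "%-6s %-8s %-15s %s\n", $s->{uid}, yn( has_u2f($s) ),
      yn( rule_without_check($s) ), yn( rule_with_check($s) );
}
```

Users who are in scope but have no U2F entry are asked for U2F only by the rule that omits the check, which is the situation the note describes.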
<li class="level2"><div class="li"> 38 to 56 with <a href="https://addons.mozilla.org/fr/firefox/addon/u2f-support-add-on/" class="urlextern" title="https://addons.mozilla.org/fr/firefox/addon/u2f-support-add-on/" rel="nofollow">U2F Support Add-on</a></div></li>
<li class="level2"><div class="li"> 57 to 59, with “security.webauth.u2f” set to “true” in “about:config” <em>(see <a href="https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/" class="urlextern" title="https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/" rel="nofollow">Yubico explanations</a>)</em></div></li>
If you have enabled self-registration, users can register their U2F keys using <a href="https://portal/2fregisters" class="urlextern" title="https://portal/2fregisters" rel="nofollow">https://portal/2fregisters</a>.
If a user loses their key, you can delete it from the manager Second Factor module. To enable the manager Second Factor Administration Module, set the <code>enabledModules</code> key in your <code>lemonldap-ng.ini</code> file:
If you have another U2F registration interface, you have to set these keys in the Second Factor Devices array (JSON) in your user database. Then map it to the _2fDevices attribute <em>(see <a href="exportedvars.html" class="wikilink1" title="documentation:2.0:exportedvars">exported variables</a>)</em>: