Deactivating FIDO2 Authentication on Ubuntu: A Step-by-Step Guide
Introduction: In recent years, FIDO2 authentication has gained popularity as a secure and convenient method for logging into systems. However, there are situations where users may want to revert to traditional password-based authentication. In this blog post, we'll explore how to deactivate FIDO2 authentication on Ubuntu, providing users with a step-by-step guide to revert to their regular login method.
Understanding FIDO2 Authentication
FIDO2 (Fast Identity Online 2) authentication is a modern authentication standard that enables users to securely log in to their systems without the need for passwords. Instead, FIDO2 relies on hardware security keys or biometric authentication methods for identity verification. While FIDO2 offers enhanced security and convenience, some users may prefer to disable it for various reasons, such as compatibility issues or personal preference.
Deactivating FIDO2 Authentication on Ubuntu
If you've previously configured FIDO2 authentication on your Ubuntu system but now wish to revert to traditional password-based authentication, you can follow these simple steps:
Edit common-auth PAM Configuration:
Open the /etc/pam.d/common-auth file in a text editor.
Comment out or remove any lines related to pam_u2f.so, ensuring that FIDO2 authentication is no longer referenced for common authentication.
Adjust GDM (GNOME Display Manager) Configuration:
Open the /etc/pam.d/gdm-password file.
Comment out or remove any lines related to pam_u2f.so to disable FIDO2 authentication for the GNOME Display Manager.
Review sudo PAM Configuration:
Open the /etc/pam.d/sudo file.
Confirm that no active lines reference pam_u2f.so, so that FIDO2 authentication is not required for sudo access.
Reboot Your System:
After making the necessary changes, reboot your Ubuntu system to apply the modifications.
Verification and Troubleshooting
After rebooting your system, you should be able to log in using your regular password without encountering FIDO2 authentication prompts. Additionally, you should verify that sudo commands do not require FIDO2 authentication.
If you encounter any issues during the process, ensure that you've correctly edited the PAM configuration files and that there are no residual references to FIDO2 authentication.
Additional Cleanup (Optional)
If you want to clean up the configuration files created for FIDO2, you can delete the U2F configuration directory and files:
rm -r ~/.config/Yubico
Troubleshooting
Check Permissions: If you face any issues logging in, make sure the PAM configuration files are correctly edited, and no unnecessary lines are left that might block authentication.
Backup Files: Before making any changes, it's always a good idea to back up the original PAM configuration files.
sudo cp /etc/pam.d/common-auth /etc/pam.d/common-auth.bak
sudo cp /etc/pam.d/gdm-password /etc/pam.d/gdm-password.bak
sudo cp /etc/pam.d/sudo /etc/pam.d/sudo.bak
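The backup and comment-out steps above can also be scripted. The following is an added example, not part of the original guide: it reports every uncommented pam_u2f.so line in the three files, and with --apply it backs each file up to the same .bak names and comments those lines out. The PAM_DIR override and the function names are assumptions made for this sketch, so it can be rehearsed on a copy of /etc/pam.d first.

```shell
#!/bin/sh
# Added example (not from the original post). PAM_DIR is an assumed override
# so the functions can be rehearsed on a copy instead of /etc/pam.d.
PAM_DIR="${PAM_DIR:-/etc/pam.d}"
PAM_FILES="common-auth gdm-password sudo"   # the three files the guide edits
# Active reference: first non-blank char is not '#', and pam_u2f.so appears
# before any trailing '#' comment on the line.
ACTIVE_RE='^[[:space:]]*[^#[:space:]][^#]*pam_u2f\.so'

# Print file:lineno:line for every uncommented pam_u2f.so line.
list_active_u2f() {
    for f in $PAM_FILES; do
        [ -f "$PAM_DIR/$f" ] || continue
        grep -nHE "$ACTIVE_RE" "$PAM_DIR/$f" || :
    done
}

# Back up one file to <name>.bak (never overwriting an earlier backup), then
# comment out its active pam_u2f.so lines via an atomic rename.
disable_u2f_in() {
    file="$PAM_DIR/$1"
    [ -f "$file" ] || return 0
    [ -e "$file.bak" ] || cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # cp -p first so the replacement keeps the original mode and owner.
    cp -p "$file" "$tmp" &&
        sed -E "/$ACTIVE_RE/s/^/#/" "$file" > "$tmp" &&
        mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
}

# Process all three files; succeed only if no active reference remains.
disable_u2f_all() {
    for f in $PAM_FILES; do
        disable_u2f_in "$f" || return 1
    done
    [ -z "$(list_active_u2f)" ]
}

# Default is a read-only report; pass --apply (as root) to edit the files.
case "${1:-}" in
    --apply) disable_u2f_all ;;
    *) list_active_u2f ;;
esac
```

Keep a root shell open in a second terminal while applying the change, so a .bak file can be copied back if a login stops working.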
By following these steps, you should be able to deactivate FIDO2 authentication and revert to your regular login method on Ubuntu. If you encounter any issues or need further assistance, feel free to ask.