Setting up a YubiKey on Linux is a mess, and it really shouldn’t be
One of the things I've always wanted to experiment with on my computers is logging in and authenticating things like sudo requests with a hardware tool - a fingerprint reader, a smart card, or a USB hardware security device like a YubiKey. There's really no solid reason for me to want this other than that it just feels cool and futuristic to me (yes, even in this, the year of our lord 2024). I have no state secrets, no secret Swiss bank accounts, no whistleblower material to protect, and my computers rarely leave the house - I just want it because it's possible and cooler than typing in my password.
Due to the flexibility and feature set of the YubiKey, I think it's the best choice to go for. A no-name USB fingerprint reader would probably be ugly, cumbersome to position, and Linux support would be difficult to determine. A USB smart card reader would bring the same issues as the fingerprint reader, and combined with a smart card it seems like it's just a Yubikey with extra steps. I do have to admit the idea of sliding a smart card in a slot and have it authorise you sounds really, really satisfying.
Anyway, YubiKeys come in all shapes and sizes, but I want one of the USB-A ones with a fingerprint reader built-in, since I can plug it in at the bottom of my monitor, perfectly positioned to put my thumb on it to authenticate. This way, it's easily accessible to be used to log into my desktop session, authorise sudo requests when I'm configuring things, log into websites with Firefox, and so on.
But there's a problem: setting up a YubiKey on Linux seems like it's a huge ordeal.
Just look a the official instructions on the YubiKey website, or the instructions on the Fedora website, my distribution of choice. That's absolutely insane, and nobody should be expected to understand any of this nonsense to use what is being marketed as a consumer product. It's important to note that this is not a hardware, software, or driver issue - all the necessary support is there, and Linux can make full use of the functionality tools like the YubiKey offers. The problem is that you're expected to set this up manually, package by package, configuration file by configuration file, PAM module by PAM module.
When I first looked into getting a YubiKey, I expected biometric and advanced authentication tools like these to be fully integrated into modern Linux distributions and desktop environments. I figured that once you plugged one of these tools into your PC, additional options would become available in GNOME's or KDE's user account settings, but apparently, this isn't the case. This means that even if you manually set everything up using the official arcane incantations, your graphical user interface won't be aware of any of that, and changing anything will mean you have to go through those official arcane incantations again.
This is entirely unacceptable. The moment you plug in an an advanced hardware security tool like a YubiKey, GNOME and KDE should recognise it, and the settings, tools, and setup wizards' relevant to it should become available. All the hardware and software support is there - and in 2024, biometric and advanced security devices like these should not be so complicated and unforgiving to set up. Smart cards and fingerprint readers have been supported by Linux for literally decades. Why isn't this easier?
For now, I'm still in doubt about going through with buying a YubiKey. I definitely have the skills to go through with this whole insane setup process, but I really shouldn't have to.