AuthenTrend ATKey.Pro: a forensic look at the CTAP 2.0 variant on Arch Linux
The ATKey.Pro from AuthenTrend is a FIDO2 hardware security key with an onboard capacitive fingerprint sensor. This review tests the device thoroughly on Linux and is quite explicit about what was verified by direct command output, what was confirmed by manufacturer documentation, and what remains genuinely unknown.
Test environment
Device information verified
Full output of fido2-token -I /dev/hidraw6 2>&1 | head -30. It is worth noting that this command hangs at a PIN prompt when a PIN is configured; piping through head captures the capabilities without blocking.
| AAGUID | e1a96183-5016-4f24-b55b-e3ae23614cc6 Identified as "ATKey.Pro CTAP2.0" per passkey developer AAGUID registry |
| Firmware | 0x01 (bcdDevice 1.00) |
| FIDO versions | U2F_V2, FIDO_2_0, FIDO_2_1_PRE PRE signifies a draft implementation, not the ratified CTAP2.1 standard |
| Algorithms | es256 (P-256) + eddsa (Ed25519) |
| Extensions | credBlob, credProtect, hmac-secret |
| Transport | USB only. No NFC, no USB-C on this unit. |
| maxcredcntlst | 20 Credential management enumeration limit; actual on-device storage capacity is not confirmed |
| Non-resident credentials | Up to 160 per manufacturer Key-wrapped, stored server-side, consuming no device storage |
| Max message size | 2048 bytes |
| Max large blob | 1024 bytes |
| PIN protocol | 1 only Protocol 2, as required by ratified CTAP2.1, is absent. Protocol 1 sends the PIN as a SHA-256 hash rather than using an encrypted exchange. |
| PIN retries | 8 (minimum length 4, change not required at present) |
| UV retries | 5 before fingerprint lockout |
| Sensor | Touch type 1, 12 samples per enrolment, up to 10 fingerprints stored |
| MCU | Broadcom BCM5810X, FIPS 140-2 Level 3 certified Per FIDO Alliance certification listing; not directly verifiable from Linux userspace |
| USB interfaces | hidraw6 (FIDO, uaccess tagged); hidraw7 (enrolment channel, root-only) |
systemd-cryptenroll compatibility verified
Output of systemd-cryptenroll --fido2-device=list on Arch Linux:
The ALWAYSUV ✗ result indicates that the device supports fingerprint verification but does not enforce it unconditionally. A PIN is accepted as a fallback for user verification. Fingerprint lockout after 5 failed attempts does not render the key unusable, as the PIN path remains open. The PIN retry counter resets to 8 after a successful PIN change via fido2-token -C.
Linux access: udev verified on Arch Linux
On Arch Linux with current systemd, the FIDO interface enumerates on hidraw6 and is automatically tagged ID_FIDO_TOKEN=1, ID_SECURITY_TOKEN=1, and uaccess. No entry in /etc/udev/rules.d/ is required. Stable symlinks are created at /dev/input/by-id/...-fido and ...-hidraw. The fingerprint management interface remains at 0600 root, as is proper for the enrolment channel. Do note that this zero-configuration behaviour is specific to Arch with its current udev rule set; other distributions may well require manual rules.
SSH key generation verified
Both non-resident and resident Ed25519-SK keys generated and signed successfully. A critical distinction applies to what the device actually does at each stage, and one must not conflate the two modes.
LUKS2 disk encryption enrolment verified
Lennart Poettering's systemd 248 post explicitly names the ATKey.Pro as a tested device for systemd-cryptenroll; AuthenTrend sent him three units for the purpose. The required capability is hmac-secret, which is confirmed present in this device's fido2-token -I output. Enrolment was verified using a throwaway loopback image so as not to touch any real volumes:
sudo systemd-cryptenroll --fido2-device=auto /tmp/test_luks.imgThe resulting LUKS2 token header, as confirmed by cryptsetup luksDump:
The test machine also carries an AMD firmware TPM2 (/dev/tpmrm0, tpm_crb driver, SHA-256 PCR banks active). TPM2 and FIDO2 can each be enrolled into the same LUKS2 header as independent unlock paths: TPM2 for automated boot, the ATKey.Pro as a portable fallback requiring physical possession.
PAM integration package verified
pam-u2f 1.4.0-2 is installed and pam_u2f.so is present at /usr/lib/security/pam_u2f.so. The ATKey.Pro is quite visible to pamu2fcfg. Full PAM enrolment (generating a working u2f_keys entry and verifying sudo unlock) was not completed in this review, as pamu2fcfg returned FIDO_ERR_RX during the test run, most likely on account of a PIN prompt interaction. The Arch Wiki U2F article documents the full configuration procedure quite well.
Standalone fingerprint enrolment vendor-confirmed
The device supports enrolling fingerprints without any software or internet connection whatsoever. One inserts the key into any powered USB port, presses the side button three times to enter enrolment mode, then touches the sensor repeatedly until the LED signals completion. The device accepts up to 12 good touches per finger, which is consistent with the max samples: 12 value returned by fido2-token -I and is documented in the vendor quick-start guide. This path was not personally tested in the present review.
What is absent from this model verified absent
It is worth noting, however, that AuthenTrend does maintain open-source Linux tooling for their PIV-capable products (notably the ATKey.Card NFC). Their piv-cli-tool (C, MIT licence) is modelled on Yubico's yubico-piv-tool, includes a ykcs11/ PKCS#11 module, and builds on Linux via CMake. Separately, piv-pairing-scripts (Shell, MIT, updated February 2025) provides pairing automation. Neither was tested against the ATKey.Pro in this review, as pcsc_scan confirms no CCID enumeration on this unit. Readers who also own the ATKey.Card or Badge products will find these repositories quite useful.
Scores
Scores are subjective assessments rather than measurements. Authentication speed was not benchmarked.
What works well
- +Zero udev configuration on Arch Linux with systemd
- +Ed25519-SK verified working, not merely advertised
- +Resident SSH: uvToken enables fingerprint-as-UV during keygen
- +hmac-secret confirmed; LUKS2 enrolment via systemd-cryptenroll verified
- +Both FIDO2 and AMD fTPM enrollable into the same LUKS2 header
- +FIDO 2.1 PRE features present: credMgmt, bioEnroll, uvToken, hmac-secret, credBlob, credProtect
- +UV lockout recoverable via PIN path; counter resets on PIN change
- +Standalone fingerprint enrolment requiring no software whatsoever
- +FIPS 140-2 Level 3 certified MCU (Broadcom BCM5810X)
- +pam-u2f package present for sudo and login integration
Worth knowing
- xThis is the CTAP2.0 SKU; the CTAP2.1 variant carries a different AAGUID
- xPIN protocol 1 only, which is weaker than protocol 2's encrypted PIN exchange
- xLUKS2 default is PIN plus touch rather than fingerprint; UV requires an explicit flag
- xssh-keygen requests UP (touch) rather than UV (biometric) at key generation time
- xAlwaysUV is disabled; fingerprint verification is not unconditionally enforced
- xNo PIV, no CCID, no NFC, no USB-C on this model
- xResident credential storage capacity is not published by the manufacturer
- xfido2-token -I hangs at the PIN prompt when a PIN is set; pipe output through head
- xpamu2fcfg enrolment was not fully verified in this review
- xFirmware 0x01; no ATKey.Pro-specific update or management tooling found for Linux
- xPIV tooling (piv-cli-tool, MIT) exists on GitHub but applies to ATKey.Card, not this model
Verdict
On the whole, the ATKey.Pro CTAP2.0 is a quite well-specified FIDO2 key that works correctly on Linux with no configuration effort. SSH-SK key generation and signing are verified. LUKS2 enrolment via systemd-cryptenroll is verified. The fingerprint sensor does indeed perform biometric matching when the application explicitly requests UV, as is the case during resident SSH keygen via uvToken and during browser-based WebAuthn authentication. It does not, however, perform biometric matching during standard non-resident keygen or LUKS2 enrolment unless one opts in with the appropriate flag. Should one require the ratified CTAP2.1 feature set, it would be prudent to verify the AAGUID of one's unit before purchase, as AuthenTrend sells both variants under the same product name.
Further reading
- AuthenTrend on GitHub (18 public repositories including MIT-licensed Linux tooling)
- AuthenTrend: piv-cli-tool (C, MIT; PIV CLI and ykcs11 PKCS#11 module for Linux; applies to ATKey.Card, not ATKey.Pro)
- AuthenTrend: flutter_passkey (Flutter plugin for passkey operations on iOS and Android)
- Lennart Poettering: Unlocking LUKS2 with TPM2, FIDO2, PKCS#11 on systemd 248 (names ATKey.Pro as a tested device)
- Arch Wiki: systemd-cryptenroll (covers eddsa credential algorithm and multi-token enrolment)
- Arch Wiki: Universal 2nd Factor (pam-u2f setup, nouserok, biometric PAM caveats)
- Fedora Magazine: systemd-cryptenroll with FIDO U2F or TPM2 (practical walkthrough including LUKS1 to LUKS2 migration)
- Yubico: CTAP2 hmac-secret deep dive (explains how systemd-cryptenroll's key derivation works at the protocol level)
- FIDO Alliance: ATKey.Pro certified product listing (MCU certification details)
- Key9 Identity: 2025 security key shootout (independent comparison using ed25519-sk as an evaluation criterion)
- Florentin Putz: Bring Your Own FIDO2 Extensions (academic survey of the CTAP2 extension landscape)
- William Brown: How Hype Will Turn Your Security Key Into Junk (clear explanation of resident versus non-resident credential storage)
Comments
Post a Comment