After receiving a hardware authentication token for the New Year, I’ve spent quite a lot of time on the configuration. Even though I’d already modified my security model by the end of 2021, I needed to reconsider it once again. Now my password management framework comprises three elements:

1. Hardware security token (OnlyKey) for most sensitive credentials and 2FA (two facto authentication like OTP, FIDO2 / U2F)
2. Self-hosted cloud storage (Vaultwarden) for less sensitive credential
3. Encrypted password database (Pass-Tomb) on a USB

Each of these elements requires a separate post, but for now I’ll focus only on the first part. What is more, I’ll separate the content into several parts: in this particular part I’ll describe how it’s possible to configure the OnlyKey as second factor authentication for Linux system login (or sudo).