node package manager
Share your code. npm Orgs help your team discover, share, and reuse code. Create a free org »


U2F-Client: Access U2F/USB keys directly, without browser

For a general description, please see Universal Second Factor authentication. This module provides FIDO client functionality: it provides access to available USB/HID hardware keys (role that usually filled by a web browser).

Using this module, you can build a hardware security system with U2F keys authentication, or provide U2F interface in browser emulation.

To create and check register/sign requests, please see other module: u2f.


  • Straightforward, node.js style API: callbacks & events.
  • Supports all OS-es via excellent node-hid module.
  • Supports standard U2F Javascript API for browsers, checking facetId etc.


var u2fc = require('u2f-client');
// High-level API  
// registerRequest and signRequest, as well as returned values are specified in U2F documentation 
u2fc.register(registerRequest, cb)   // Register U2F device, requires user presence 
u2fc.sign(signRequest, cb)           // Signs with U2F device, requires user presence 
u2fc.check(signRequest, cb)          // Check if signRequest is acceptable, doesn't require user presence. Returns true or false. 
u2fc.devices()                       // Returns array of connected deviceInfo-s. 
// Events 
u2fc.on 'waiting-for-device'     // Request user to insert a U2F device, as there's no devices found 
u2fc.on 'user-presence-required' // Request user to touch the U2F device (issued after register or sign requests) 
// U2F Javascript API for Web Browsers  
// Careful, the callback convention is different - both error and result come as first and only argument. 
// Origin of the requesting party must be provided and will be checked according to the spec rules. 
browserU2F = u2fc.browserApi(origin)
browserU2F.register(registerRequests, signRequests, callback, opt_timeout)
browserU2F.sign(signRequests, callback, opt_timeout)
// Options 
u2fc.waitForDevicesTimeout = 10000 // How much time should we wait if no device present. 
u2fc.userPresenceTimeout = 10000   // How much time to wait for pressing the button on device. 



  • it seems linux doesn't provide usage & usagePage information -> use hardcoded vendorId/productId table?
  • provide more consistency with respect to concurrent usage at the driver level (login+insert key fails), + don't close device every time.
  • provide 'disconnected' event on client.
  • test U2FClient, browser api.
  • comprehensive timeouts: low-level and BrowserAPI
  • command-line interface? (u2f sign, u2f register) maybe another module?

License: MIT