Introduction

For security reasons, I prefer using the Flatpak version of web browsers (only verified packages). However, I found that my hardware security key (Google Titan Key) works fine on the host version but fails on the Flatpak version. While a password manager is a good backup, I wanted to make my physical key work. Here is how I solved it.

Environment

Step 1: Opening the Door on the Host OS (NixOS)

First, the OS must recognize the USB device and allow the logged-in user to access it. On NixOS, you need to define this in your udev rules.

# configuration.nix
services.udev.extraRules = ''
  # Setup for Google Titan Security Key v2
  # Grant user access to hidraw devices
  KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="18d1|096e", ATTRS{idProduct}=="9470|5026|0858|085b", TAG+="uaccess"
'';

(Note: For the specific ID list, refer to the official libfido2 rules (70-u2f.rules, commit a94e52c); libfido2 is the standard Linux library. The settings above cover various Titan Key models and those from its OEM, Feitian.)

You can find your idVendor and idProduct by running lsusb. In my case, they were idVendor=="18d1" and idProduct=="9470". After updating the config, run sudo nixos-rebuild switch and re-plug your key.
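
To confirm the rule took effect before touching the sandbox, the following script looks up the key's hidraw node in sysfs and checks that the current user can read and write it. It is an added example, not part of the original post: the function names are hypothetical, the ID lists are copied from the rule above, and it assumes the kernel exposes HID_ID in /sys/class/hidraw/*/device/uevent.

```shell
#!/bin/sh
# Added example: verify that the udev rule from Step 1 gave the current user
# read/write access to the key's hidraw node. Function names are hypothetical.
VENDORS="18d1 096e"              # idVendor list from the rule above
PRODUCTS="9470 5026 0858 085b"   # idProduct list from the rule above

# Print "hidrawN vendor:product" for each hidraw node whose IDs are in both lists.
# $1 = sysfs class directory (default: /sys/class/hidraw)
find_key_nodes() (
  for dir in "${1:-/sys/class/hidraw}"/hidraw*; do
    uevent="$dir/device/uevent"
    [ -r "$uevent" ] || continue
    # The kernel writes HID_ID=<bus>:<vendor>:<product>, e.g. 0003:000018D1:00009470
    hid_id=$(sed -n 's/^HID_ID=//p' "$uevent" | tr 'A-F' 'a-f')
    vid=$(printf '%s' "$hid_id" | cut -d: -f2 | sed 's/^0000//')
    pid=$(printf '%s' "$hid_id" | cut -d: -f3 | sed 's/^0000//')
    [ -n "$vid" ] && [ -n "$pid" ] || continue
    case " $VENDORS " in *" $vid "*) ;; *) continue ;; esac
    case " $PRODUCTS " in *" $pid "*) ;; *) continue ;; esac
    printf '%s %s:%s\n' "${dir##*/}" "$vid" "$pid"
  done
)

# Exit status: 0 = every matching node is read/write for this user,
# 1 = a node is not accessible (rule not loaded or key not re-plugged),
# 2 = no matching key found.
# $1 = sysfs class directory, $2 = device directory (defaults: live system)
check_key_access() (
  nodes=$(find_key_nodes "${1:-/sys/class/hidraw}")
  [ -n "$nodes" ] || { echo "no matching key found; is it plugged in?"; exit 2; }
  status=0
  while read -r node ids; do
    dev="${2:-/dev}/$node"
    if [ -r "$dev" ] && [ -w "$dev" ]; then
      echo "ok: $dev ($ids)"
    else
      echo "no access: $dev ($ids); check the uaccess rule and re-plug the key"
      status=1
    fi
  done <<EOF
$nodes
EOF
  exit "$status"
)

# Check the live system only when the script is called with the argument "check".
if [ "${1:-}" = "check" ]; then check_key_access; exit $?; fi
```

If the check passes on the host but the key still fails in the browser, the remaining problem is on the sandbox side rather than in the udev rule.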

Step 2: Poking Holes in the Flatpak Sandbox

Brave Flatpak runs in a sandbox, so it cannot see HID devices like the Titan Key by default. You need to grant specific permissions. While you can use Flatseal, I prefer using command-line arguments because I use multiple browser profiles and want to apply settings per profile.

Required Permissions:

Step 3: Launching Brave

This is the most critical part: You must close every single Brave instance, including those running under different profiles. If any Brave session is still active, your new permissions will not take effect.

Launch Command:

flatpak run \
  --device=all \
  --filesystem=/run/udev:ro \
  com.brave.Browser \
  --profile-directory="Default"

Step 4: Verification

To test the setup, go to a WebAuthn test site like WebAuthn.io.

  1. Enter a random username and click Register.
  2. The browser will ask for your security key PIN.
  3. After entering the PIN, touch your Titan Key. It should register successfully.
  4. Click Authenticate to confirm that the login process also works with the key.

Summary