Passkeys in GNOME?

Context

Passkeys are an emerging authentication method that promises to replace passwords with something both much more secure, and easier to use as well. They are built from the earlier FIDO2 and WebAuthn standards, but with a lot of polish around the user experience to make them suitable for widespread adoption. They are being heavily pushed by Apple, Google and Microsoft, and are already (or will soon be in the case of Windows) deployed.

There are two major changes over older FIDO methods that make passkeys easier to use: platform authenticators and syncing.

Platform Authenticators

The first way passkeys are easier is by the use of platform authenticators. Instead of needing to go and buy a Yubikey or similar hardware token, you can use your device directly. This is typically backed by the TPM or similar hardware security modules, but could in principle be done in software.

Syncing

The other major improvement is that the private keys behind passkeys are synced between devices with the user’s platform account (iCloud, Google, Microsoft, etc). This solves a major pain point of FIDO security tokens/TOTP codes in that you will always have the key needed on all your devices. It also removes the worry about what happens if you lose/break your device, as the passkeys can be retrieved again simply by signing back in on a new device.

Linux/GNOME support

While both of these things are wins for the user experience, they do require support from the platform itself. For platform authentication there need to be APIs in place for applications (like browsers) wanting to use an authenticator, and also some program to act as that authenticator. I could see gnome-keyring making a nice authenticator.

Linux doesn’t have a central account for syncing, but in my mind the biggest drawback of passkeys is that they are only synced per ecosystem. This could be resolved by using a separate cross-platform application with its own syncing mechanism (similar to most password managers today) as the authenticator. However, this depends on operating systems exposing an API to link authenticators and applications wanting to use passkeys. I foresee an extension to the Secret Service API fitting nicely here.

I’d love to see passkeys gaining greater adoption going forward, in a platform-independent way. I would be interested to hear other people’s thoughts on how they should be supported, and where to go to make it so.

2 Likes

Here are some links to provide additional context.
Apple’s developer documentation:

Google’s developer documentation:

How Dashlane (a closed source password manager) is thinking of doing things:

Discussion around KeePassXC and passkeys:

That’s cool. Do you know what libraries provide support for this? Note that GNOME software is written in multiple languages.

There are some efforts in Mozilla (1529973 - Make the WebAuthn Soft Token a Real Thing (sync, FIDO2, platform DAR, UI)) that look like they are in the right direction. There is also Bulwark Passkey, which is a passkey manager.

Both however work by emulating a USB device, which doesn’t quite give the same experience as platform authenticators on other platforms, hence my thinking that that would need a new API. On the other hand they do work today, which is good.

FWIW, we’re looking at implementing a FIDO2 portal. The implementation of hardware and software authenticators should be somewhere else and the portal just discovers them and does the UI dance to let a user interact with them.

Passkeys are then just another implementation of an authenticator.

2 Likes

That does look like a good effort. I’ll keep an eye on it.
