Brussels / 4 & 5 February 2023


Passwordless Linux -- where are we?

Passwordless authentication is making a lot noise. Use of FIDO2/WebAuthn tokens and other passwordless means to login to web services is all the rage but there isn't that much available to make the technology usable without troubles for 'traditional' Linux systems, locally and remotely.

For past several years FreeIPA and SSSD teams have been working on enabling end to end passwordless access in centralized and local environment, be it corporate or home deployment. This talk will go into details of our progress in passwordless access implementation for Linux systems.

In 2022 FreeIPA project introduced ability to authenticate users against OAuth2 identity providers (IdPs). This functionality allows to obtain Kerberos credentials after authentication and authorization has been done by the external IdP. As many OAuth2 IdPs allow passwordless authentication with WebAuthn tokens, a true passwordless transition across Linux systems is now available, from login to console, raising privileges within PAM services (e.g. sudo access), to accessing remote systems over SSH. We hope to expand this support with native FIDO2/WebAuthn integration as well.

The work is not complete yet and needs a lot of collaboration across multiple open source projects. Come to this talk to see a demo and discuss how we can improve our passwordless experience together.


Photo of Alexander Bokovoy Alexander Bokovoy