this post was submitted on 21 Apr 2024
45 points (97.9% liked)

Linux

48067 readers
701 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
45
submitted 6 months ago* (last edited 6 months ago) by [email protected] to c/[email protected]
 

Passkeys seem like a great idea, and we are at a point where, although things are still very much in flux, software passkeys managed by password managers are starting to be usable. I thought I'd share the workflow that's working for me on Linux with some sites, and ask the community for more tips & tricks.

A passkey is a client certificate - which is an old idea, but now there are some new standards in place*. When you log into a website, instead of sending a password you send a message signed using the private key on your hardware security device, or stored in your password manager. If you use a password manager the flow is about the same as with passwords: your password manager pops up and asks if you want to log in to the given website. But instead of sending a password to the browser, message signing takes place in the password manager. Unlike passwords those signed messages can't be replayed. Arguably you can skip sending MFA codes and get about the same (or maybe better) security with passkeys than you were getting with passwords + MFA.

Complications come up because support for passkey APIs is still patchy. On Linux I think there is system-level support for hardware keys, but not for passkey managers (password managers that can do passkey signing). But you can close that gap using browser extensions! I'm using Enpass with it's Firefox extension. Signing into websites in Firefox using passkeys works quite well in some of the sites I've tried. (I've also tested with Bitwarden's browser extension, and it works just as well.**) Although creating passkeys doesn't work on all of those sites.

  • I was able to create a passkey on Github, and sign in with it.
  • I was able to create a passkey for the demo at https://www.passkeys.io/, and sign in with it.
  • I couldn't create passkeys for Google, but I could log in with passkeys created on another device, and synced by Enpass to my Linux machine.
  • I can use a passkey for MFA on Discord, but they don't seem to be using them for logins yet.
  • I'm not getting options to use my passkeys on Amazon or Paypal, but I was able to create passkeys for these sites on Android.

Without using a browser extension Chrome on Linux does have a feature to sign in with passkeys on mobile devices. I don't think this works with third-party passskey managers. On some sites Chrome gave me the option to log in using the automatically-generated, Google-managed passkey on my phone. It didn't actually worked for me - my phone showed a message saying "connecting to device" but never actually connected.

That brings me to the Android side. Since some sites will let me log in with passkeys but not create them it's helpful to have another option for creating passkeys. Android is further along in implementing system level passkey support (only in Android 14 or later). But it's not perfect yet. Firefox for Android is not working with passkey managers yet, but there is a ticket to track this. Third-party passkey managers work in Chrome for Android, but only if you enable an experimental flag:

  • open chrome://flags/
  • find the setting "Android Credential Management for passkeys"
  • set the value to "Enabled for Google Password Manager and 3rd party passkeys"

* "Passkey" seems to be an umbrella term for WebAuthn or FIDO U2F. It looks like WebAuthn is a part of FIDO2.

** From a cursory look at the two I feel more comfortable with Enpass' browser extension than with Bitwarden's. I'm not positive, but it looks like Bitwarden loads credentials in the extension itself which puts all of your secrets in the browser process. OTOH the Enpass extension uses IPC to send requests to the Enpass desktop app. But as many will point out, Bitwarden's clients are open-source and audited while Enpass' software is closed-source.

all 7 comments
sorted by: hot top controversial new old
[–] [email protected] 9 points 6 months ago

I am able to fully use passkey with Firefox and KeePassXC on Linux.

[–] [email protected] 4 points 6 months ago* (last edited 6 months ago)

* "Passkey" seems to be an umbrella term for WebAuthn or FIDO U2F. It looks like WebAuthn is a part of FIDO2.

In fact, Passkeys are considered passwordless, and rely specifically on discoverable credentials and resident keys to store the identity alongside the certificate for the authentication.

U2F is the previous standard, also known as FIDO. WebAuthn is basically another name for Passkeys, relying on CTAP2 as the protocol to interface between the website and the authentication token.

[–] [email protected] 4 points 6 months ago

iOS also supports third-party passkey managers so that's an alternative to Android for helping to fill gaps creating passkeys.

[–] [email protected] 1 points 6 months ago

I forgot to mention that to use a passkey manager on Android in addition to setting that Chrome feature flag you also need to set the app as your passkey manager. That's done at the system level in Settings > Passwords & accounts > Passwords, passkeys, and data services