An update on improving passkey support in Linux
a year ago
- #Linux
- #WebAuthn
- #Security
- The author discusses their work on implementing passkey support for Linux, inspired by announcements from big companies on World Password Day.
- WebAuthn involves four roles: relying party (website), client (browser/app), platform (OS API), and authenticator (security key or device).
- The security model's phishing resistance comes from the client verifying that each request actually comes from the relying party's own application or origin before an authenticator responds.
- Windows, macOS/iOS, and Android have integrated platform APIs and authenticators, but Linux lacks native support, leading to fragmented user experiences.
- Current Linux solutions require browsers to handle WebAuthn requests directly, bypassing sandboxing and lacking device-bound passkeys.
- The author's project, linux-credentials, aims to build a portal API for Linux, supporting USB and hybrid/caBLE authenticators, with plans for a platform authenticator using TPM.
- Challenges include origin checking, application identity verification, and hardening credential access against kernel compromises.
- Proposed solutions involve Integrity Digest Cache for package signatures, SELinux/AppArmor policies, and exploring virtualization-based security (VBS) like Windows' VSM.
- Future goals include credential management, password/TOTP APIs, and cross-platform syncing for passkeys.
- The author invites collaboration and sponsorship to advance the project.
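The origin binding behind the phishing-resistance and origin-checking points above, shown as an added Python example that is not from the article or from the linux-credentials project: it applies the WebAuthn rule that an RP ID must equal the request origin's host or be a parent domain of it (secure context required), and then validates the `clientDataJSON` a relying party receives, so a lookalike domain such as `example.com.evil.test` is rejected even if a client failed to enforce the rule. All function names, the `example.com` origins and the fixed challenge are constructed for illustration; a real relying party uses a fresh random challenge per ceremony, and a full client additionally rejects RP IDs that are public suffixes.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, the encoding WebAuthn uses for challenges."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the wire format drops."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rp_id_matches_origin(rp_id: str, origin: str) -> bool:
    """True if `rp_id` is a valid relying party ID for `origin`.

    WebAuthn requires a secure context (https, or plain http only on localhost)
    and a host equal to the RP ID or a subdomain of it. Simplification: a full
    client also rejects RP IDs that are public suffixes such as "co.uk"; no
    public-suffix list is embedded here.
    """
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower()
    rp_id = rp_id.lower().rstrip(".")
    if not host or not rp_id:
        return False
    is_localhost = host == "localhost" or host.endswith(".localhost")
    if parts.scheme != "https" and not (parts.scheme == "http" and is_localhost):
        return False
    return host == rp_id or host.endswith("." + rp_id)


def verify_client_data(client_data_json: bytes, expected_type: str,
                       expected_challenge: bytes, rp_id: str,
                       allowed_origins: set) -> tuple:
    """Check the clientDataJSON the relying party receives with a response.

    Returns (ok, reason). The origin is checked twice on purpose: against the
    relying party's own allow-list, and against the RP ID rule the client was
    supposed to enforce, so a lookalike domain fails even if the client did not.
    """
    try:
        data = json.loads(client_data_json.decode("utf-8"))
        ctype = data["type"]
        challenge = b64url_decode(data["challenge"])
        origin = data["origin"]
    except (UnicodeDecodeError, ValueError, KeyError, TypeError):
        return False, "malformed clientDataJSON"
    if ctype != expected_type:
        return False, "unexpected type"
    if origin not in allowed_origins:
        return False, "origin not in relying party allow-list"
    if not rp_id_matches_origin(rp_id, origin):
        return False, "origin does not match RP ID"
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch"
    return True, "ok"


def client_data_hash(client_data_json: bytes) -> bytes:
    """SHA-256 of the exact bytes; this is what the authenticator signs over."""
    return hashlib.sha256(client_data_json).digest()


def make_client_data(ctype: str, challenge: bytes, origin: str) -> bytes:
    """Constructed sample of what a client (browser or platform API) builds."""
    return json.dumps({"type": ctype, "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": False}).encode("utf-8")


# Constructed sample values (assumptions for this example); a real relying
# party generates a random challenge per ceremony and stores it server-side.
SAMPLE_CHALLENGE = bytes(range(32))
SAMPLE_RP_ID = "example.com"
SAMPLE_ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}

if __name__ == "__main__":
    for origin in ("https://login.example.com", "https://example.com.evil.test",
                   "http://example.com"):
        cdj = make_client_data("webauthn.get", SAMPLE_CHALLENGE, origin)
        print(origin, verify_client_data(cdj, "webauthn.get", SAMPLE_CHALLENGE,
                                         SAMPLE_RP_ID, SAMPLE_ALLOWED_ORIGINS))
```

The same `rp_id_matches_origin` check is what a Linux portal would have to perform on behalf of a sandboxed application before forwarding a request to an authenticator, which is why verifying the calling application's identity (the "application identity verification" challenge above) is a prerequisite: the origin the portal checks must come from something it trusts, not from the caller's own claim.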