This is a standalone service which aims to offer FIDO2 platform functionality (FIDO U2F, and WebAuthn) on Linux, over a D-Bus Portal interface.
The project is composed of multiple crates:
| | USB (HID) | Bluetooth Low Energy (BLE) | NFC | TPM 2.0 (Platform) |
|---|---|---|---|---|
| FIDO U2F | 🟢 Supported (via hidapi) | 🟢 Supported (via bluez) | 🟠 Planned (#5) | 🟠 Planned (#4) |
| WebAuthn (FIDO2) | 🟢 Supported (via hidapi) | 🟢 Supported (via bluez) | 🟠 Planned (#5) | 🟠 Planned (#4) |
This is a very early-stage idea; no proposed spec exists yet.
Here is a high-level architecture diagram of the proposed service and how it will interact with its clients:
Footnotes:
Sandboxed Browsers. A modern solution is required to allow sandboxed applications (Flatpaks, Snaps) to access U2F and FIDO2 devices, without granting blanket access to all devices.
Passwordless Authentication. FIDO2/WebAuthn brings the promise of a world without passwords, and without the security incidents that come with them, which is worth pursuing. A platform API would make it easier for applications to support stronger authentication.
Platform Authenticators are an important part of the FIDO2 specification, and fundamental for widespread adoption of passwordless authentication. Windows Hello, Android's FIDO2 support, and Apple's TouchID and FaceID are all examples of platform authenticators. There is no reason why the Linux desktop community could not enjoy similar benefits.
Native Apps FIDO2 Support. FIDO2 should not be segregated to web applications.
Here is a list of related APIs available on other platforms, which offer similar functionality:
Further references:
If you'd like to contribute but you don't know where to start, take a look at available tasks in the Issues tab.
Alternatively, any investigation or expertise on the following would be very helpful. Please reach out!
Platform Authenticator support, similar to Android devices and Windows Hello. In order to implement this (and request FIDO2 certification), support for the following is needed:
Unprivileged access. FIDO2 credentials are scoped to an origin (e.g. https://example.org). The proposed API allows applications to specify any origin (as browsers need to). Hence, it requires an additional user confirmation step for security purposes. This extra step may not be needed if the request sender could be verified as the legitimate owner of the specified origin.
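As an added illustration of the origin-scoping point above (example code written for this README, not part of the project's crates), the following Rust snippet shows the check a platform service would have to make before handing a request to an authenticator: the requested RP ID must equal the origin's effective domain or be a domain suffix of it (the rule WebAuthn applies in browsers), and whether the caller has been verified as the owner of that origin decides if the user-confirmation step is needed. The function names (`effective_domain`, `rp_id_matches`, `decide`) and the `Decision` enum are assumptions for this example. It deliberately omits the public suffix list check a real implementation also needs (so that an RP ID such as `co.uk` is not accepted as a suffix of every `.co.uk` origin).

```rust
// Added example, not the project's code. Validates a (origin, RP ID) pair as a
// WebAuthn platform service would, and decides whether a user prompt is needed.

/// Outcome of screening a request from an unprivileged caller.
#[derive(Debug, PartialEq)]
pub enum Decision {
    /// Valid pair and the caller was verified as the owner of the origin.
    Allow,
    /// Valid pair but the caller could not be verified: prompt the user.
    RequireUserConfirmation,
    /// The request is rejected outright, with a reason.
    Reject(&'static str),
}

/// Extract the effective domain (host) from an origin of the form
/// `https://host[:port]`. Returns None for anything else, including plain
/// `http://`, origins carrying a path/query/fragment, and IP literals
/// (RP IDs must be domains, never IP addresses).
pub fn effective_domain(origin: &str) -> Option<String> {
    let authority = origin.strip_prefix("https://")?;
    if authority.is_empty()
        || authority.contains(|c| matches!(c, '/' | '?' | '#' | '@' | '['))
    {
        return None;
    }
    // Strip an optional numeric port; any other use of ':' is malformed.
    let host = match authority.rsplit_once(':') {
        Some((h, port)) if !port.is_empty() && port.bytes().all(|b| b.is_ascii_digit()) => h,
        Some(_) => return None,
        None => authority,
    };
    // Reject empty hosts and IPv4 literals.
    if host.is_empty() || host.bytes().all(|b| b.is_ascii_digit() || b == b'.') {
        return None;
    }
    Some(host.to_ascii_lowercase())
}

/// WebAuthn rule: the RP ID must equal the effective domain of the origin or
/// be a dot-separated suffix of it. `evilexample.org` does not match RP ID
/// `example.org`, because the comparison is on whole labels.
pub fn rp_id_matches(rp_id: &str, origin: &str) -> bool {
    let host = match effective_domain(origin) {
        Some(h) => h,
        None => return false,
    };
    let rp = rp_id.to_ascii_lowercase();
    if rp.is_empty() || rp.starts_with('.') || rp.ends_with('.') {
        return false;
    }
    host == rp || host.ends_with(&format!(".{}", rp))
}

/// Screen a request. `caller_verified_for_origin` stands for whatever
/// attestation of origin ownership the portal may eventually support;
/// without it, the user-confirmation step from the README applies.
pub fn decide(origin: &str, rp_id: &str, caller_verified_for_origin: bool) -> Decision {
    if effective_domain(origin).is_none() {
        return Decision::Reject("origin must be of the form https://host[:port]");
    }
    if !rp_id_matches(rp_id, origin) {
        return Decision::Reject("rp_id is not a domain suffix of the origin");
    }
    if caller_verified_for_origin {
        Decision::Allow
    } else {
        Decision::RequireUserConfirmation
    }
}

fn main() {
    // Constructed sample requests.
    let cases = [
        ("https://login.example.org:8443", "example.org", false),
        ("https://example.org", "example.org", true),
        ("https://evilexample.org", "example.org", true),
        ("http://example.org", "example.org", true),
    ];
    for (origin, rp_id, verified) in cases {
        println!("{origin} / {rp_id} (verified={verified}) -> {:?}", decide(origin, rp_id, verified));
    }
}
```

The suffix comparison is done on whole labels (`host == rp` or `host` ends with `"." + rp`), which is what stops a look-alike host from claiming another site's RP ID; the missing public suffix list check is the remaining gap to close before relying on this in a service.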
PAM, and passwordless login (long-term goal). A PAM module would allow using FIDO2 for user login purposes, e.g. using the platform authenticator (similar to Windows Hello).
D-Bus Portal API design
Proposal and contribution processes (Flatpak, GNOME, etc.)
UI/UX