Identity and Access Management

Credentials for Linux: Bringing Passkeys to the Linux desktop

<p>Passkeys are now first-class citizens on Windows, macOS, Android and iOS - but the Linux desktop still has no standard FIDO2 platform APIs for browsers and native apps. </p> <p>This talk presents <strong>Credentials for Linux</strong> (<a href="https://github.com/linux-credentials">github.com/linux-credentials</a>), a cross-desktop effort to bring Passkeys and other credentials to Linux in a way that works for sandboxed apps and browsers alike.</p> <p>We’ll cover:</p> <ul> <li><strong>Very short refresher on passkeys &amp; platform authenticators</strong>: Why WebAuthn/FIDO2 passkeys matter, what platform authenticators are, and how this is solved on Windows Hello, Android and Apple platforms today, and the current state on Linux. </li> <li><strong>Architecture of Credentials for Linux</strong></li> <li><a href="https://github.com/linux-credentials/libwebauthn"><code>libwebauthn</code></a>: a Rust FIDO2/U2F platform library with support for USB, BLE and Hybrid authenticators (i.e. Android &amp; iOS smartphones), designed with pluggable transports and passkey features such as resident keys and user verification. </li> <li><a href="https://github.com/linux-credentials/credentialsd"><code>credentialsd</code></a>: a D-Bus service and proposed XDG portal for credential management, including a reference UI, Firefox integration (web extension + patched Flatpak build) and distro packages via OBS (Fedora/openSUSE). </li> <li><strong>What this looks like for apps and browsers</strong>: Demo and design walkthrough of a sandboxed Firefox using <code>credentialsd</code> to talk to hardware security keys and phones, and how native applications can use the same D-Bus API. </li> <li><strong>Roadmap, open problems and call for collaborators</strong>: TPM-backed platform authenticators, origin binding and unprivileged APIs for browsers, and how we’d like to work with GNOME, KDE, Flatpak, password managers and distributions.
</li> </ul> <p>The talk is aimed at people interested in identity and access management on the desktop: browser and desktop maintainers, distribution engineers, security practitioners and anyone who wants to help make passkeys a first-class citizen of the Linux platform.</p>

Additional information

Live Stream https://live.fosdem.org/watch/h2214
Type devroom
Language English

More sessions

2/1/26
Identity and Access Management
H.2214
<p>Welcome to the devroom, rules and initial setup.</p>
2/1/26
Identity and Access Management
Thomas Darimont
H.2214
<p>As security threats become more sophisticated, the need for efficient, real-time communication between identity providers and relying parties is essential. The Shared Signals Framework (SSF) and related specifications such as CAEP and RISC address this challenge by providing a standardised way for systems to exchange security-related signals, such as session revocations, credential breaches, and other identity-related incidents, in a secure and scalable manner. This talk introduces the Shared ...
2/1/26
Identity and Access Management
Edward Ly
H.2214
<p>We introduce the <a href="https://github.com/nextcloud/scim_client">SCIM client app</a> for <a href="https://nextcloud.com/">Nextcloud</a> that allows Nextcloud users and groups to be automatically synced to external services that support the <a href="https://tools.ietf.org/wg/scim/">SCIM</a> standard. This enables Nextcloud to act as an authoritative store of user identity information, simplifying user management across multiple connected services.</p> <p>This talk will discuss the ...
2/1/26
Identity and Access Management
Alexander Schwartz
H.2214
<p>OAuth 2.0 and OpenID Connect have been around for years to secure web and mobile applications alike with growing popularity.</p> <p>To keep your applications and their data secure, these standards are evolving to align with security best practices.</p> <p>Join this talk to see how the FAPI 2.0 Security Profile and the upcoming OAuth 2.1 standard promote and enforce best practices, how to adapt your applications, and how Keycloak as an Open Source IAM can help you. Expect a demo and examples ...
2/1/26
Identity and Access Management
Gaétan Darquié
H.2214
<p><a href="https://www.proconnect.gouv.fr">ProConnect</a> is an open-source Federated Identity Provider written mainly in TypeScript and designed to connect professionals with government services. Developed by the French Interministerial Digital Directorate (<a href="https://www.numerique.gouv.fr/numerique-etat/dinum/">DINUM</a>), it builds on the experience of <a href="https://franceconnect.gouv.fr/">FranceConnect</a> while introducing a lightweight, modern architecture.</p> <p>This talk will ...
2/1/26
Identity and Access Management
maddog
H.2214
<p>Each month it seems we are made aware of a break in security. Some report of a database of identity information that is reported as captured by an entity of some type. Lists of passwords, ID numbers, bank account information, credit card information. And these are only the ones we hear about, since many of these break-ins are not reported, or kept quiet.</p> <p>Often we hope that the data is encrypted, but as we all know quantum computers are coming quickly and quantum computers can take ...
2/1/26
Identity and Access Management
José D. Gómez R.
H.2214
<p>SUSE’s IAM evolution mirrors its corporate journey, beginning with deep dependency on Novell (later MicroFocus) Access Manager, following its transition to independence. As the organization grew, individual departments adopted several tools to solve immediate authentication needs.</p> <p>This led to a proliferation of unmanageable authentication silos across customer portals, partner networks, and internal employee systems. Recognizing the inefficiencies and risks of this fragmented ...