An Opinionated WebAuthn Authenticator
Passkeyd is a Linux based WebAuthn authenticator that works with any WebAuthn supported application, including browsers. It supports both TPM and non-TPM devices.
Arch-based distro
The package is available in the passkeyd AUR, which you can install using aur helper, For exmaple
# Using yay
yay -S passkeyd
# Using paru
paru -S passkeyd
# Using aura
aura -A passkeydUbuntu-based distro
curl -fsSL https://github.com/bjn7/passkeyd/releases/latest/download/passkeyd.gpg | sudo tee /usr/share/keyrings/passkeyd.gpg >/dev/null
echo 'deb [signed-by=/usr/share/keyrings/passkeyd.gpg] https://github.com/bjn7/passkeyd/releases/latest/download ./' | sudo tee /etc/apt/sources.list.d/passkeyd.list
sudo apt-get update && sudo apt-get install passkeydInitialize Passkeyd
Before initializing the passkeyd service, you may want to configure it properly for your system, Initial Required Configuration.
sudo systemctl enable passkeyd
sudo systemctl start passkeydTesting the Passkey Authentication (optional)
To determine whether the passkey is working properly, you may follow this step.
- Go to the Webauthn Demo Site
- Enter the username "Test" and click Register.
- You should see: "Success! Now try to authenticate..."
- Click authenticate, A passphrase popup will appear, Enter your logged-in Linux user passphrase.
The config for theme can be found at /usr/share/passkeyd/theme.conf
To manage your passkeys, Enter the command passkeyd-manager.
| Keys | Action |
|---|---|
| Enter or Esc | View the selected site’s passkey. Press again to go back. |
| Delete | If a website is selected, deletes all its passkeys. If a specific passkey is selected, deletes only that entry. This only removes it from the system, not from the website. You may still need to remove it from the website separately. |
| Ctrl + C | Exit. |
If you are willing to contribute, refer to CONTRIBUTING.md
-
libwebauthn: TPM 2.0 support is marked as 'planned' and appears to have been in that status since 2020. -
tpm-fido: Likely to work for a long time due to the longevity of TPM 2.0 and protocol considerations, but it was last updated 3 years ago, so it doesn’t appear to be actively maintained.