Core types and configuration for Passless

This crate contains the core types and configuration structures used by both the build script (for generating shell completions) and the runtime binary.

passless

Passless is a software FIDO2 authenticator that emulates hardware security keys. Built with soft-fido2, it runs as a virtual UHID device on Linux.

It also includes client capabilities for interacting with any FIDO2 authenticator.

⚠️ Security Warning

Passless is a software FIDO2 authenticator and does not provide the same hardware-backed isolation as dedicated security keys. While Passless applies multiple hardening measures (GPG encryption, memory protection, core dump prevention), credentials stored in software remain more exposed to system-level compromise than non-exportable keys protected by secure hardware.

For many users, this trade-off is acceptable in exchange for better availability, usability, and Linux-native integration. However, hardware FIDO2 authenticators offer stronger guarantees against credential exfiltration and OS-level compromise, and remain the recommended option for high-value accounts or stricter threat models.

Users should choose the solution that best fits their own security and practicality requirements.

• Features
• Configuration
• Installation
  • Cargo
  • Arch Linux
• Acknowledgements

Features

• FIDO2/WebAuthn authentication without hardware tokens
• Passkey support (resident credentials)
• User verification via desktop notifications or PIN
• PIN support with configurable enforcement policies
• Storage backends:
  • pass (encrypted, git-synced)
  • TPM 2.0 (Experimental)
  • Local filesystem (testing only)
• Security hardening (memory locking, core dump prevention)
• Credential management via CTAP commands

PIN Support

Passless supports optional PIN-based user verification. When a PIN is set, the authenticator requires PIN verification for WebAuthn operations based on the configured enforcement policy.

PIN Enforcement Policies

Default: enforcement=optional, always_uv=true

Behavior Matrix

Setting a PIN

# Set a new PIN
passless client pin set 1234

# Change existing PIN
passless client pin change 1234 5678

Configuration

[pin]
# PIN enforcement policy: "never", "optional", "required"
enforcement = "optional"

# Minimum PIN length (4-63 characters)
min_length = 4

# Maximum retry attempts before lockout
max_retries = 8

Note: For enhanced security with hardware-backed protection, consider using the TPM backend which seals credentials to the TPM hardware.

Configuration

Passless can be configured using a TOML configuration file. By default, the configuration file is located at ~/.config/passless/config.toml.

To generate a default configuration file:

mkdir -p ~/.config/passless
passless config print > ~/.config/passless/config.toml

You can then edit this file to customize the storage backend, security settings, and other options. Command-line arguments will override settings from the configuration file.

Installation

Cargo

Install from source with full system integration. See DEVELOPMENT.md for required dependencies.

# Clone the repository
git clone https://github.com/pando85/passless.git
cd passless

# Install everything (binary, systemd service, udev rules, sysusers config)
make install

# Follow the post-install instructions to:
# 1. Add yourself to the fido group
# 2. Load the uhid kernel module
# 3. Log out and back in
# 4. Enable the systemd service

Arch Linux

yay -S passless

or the binary from AUR:

yay -S passless-bin

Acknowledgements

A big thank you to the PassKeeZ project for being such a great source of inspiration. Their work on a FIDO2 / Passkey-compatible Linux authenticator gave this project both motivation and direction.