Alfie Fresta's FOSDEM 2026 talk introduces Credentials for Linux, a cross-desktop initiative to bring FIDO2 passkey support to Linux through libwebauthn and credentialsd, addressing the platform's current authentication gap.
At FOSDEM 2026 in Brussels, Alfie Fresta presented a compelling case for bringing passkey support to the Linux desktop, addressing a significant gap in the platform's authentication capabilities. While Windows, macOS, Android, and iOS have established FIDO2 platform APIs, Linux remains without a standard solution for browsers and native applications to leverage passkeys and other credentials.
The presentation, available on YouTube and fosdem.org, introduced Credentials for Linux, a cross-desktop effort designed to make passkeys first-class citizens on Linux systems. The project aims to work seamlessly with sandboxed applications and browsers, addressing a critical need in the Linux ecosystem.
The Current State of Linux Authentication
Fresta began with a refresher on passkeys and platform authenticators, explaining why WebAuthn/FIDO2 passkeys matter in today's security landscape. The talk highlighted how other platforms have solved this problem: Windows Hello provides native biometric authentication, Android offers fingerprint and face recognition, and Apple platforms integrate seamlessly with their ecosystem. Linux, however, lacks this unified approach.
The absence of standard FIDO2 platform APIs on Linux creates fragmentation and security concerns. Applications and browsers must implement their own authentication mechanisms or rely on third-party solutions, leading to inconsistent user experiences and potential vulnerabilities.
The Credentials for Linux Architecture
The core of the solution consists of two main components:
libwebauthn is a Rust-based FIDO2/U2F platform library that supports USB, BLE, and Hybrid authenticators (including Android and iOS smartphones). The library is designed with pluggable transports and includes passkey features such as resident keys and user verification. Rust was chosen for its memory safety guarantees and performance characteristics, critical for security-sensitive code.
credentialsd is a D-Bus service and proposed XDG portal for credential management. This component includes a reference UI, Firefox integration through both a web extension and a patched Flatpak build, and distribution packages via Open Build Service (OBS) for Fedora and openSUSE. The D-Bus interface allows sandboxed applications to communicate securely with the credential management service.
Practical Implementation and Integration
The talk demonstrated how this architecture works in practice. A sandboxed Firefox instance can use credentialsd to communicate with hardware security keys and mobile devices, while native applications can use the same D-Bus API. This unified approach ensures consistency across different types of applications while maintaining the security benefits of sandboxing.
Firefox integration is particularly noteworthy, as it addresses one of the most common use cases for passkeys: web authentication. The combination of a web extension and a patched Flatpak build ensures that both traditional installations and containerized applications can benefit from the new authentication capabilities.
The Road Ahead
Fresta outlined several challenges and opportunities for the project:
- TPM-backed platform authenticators: Integrating with Trusted Platform Modules to provide hardware-backed authentication on systems that support it
- Origin binding: Ensuring that credentials are properly scoped to their intended origins, preventing phishing attacks
- Unprivileged APIs for browsers: Designing interfaces that work within browser sandbox constraints without requiring elevated privileges
- Cross-desktop collaboration: Working with GNOME, KDE, Flatpak, password managers, and distributions to ensure broad adoption
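Origin binding, listed above as open work, rests in WebAuthn on one rule: the relying party ID in a request must equal the calling origin's host or be a registrable parent domain of it. The Rust sketch below is an added example of that check, not code from libwebauthn or credentialsd; the function names, error type and three-entry suffix list are assumptions made for illustration.

```rust
/// Added example (not libwebauthn/credentialsd code). Constructed stand-in for the Public Suffix List.
const PUBLIC_SUFFIXES: &[&str] = &["com", "org", "co.uk"];

#[derive(Debug, PartialEq)]
pub enum RpIdError { InsecureOrigin, MalformedOrigin, PublicSuffix, NotScopedToOrigin }

/// Extract the lowercase host from an origin such as "https://login.example.com:8443".
fn origin_host(origin: &str) -> Result<String, RpIdError> {
    let rest = origin.strip_prefix("https://").ok_or(RpIdError::InsecureOrigin)?;
    // An origin carries no path, query, fragment or userinfo.
    if rest.contains(|c: char| matches!(c, '/' | '?' | '#' | '@')) {
        return Err(RpIdError::MalformedOrigin);
    }
    let host = rest.split(':').next().unwrap_or("");
    if host.is_empty() {
        return Err(RpIdError::MalformedOrigin);
    }
    Ok(host.to_ascii_lowercase())
}

/// Accept `rp_id` only if it equals the origin's host or is a registrable
/// parent domain of it, so a credential cannot be requested for another site.
pub fn check_rp_id(origin: &str, rp_id: &str) -> Result<(), RpIdError> {
    let host = origin_host(origin)?;
    let rp_id = rp_id.to_ascii_lowercase();
    if host == rp_id {
        return Ok(());
    }
    if PUBLIC_SUFFIXES.contains(&rp_id.as_str()) {
        return Err(RpIdError::PublicSuffix);
    }
    // Compare on a label boundary: "example.com" must not match "evil-example.com".
    if host.ends_with(&format!(".{rp_id}")) {
        Ok(())
    } else {
        Err(RpIdError::NotScopedToOrigin)
    }
}

fn main() {
    // Constructed sample requests: (caller origin, requested rpId).
    for (origin, rp_id) in [
        ("https://login.example.com", "example.com"),
        ("https://evil-example.com", "example.com"),
        ("https://login.example.co.uk", "co.uk"),
    ] {
        println!("{origin} -> {rp_id}: {:?}", check_rp_id(origin, rp_id));
    }
}
```

The look-alike host and the public-suffix request are both rejected, which is the property that keeps a phishing page from obtaining an assertion for another site's credential.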
Community Involvement
The project actively seeks collaborators from various parts of the Linux ecosystem. Browser maintainers can contribute to the integration work, desktop environment developers can help with the user interface components, and distribution engineers can assist with packaging and deployment.
The talk emphasized that this is not just a technical challenge but a community effort. Success requires coordination between different projects and stakeholders to create a cohesive authentication experience for Linux users.
Why This Matters
Passkeys represent a significant improvement over traditional passwords, offering better security through public-key cryptography and improved usability through biometric authentication and device-based verification. For Linux to remain competitive as a desktop platform, it needs to support these modern authentication methods.
The Credentials for Linux project represents a pragmatic approach to this challenge, building on existing standards and leveraging the strengths of the Linux ecosystem. By focusing on cross-desktop compatibility and sandboxed application support, it addresses the unique constraints and requirements of the Linux environment.
As the project moves forward, it will be interesting to see how the Linux community responds to this initiative and whether it can achieve the widespread adoption necessary to make passkeys a first-class citizen on the Linux desktop. The success of this effort could significantly impact Linux's viability as a secure, modern desktop operating system for both individual users and enterprise environments.
For those interested in contributing or learning more, the GitHub repository provides detailed documentation, and the FOSDEM talk slides are available as a PDF download.