<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.2.0">Jekyll</generator><link href="https://alfioemanuele.io/feed.xml" rel="self" type="application/atom+xml" /><link href="https://alfioemanuele.io/" rel="alternate" type="text/html" /><updated>2026-02-06T23:13:10+00:00</updated><id>https://alfioemanuele.io/feed.xml</id><title type="html">Alfie Fresta’s blog</title><subtitle>All opinions are my own.</subtitle><entry><title type="html">Credentials for Linux (FOSDEM 2026)</title><link href="https://alfioemanuele.io/talks/2026/02/01/fosdem-2026-credentials-for-linux.html" rel="alternate" type="text/html" title="Credentials for Linux (FOSDEM 2026)" /><published>2026-02-01T12:00:00+00:00</published><updated>2026-02-01T12:00:00+00:00</updated><id>https://alfioemanuele.io/talks/2026/02/01/fosdem-2026-credentials-for-linux</id><content type="html" xml:base="https://alfioemanuele.io/talks/2026/02/01/fosdem-2026-credentials-for-linux.html">&lt;h1 id=&quot;bringing-passkeys-to-the-linux-desktop&quot;&gt;Bringing Passkeys to the Linux desktop&lt;/h1&gt;

&lt;p&gt;&lt;strong&gt;Talk at &lt;a href=&quot;https://fosdem.org/2026/schedule/event/838A8N-credentials-for-linux-bringing-passkeys-to-linux/&quot;&gt;FOSDEM 2026&lt;/a&gt; in Brussels, Belgium.&lt;/strong&gt;&lt;/p&gt;

&lt;iframe width=&quot;560&quot; height=&quot;315&quot; src=&quot;https://www.youtube-nocookie.com/embed/lGHGIlvDPlo?si=SjXcumS8lrLAt7as&quot; title=&quot;YouTube video player&quot; frameborder=&quot;0&quot; allow=&quot;accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share&quot; referrerpolicy=&quot;strict-origin-when-cross-origin&quot; allowfullscreen=&quot;&quot;&gt;&lt;/iframe&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.youtube.com/watch?v=lGHGIlvDPlo&quot;&gt;Watch on YouTube&lt;/a&gt;.&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://fosdem.org/2026/schedule/event/838A8N-credentials-for-linux-bringing-passkeys-to-linux/&quot;&gt;Watch or download on fosdem.org&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;/assets/2026-02-01-fosdem-2026-credentials-for-linux-slides.pdf&quot;&gt;Download the slides (PDF)&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;abstract&quot;&gt;Abstract&lt;/h2&gt;

&lt;p&gt;Passkeys are now first-class citizens on Windows, macOS, Android and iOS - but the Linux desktop still has no standard FIDO2 platform APIs for browsers and native apps.&lt;/p&gt;

&lt;p&gt;This talk presents &lt;strong&gt;Credentials for Linux&lt;/strong&gt; (&lt;a href=&quot;https://github.com/linux-credentials&quot;&gt;github.com/linux-credentials&lt;/a&gt;), a cross-desktop effort to bring Passkeys and other credentials to Linux in a way that works for sandboxed apps and browsers alike.&lt;/p&gt;

&lt;p&gt;We’ll cover:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;Very short refresher on passkeys &amp;amp; platform authenticators&lt;/strong&gt;: Why WebAuthn/FIDO2 passkeys matter, what platform authenticators are, and how this is solved on Windows Hello, Android and Apple platforms today, and the current state on Linux.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Architecture of Credentials for Linux&lt;/strong&gt;
    &lt;ul&gt;
      &lt;li&gt;&lt;a href=&quot;https://github.com/linux-credentials/libwebauthn&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;libwebauthn&lt;/code&gt;&lt;/a&gt;: a Rust FIDO2/U2F platform library with support for USB, BLE and Hybrid authenticators (ie. Android &amp;amp; iOS smartphones), designed with pluggable transports and passkey features such as resident keys and user verification.&lt;/li&gt;
      &lt;li&gt;&lt;a href=&quot;https://github.com/linux-credentials/credentialsd&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;credentialsd&lt;/code&gt;&lt;/a&gt;: a D-Bus service and proposed XDG portal for credential management, including a reference UI, Firefox integration (web extension + patched Flatpak build) and distro packages via OBS (Fedora/openSUSE).&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;What this looks like for apps and browsers&lt;/strong&gt;: Demo and design walkthrough of a sandboxed Firefox using &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;credentialsd&lt;/code&gt; to talk to hardware security keys and phones, and how native applications can use the same D-Bus API.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Roadmap, open problems and call for collaborators&lt;/strong&gt;: TPM-backed platform authenticators, origin binding and unprivileged APIs for browsers, and how we’d like to work with GNOME, KDE, Flatpak, password managers and distributions.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The talk is aimed at people interested in identity and access management on the desktop: browser and desktop maintainers, distribution engineers, security practitioners and anyone who wants to help make passkeys a first-class citizen of the Linux platform.&lt;/p&gt;</content><author><name></name></author><category term="talks" /><category term="linux" /><category term="passkeys" /><category term="fosdem" /><summary type="html">Bringing Passkeys to the Linux desktop</summary></entry><entry><title type="html">A vision for Passkeys on the Linux desktop</title><link href="https://alfioemanuele.io/dev/2024/01/31/a-vision-for-passkeys-on-the-linux-desktop.html" rel="alternate" type="text/html" title="A vision for Passkeys on the Linux desktop" /><published>2024-01-31T12:00:00+00:00</published><updated>2024-01-31T12:00:00+00:00</updated><id>https://alfioemanuele.io/dev/2024/01/31/a-vision-for-passkeys-on-the-linux-desktop</id><content type="html" xml:base="https://alfioemanuele.io/dev/2024/01/31/a-vision-for-passkeys-on-the-linux-desktop.html">&lt;h1 id=&quot;introduction&quot;&gt;Introduction&lt;/h1&gt;

&lt;p&gt;Passwords are a scourge on the modern web, a relic of another time. I’m an advocate of FIDO2 and WebAuthn, and I believe that they will play a crucial role in the future of authentication. I’m excited to see the industry move towards more secure and user-friendly alternatives such as Passkeys.&lt;/p&gt;

&lt;p&gt;However, the Linux desktop has lagged behind other platforms in adopting these technologies. I launched &lt;a href=&quot;https://github.com/AlfioEmanueleFresta/xdg-credentials-portal&quot;&gt;xdg-credentials-portal&lt;/a&gt; in 2020 with the goal of bringing FIDO2 authentication to the Linux desktop.&lt;/p&gt;

&lt;p&gt;In this post I’ll discuss my vision for FIDO2 on Linux, and the main challenges that lie ahead.&lt;/p&gt;

&lt;h1 id=&quot;a-bit-of-history&quot;&gt;A bit of history&lt;/h1&gt;

&lt;p&gt;Skip this section if you’re familiar with FIDO2, WebAuthn, and the limitations surrounding their use in Flatpak apps.&lt;/p&gt;

&lt;h2 id=&quot;fido-universal-second-factor-fido-u2f&quot;&gt;FIDO Universal Second Factor (FIDO U2F)&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;https://fidoalliance.org/specs/u2f-specs-master/fido-u2f-overview.html&quot;&gt;FIDO Universal Second Factor (U2F)&lt;/a&gt; was the first, widely-adopted open standard for two-factor authentication (2FA) on the web.&lt;/p&gt;

&lt;p&gt;This allowed users to authenticate to websites using a physical security key, in addition to their password. The security key could be connected via USB, NFC, or Bluetooth Low Energy (BLE).&lt;/p&gt;

&lt;h2 id=&quot;fido2-and-passkeys&quot;&gt;FIDO2 and Passkeys&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;https://fidoalliance.org/fido2/&quot;&gt;FIDO2&lt;/a&gt; builds on the success of U2F. It improves upon the original spec in a number of ways. Although it still supports the original use cases of U2F, its main focus is on enabling passwordless authentication scenarios - using a private-key credential as the &lt;em&gt;sole factor&lt;/em&gt; for authentication.&lt;/p&gt;

&lt;p&gt;FIDO2 comprises of two specifications:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.w3.org/TR/webauthn/&quot;&gt;W3C Web Authentication (&lt;strong&gt;WebAuthn&lt;/strong&gt;)&lt;/a&gt;, describing high-level APIs to create and use credentials.&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://fidoalliance.org/specs/fido-v2.1-rd-20210309/fido-client-to-authenticator-protocol-v2.1-rd-20210309.html&quot;&gt;Client to Authenticator Protocol (&lt;strong&gt;CTAP&lt;/strong&gt;)&lt;/a&gt;, describing the low-level protocol used by the client (eg. a browser, or an operating system) to communicate with authenticator devices.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The FIDO Alliance has selected the term &lt;a href=&quot;https://fidoalliance.org/passkeys/&quot;&gt;Passkeys&lt;/a&gt; to describe the public-key credentials which can be used through these APIs. It’s worth noting the specs predate the term &lt;em&gt;passkey&lt;/em&gt;, and use different terminology to refer to credentials.&lt;/p&gt;

&lt;p&gt;For more details on Passkeys, see:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://auth0.com/blog/our-take-on-passkeys//&quot;&gt;Our Take on Passkeys - Vittorio Bertocci (Auth0)&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://fidoalliance.org/passkeys/&quot;&gt;Passkeys - FIDO Alliance&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The advancements in the specs above which power the passkey experience are the following:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://fidoalliance.org/specs/fido-v2.1-rd-20210309/fido-client-to-authenticator-protocol-v2.1-rd-20210309.html#ctap2-hybrid-transport&quot;&gt;CTAP2 Hybrid Transport&lt;/a&gt;&lt;/strong&gt;, previosuly known as Cloud-assisted Bluetooth Low Energy (caBLE v2). This transport builds on BLE - allowing for secure pairing, and proximity detection - but adds a standardised, and more convenient internet-based transport for subsequent communication. This allows phones to receive energy-efficient push notifications, rather than relying on slower, and occasionally less reliable, BLE.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://www.w3.org/TR/webauthn/#client-side-discoverable-credential&quot;&gt;WebAuthn Discoverable credentials&lt;/a&gt;&lt;/strong&gt;, previously known as Resident keys. This allows credentials to be stored on the authenticator or client, rather than by the relying party (ie. the website).&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://fidoalliance.org/white-paper-multi-device-fido-credentials/&quot;&gt;Multi-device FIDO Credentials&lt;/a&gt;&lt;/strong&gt;. This is a relaxation of the requirements on authenticator devices which no longer need to store private keys in &lt;a href=&quot;https://en.wikipedia.org/wiki/Trusted_Platform_Module&quot;&gt;Trusted Platform Modules (TPMs)&lt;/a&gt;. Because of this, software implementations of authenticators can backup credentials to the cloud, as well as sync them across multiple devices.&lt;/p&gt;
  &lt;/li&gt;
&lt;/ol&gt;

&lt;h2 id=&quot;linux-and-containerisation&quot;&gt;Linux and Containerisation&lt;/h2&gt;

&lt;p&gt;Containerisation technology such as Flatpak and Snap have become increasingly popular on Linux. Containerisation promises to make software distribution easier, and more secure, by isolating applications from the host system.&lt;/p&gt;

&lt;p&gt;However, in order to reap the security benefits, software must be distributed with the minimum set of permissions required to function. This is a challenge for software which requires access to sensitive resources, such as the user’s USB security keys.&lt;/p&gt;

&lt;p&gt;To allow a Flatpak application to access a USB security key, the user must grant the application access to all devices (&lt;a href=&quot;https://docs.flatpak.org/en/latest/sandbox-permissions.html#device-access&quot;&gt;see Flatpak device access docs&lt;/a&gt;). This has two major security drawbacks:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;It allows the application to access all USB devices on the system, not just the security key.&lt;/li&gt;
  &lt;li&gt;The application communicates with the security key directly, which allows it to bypass &lt;a href=&quot;https://www.w3.org/TR/webauthn-2/#scope&quot;&gt;origin scoping&lt;/a&gt;: an application can use credentials for any website.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;See &lt;a href=&quot;https://github.com/flatpak/xdg-desktop-portal/issues/989&quot;&gt;flatpak/xdg-desktop-portal issue 989&lt;/a&gt; for more details and discussion.&lt;/p&gt;

&lt;h1 id=&quot;a-vision-for-fido2-on-linux&quot;&gt;A vision for FIDO2 on Linux&lt;/h1&gt;

&lt;p&gt;This sections sets out a vision for FIDO2 on Linux, and discusses the challenges that lie ahead.&lt;/p&gt;

&lt;h2 id=&quot;prioritizing-passkey-support&quot;&gt;Prioritizing Passkey support&lt;/h2&gt;

&lt;p&gt;Passkeys are likely to be the most popular form of FIDO2 authentication by far. The convenience of passkeys being automatically synced across devices, and the fact that they don’t require specialised hardware, will make them the go-to choice for the vast majority of users.&lt;/p&gt;

&lt;p&gt;For this reason, I believe that it’s crucial to prioritize passkey support. This means focusing on the CTAP2 Hybrid Transport, and the WebAuthn Discoverable Credentials, above other transports (eg. USB, NFC, etc).&lt;/p&gt;

&lt;p&gt;Mozilla’s &lt;a href=&quot;https://github.com/mozilla/authenticator-rs&quot;&gt;authenticator-rs&lt;/a&gt; currently solely targets USB security keys, and will need significant work to support additional transports such as BLE and Hybrid (CABLE).&lt;/p&gt;

&lt;h2 id=&quot;envisioning-a-windows-hello-experience-on-linux&quot;&gt;Envisioning a Windows Hello experience on Linux&lt;/h2&gt;

&lt;p&gt;&lt;img src=&quot;/assets/passkey-windows-hello-delegation.png&quot; alt=&quot;Windows Hello&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The goal of xdg-credentials-portal, or any other FIDO2 credentials portal on Linux, should be to provide a user experience similar to:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://learn.microsoft.com/en-us/windows/security/identity-protection/passkeys/?tabs=windows&quot;&gt;Passkeys on Windows (Windows Hello)&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://developer.android.com/training/sign-in/passkeys&quot;&gt;Android Credential Manager&lt;/a&gt; - Jetpack APIs superseding &lt;a href=&quot;https://developers.google.com/identity/fido/android/native-apps&quot;&gt;Android FIDO2 APIs&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys/&quot;&gt;Apple Passkeys&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The responsibilities of this portal should include:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Mediating the communication between the application and the authenticator, providing a simple, higher-level API for applications to use, resembling WebAuthn operations;&lt;/li&gt;
  &lt;li&gt;Enforcing security guarantees. For example, ensuring that the application can only access the credentials for domains it has authority over (see &lt;a href=&quot;https://developers.google.com/identity/fido/android/native-apps#interoperability_with_your_website&quot;&gt;Android’s Asset Links&lt;/a&gt;);&lt;/li&gt;
  &lt;li&gt;Providing transparency to the user about which application is requesting access to their credentials, and which authenticator is being used to generate them;&lt;/li&gt;
  &lt;li&gt;Enabling fast reauthentication scenarios. For example, remembering the user’s choice to allow or deny access to credentials for a given application;&lt;/li&gt;
  &lt;li&gt;Sharing little to no information with the application. For example, the application should not be able to determine which authenticator was used to generate the credentials, or whether the authenticator failed to connect or the user denied access to the device.&lt;/li&gt;
  &lt;li&gt;Connecting to credential providers. See section below.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;bridging-fido2-with-password-providers&quot;&gt;Bridging FIDO2 with Password Providers&lt;/h2&gt;

&lt;p&gt;Most users are likely to use Google Password Manager or iCloud to store their Passkeys. Others will prefer third-party password manages with support for passkeys such as BitWarden, Lastpass, and so on. Novel products with even better security guarantees will inevitably appeal to privacy-savy users.&lt;/p&gt;

&lt;p&gt;The Linux desktop should allow users to choose their preferred password managers, and use passkeys created on other devices.&lt;/p&gt;

&lt;p&gt;This is the same approach chosen for Android’s Credential Manager APIs - whenever an application requests the user to authentication, the platform is responsible for querying all registered providers and collect available passkeys. The user will then be presented with a dialog to choose their preferred credential amongst all those available.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/passkey-enumeration.png&quot; alt=&quot;Android enumerating Passkeys&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The application requesting authentication should not have visibility as to which providers are configured, or the origin of the selected passkey.&lt;/p&gt;

&lt;p&gt;This will require defining an interface between the Linux desktop component and pluggable providers, similar to the &lt;a href=&quot;https://developer.android.com/training/sign-in/credential-provider&quot;&gt;Android Credential Provider APIs&lt;/a&gt;. This interface is necessarily more complex that the WebAuthn and CTAP specs, as it includes enumerating and discovering credentials.&lt;/p&gt;

&lt;h2 id=&quot;delegating-passkeys-to-the-platform&quot;&gt;Delegating Passkeys to the platform&lt;/h2&gt;

&lt;p&gt;Applications, especially browsers, tend to come with their own implementation of passkey management. This is a problem for a number of reasons:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;It couples password managers to specific applications. For example, Google Password Manager is only available in Chrome.&lt;/li&gt;
  &lt;li&gt;It’s a security risk. Applications accessing specialised hardware directly may not be as secure as the platform, and may leak credentials to the application developer, or to other websites and applications.&lt;/li&gt;
  &lt;li&gt;It’s a poor user experience. Users are forced to reauthenticate to each application, and to reconfigure their password manager for each application.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;If history is any indication, Google may refuse to provide a Google Password Manager integration outside of the Chrome browser, and Apple may refuse to provide any iCloud integrations outside of its own operating systems.&lt;/p&gt;

&lt;p&gt;FOSS groups should insist on a platform-level integration, and participate in adequate forums to ensure that their voices are heard.&lt;/p&gt;

&lt;p&gt;Both Chrome and Firefox already delegate password management to the platform on Windows and macOS. Both browser vendors should be engaged to ensure that they do the same on Linux.&lt;/p&gt;

&lt;p&gt;My limited attempts to engage with Mozilla on this issue have &lt;a href=&quot;https://github.com/AlfioEmanueleFresta/xdg-credentials-portal/issues/32&quot;&gt;not proven successful&lt;/a&gt; so far. Google have informally indicated they are open to delegating FIDO2 to the platform.&lt;/p&gt;

&lt;h1 id=&quot;the-challenge-of-origin-scoping&quot;&gt;The challenge of origin scoping&lt;/h1&gt;

&lt;p&gt;The WebAuthn spec requires that credentials are scoped to the origin of the website. This means that a credential created for &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;https://example.com&lt;/code&gt; cannot be used by &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;https://example.org&lt;/code&gt;. This is a crucial security guarantee, as it prevents a compromised or malicious website from using credentials to impersonate the user on other websites.&lt;/p&gt;

&lt;p&gt;As Linux desktop applications request access to credentials, they must be forbidden from accessing credentials belonging to other applications. Two challenges need to be solved for this enforcement to occur: identifying allowed origins for an app, and authenticating the app.&lt;/p&gt;

&lt;h2 id=&quot;identifying-allowed-origins&quot;&gt;Identifying allowed origins&lt;/h2&gt;

&lt;p&gt;Two modes of operation can be identified when accessing WebAuthn credentials:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;&lt;strong&gt;Restricted scope&lt;/strong&gt;, for most applications that are allowed access to credentials scoped to their respective origin. User interaction is only required for verification purposes, or selecting between credentials when multiple exist.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Privileged access&lt;/strong&gt;, for applications that act on behalf of other origins, such as web browsers and remote desktop applications. An additional user interaction step must be required to validate the application should be able to access credentials for the specific origin.&lt;/li&gt;
&lt;/ol&gt;

&lt;h3 id=&quot;privileged-access&quot;&gt;Privileged access&lt;/h3&gt;

&lt;p&gt;Privileged access scenarios is the easiest mode to implement without compromising credential security - although this may sound counter intuitive at first.&lt;/p&gt;

&lt;p&gt;The choice of allowing the web browser to access a specific credential can be given to the user, who should be able to easily identify whether the request is legitimate. I propose including user interaction in two key flows:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;&lt;strong&gt;Granting privileged access at install time&lt;/strong&gt;. The user acknowledges the privileged status of the app, for example by granting a &lt;em&gt;“permission to access credentials for all apps and websites”&lt;/em&gt; - or other wording to the same effect;&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Granting access to the specific origin&lt;/strong&gt;. The platform requires the user to mediate access to credentials, explicitly indicating which origin the credential belongs to, for example: &lt;em&gt;“&lt;strong&gt;Firefox&lt;/strong&gt; is trying to use a credential for &lt;strong&gt;https://example.org&lt;/strong&gt;.”&lt;/em&gt;. The user may choose for this preference to be remembered, ie. “&lt;em&gt;Always allow for this website&lt;/em&gt;”.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;A relevant example is provided by the &lt;a href=&quot;https://developers.google.com/identity/fido/android/native-apps&quot;&gt;Android FIDO2 APIs&lt;/a&gt;. On Android, different subsets of these APIs are available to privileged (&lt;a href=&quot;https://developers.google.com/android/reference/com/google/android/gms/fido/fido2/Fido2PrivilegedApiClient&quot;&gt;Fido2PrivilegedApiClient&lt;/a&gt;) and non-privileged applications (&lt;a href=&quot;https://developers.google.com/android/reference/com/google/android/gms/fido/fido2/Fido2ApiClient&quot;&gt;Fido2ApiClient&lt;/a&gt;). Only applications that have the necessary web browser permissions can access the privileged APIs. Google reviews applications declaring this permission to verify they are indeed web browsers, before allowing them to be listed on Google Play Store. This solution effectively delegate trust to the distribution platform, which may not be desirable on the Linux desktop.&lt;/p&gt;

&lt;h3 id=&quot;restricted-scope&quot;&gt;Restricted scope&lt;/h3&gt;

&lt;p&gt;In order to use the requirement for the user to validate the scope of the request, it must be possible to automatically validate an origin for a given application.&lt;/p&gt;

&lt;p&gt;A basic approach is that of requiring origin owners to enumerate application identifiers to be allowed access to their credentials. Android employs &lt;a href=&quot;https://developers.google.com/identity/fido/android/native-apps#interoperability_with_your_website&quot;&gt;a manifest published at a well-known URI (&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.well-known/assetlinks.json&lt;/code&gt;)&lt;/a&gt; for this very purpose, although DNS could be used as well.&lt;/p&gt;

&lt;p&gt;The platform may retrieve the manifest, or perform a DNS query, at the time of the request. However, this has two disadvadvantages:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;It doesn’t allow for offline (or limited connectivity) scenarios. This would be quite unfortunate as WebAuthn can be useful in offline scenarios, such as using the &lt;a href=&quot;https://github.com/w3c/webauthn/wiki/Explainer:-PRF-extension&quot;&gt;PRF extension&lt;/a&gt; for symmetric data encryption.&lt;/li&gt;
  &lt;li&gt;Requests can be tracked. The application owner can determine when the user is using their application, and which origin they are accessing. This may be undesirable for privacy reasons.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;These problems can be mitigated by the platform caching the origin validation information. However, this is not a perfect solution, as the application owner can still determine whether the user is using their application, and it doesn’t provide a good user experience for offline scenarios.&lt;/p&gt;

&lt;p&gt;A better approach is to delegate the origin validation to the distribution platform. For example, Flathub could validate the allowed origins for a given application, and provide this information to the platform in a way that can be verified cryptographically. This would allow for offline scenarios, and would prevent the application owner from tracking the user.&lt;/p&gt;

&lt;p&gt;The downside of this approach is that it requires the distribution platform to be trusted. This may not be desirable for some users, and may be a blocker for some distributions.&lt;/p&gt;

&lt;p&gt;It’s unclear to me what approach is used on Android.&lt;/p&gt;

&lt;h3 id=&quot;avoiding-the-good-enough-trap&quot;&gt;Avoiding the good-enough trap&lt;/h3&gt;

&lt;p&gt;A privileged mode is the easiest to implement, and may be good enough for many use cases. However, it’s important to ensure that a restricted mode is not forgotten, and that it’s implemented as soon as possible.&lt;/p&gt;

&lt;p&gt;I fear that if the privileged mode is implemented first, applications that do not require privileged access may never be updated to use the restricted mode. This would be a major setback for the security of FIDO2 on Linux.&lt;/p&gt;

&lt;h2 id=&quot;authenticating-the-app&quot;&gt;Authenticating the app&lt;/h2&gt;

&lt;p&gt;The solutions proposed in the section above assumes that the user can be presented with a dialog that includes the origin of the credential, and the application requesting access to it, e.g.:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;&lt;strong&gt;Firefox&lt;/strong&gt; is trying to use a credential for https://example.org&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;This requires the platform to be able to authenticate the application, and to verify that the application is indeed the one requesting access to the credential.&lt;/p&gt;

&lt;p&gt;On Android, each application has a unique identifier and a signing key. FIDO2 requests are signed by the application, and the platform can verify that the application requesting access to the credential is indeed the one that created it, and that it’s not a malicious application impersonating the original one.&lt;/p&gt;

&lt;p&gt;On Linux, this may be trickier to implement. D-Bus requests are not signed but may it may be possible to trace them back to the process that created them (eg. via &lt;a href=&quot;https://dbus.freedesktop.org/doc/dbus-java/api/org/freedesktop/DBus.html#GetConnectionUnixProcessID(java.lang.String)&quot;&gt;GetConnectionUnixProcessID&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;It would then be necessary to map the process ID to the Flatpak application, and in turn to the list of allowed origins (or a privileged status). This may be possible via existing Flatpak APIs, or by extending them.&lt;/p&gt;

&lt;h1 id=&quot;what-next&quot;&gt;What next?&lt;/h1&gt;

&lt;p&gt;Development for xdg-credentials-portal has been slow, partly because of the changing nature of the FIDO2 specs. However, I’m optimistic about the future of FIDO2 on Linux. FOSS groups have a strong track record of collaborating to solve complex problems, and for-profit contributors are bound to emerge as the technology becomes more popular.&lt;/p&gt;

&lt;p&gt;If you’re interested in the cause, but you’re unsure where to start, please get in touch.&lt;/p&gt;

&lt;p&gt;Engaging with the FIDO Alliance, Mozilla, Google, the GNOME Foundation, and other stakeholders is going to be crucial to ensure that the Linux desktop is not left behind. If you represent an organisation that may be interested in contributing to this effort, please consider reaching out to me, and I’d be happy to help you get started and connect you with the right people.&lt;/p&gt;

&lt;h1 id=&quot;feedback&quot;&gt;Feedback&lt;/h1&gt;

&lt;p&gt;If you have any feedback, please reach out to me on GitHub, LinkedIn, or via e-mail.&lt;/p&gt;</content><author><name></name></author><category term="dev" /><category term="fido2" /><category term="webauthn" /><category term="linux" /><category term="passkeys" /><summary type="html">Introduction</summary></entry><entry><title type="html">No Place to Hide</title><link href="https://alfioemanuele.io/thougts/2022/01/30/no-place-to-hide.html" rel="alternate" type="text/html" title="No Place to Hide" /><published>2022-01-30T14:50:00+00:00</published><updated>2022-01-30T14:50:00+00:00</updated><id>https://alfioemanuele.io/thougts/2022/01/30/no-place-to-hide</id><content type="html" xml:base="https://alfioemanuele.io/thougts/2022/01/30/no-place-to-hide.html">&lt;p&gt;The UK Home Office is &lt;a href=&quot;https://web.archive.org/web/20231216083656/https://noplacetohide.org.uk/&quot;&gt;running a campaign&lt;/a&gt; named “No Place to Hide”. Once more Priti Patel’s department is trying to undermine public support for end-to-end encryption.&lt;/p&gt;

&lt;p&gt;The goal of reducing online child abuse is most noble, but it cannot be achieved by breaking encryption. It cannot be achieved at the cost of the privacy of all.&lt;/p&gt;

&lt;p&gt;End-to-end encryption means that texting or calling your friend can be as private as whispering in their ears. It means you don’t have to entrust corporations with your secrets, nor their disgruntled employees. It means that in a day and age when large scale data breaches are scarily commonplace, you can sleep well, knowing that your most private conversations won’t fall in the hands of hackers so easily. It allows journalists to report safely on injustices and advance democracy. It means that billions of people who live under questionably democratic governments can express their opinions freely. Even for those who currently live under a government they trust, encryption means they can speak their mind without fear of repercussions, worrying about a repressive leader being elected 20 years from now.&lt;/p&gt;

&lt;p&gt;The primary argument of the government is unchanged: if you have nothing to hide, you have nothing to fear. As Edward Snowden said, “&lt;em&gt;Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.&lt;/em&gt;”&lt;/p&gt;

&lt;p&gt;What’s new about this campaign is that it states the government is “&lt;em&gt;not opposed to end-to-encryption in principle&lt;/em&gt;”, as long as it’s implemented in a way that allows access to your data when required. I expect this is because they don’t want to be seen to oppose end-to-end encryption, which has gained wider public support in recent years.&lt;/p&gt;

&lt;p&gt;However, this new argument is fundamentally flawed. It’s just &lt;a href=&quot;https://www.theguardian.com/technology/2015/may/01/encryption-wont-work-if-it-has-a-back-door-only-the-good-guys-have-keys-to-&quot;&gt;not how end-to-end encryption works&lt;/a&gt;. There is no way to place a backdoor to user’s texts and guarantee it is not abused. Backdoors are not wiretaps - targeted intelligence devices requiring pre-approval - they’re mass surveillance devices. They’re master keys that can end up in the wrong hands. They’re a gift to undemocratic governments, hackers, and those disgruntled employees.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;We must find other ways to combat crime. The UK must lead the way, recognising that digital privacy is a fundamental human right. It is a link in the chain of civil liberties that define democracy.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally &lt;a href=&quot;https://www.facebook.com/alfio.emanuele/posts/10222893530060713&quot;&gt;posted on Facebook&lt;/a&gt;, on 2021-01-19.&lt;/em&gt;&lt;/p&gt;</content><author><name></name></author><category term="thougts" /><category term="crypto" /><category term="privacy" /><summary type="html">The UK Home Office is running a campaign named “No Place to Hide”. Once more Priti Patel’s department is trying to undermine public support for end-to-end encryption.</summary></entry></feed>