FIDO2 Login Support

It would be cool to have FIDO2 support for logging in (and unlocking) your pc.
FIDO2 can be passwordless, or have a master-password.

I personally got 2 YubiKeys, and use FIDO2 to log in to this website.

Yes, in the case of the YubiKey it’s possible to get it working in other ways, but the integration into the UI is bad.
Other platforms like Windows and macOS already have good GUI integration for these features.

I would personally expect a button under the user management, where you also change your password:

It is just possible. I have two YubiKeys too, and I have used it passwordless since Fedora 37, also on Debian and on Arch-based distros (GNOME or KDE based).
Just to give an example, here is a link on how to manage it on Ubuntu, not only for login but also in the terminal for sudo and so on.

Possible, yes, but not well integrated. I’m talking about having a simple GUI option, and actually telling the user about it on the login screen.

Shouldn’t be so hard, especially because we already have 2 PAM modules supporting them.

I personally did the PAM thing, but it just feels kind of out of place.

Also, I’m talking about full FIDO2 support, which empowers the user to have a master password on the key.
You can’t do that currently with the PAM modules, because they don’t support FIDO2, but the other protocols of the YubiKey.

Fido2 is supported by PAM? Google pam-u2f

I have a FIDO2-only Yubi USB-C/NFC ‘Security’ key which I’ve had set up with PAM for about 18 months now. The PAM side just works after editing a few of the PAM config files (a GUI would help a lot here and reduce the scope for mistakes).

Sadly I’ve never managed to get the NFC part working, per my understanding this should be supported by PAM but there’s no real documentation and seemingly very few people even trying to use FIDO2, let alone FIDO2 using NFC.

However, I’ve had no end of issues with KDE and passwordless authentication, particularly with the screen locker. 75% of the time it just won’t unlock when the key is presented. In the other 25% it unlocks, but the screen locker background remains and you have to hit return a couple of times to make it disappear.

Another issue with FIDO2 authentication and KDE is that it doesn’t unlock kwallet automatically, so you end up still needing to type in your password which defeats the point. I’d happily get rid of kwallet entirely (it sucks) only it’s used by kmail to store email account passwords with no alternatives seemingly available. If you’re using wifi it’s also used to store wifi passwords encrypted.

On the other hand, FIDO2 works great with Chrome-based browsers. I’m using it as a 2FA method constantly, and even use it to authenticate on these forums.
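For reference, this is what the "few PAM config files" mentioned above look like with pam-u2f. This is an added example, not configuration posted by anyone in the thread; the user name, key values and the exact PAM service file (common-auth on Debian/Ubuntu, system-auth on Fedora; the KDE screen locker uses the `kde` service, SDDM uses `sddm`, both of which normally include the common stack) are placeholders and assumptions to adapt to your distribution.

```conf
# /etc/u2f_mappings  (system-wide mapping, root-owned, mode 0644)
# Generated per user with the enrollment tool shipped by pam-u2f, e.g.
#   pamu2fcfg -u alice -o pam://myhost -i pam://myhost >> /etc/u2f_mappings
# Format: user:keyhandle,pubkey,cose-type,options[:keyhandle2,pubkey2,...]
# The values below are placeholders, not real credentials.
alice:<KEY_HANDLE_1>,<PUBLIC_KEY_1>,es256,+presence:<KEY_HANDLE_2>,<PUBLIC_KEY_2>,es256,+presence

# /etc/pam.d/common-auth (or the file your login/locker service includes).
# origin/appid must match what pamu2fcfg was called with, otherwise the
# assertion never validates. pinverification=1 asks for the FIDO2 PIN
# (the "master password on the key"); cue prints the touch prompt so the
# screen locker does not appear to hang silently.
#
# Passwordless: key alone is enough, password remains as fallback.
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue origin=pam://myhost appid=pam://myhost pinverification=1
auth required   pam_unix.so nullok try_first_pass
#
# Second-factor variant instead: both password AND key are required.
# auth required pam_unix.so nullok try_first_pass
# auth required pam_u2f.so authfile=/etc/u2f_mappings cue origin=pam://myhost appid=pam://myhost nouserok
```

Keep a root shell open while testing a change like this and verify with `sudo -k; sudo true` before logging out, since a typo in the authfile or a mismatched origin locks every user out of the affected PAM service; `nouserok` lets users without a mapping entry fall through to the password during rollout.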