Chapter 17. Enabling passkey authentication in IdM environment

download PDF

The Fast IDentity Online 2 (FIDO2) standard is based on public key cryptography and adds the option of a passwordless flow with PIN or biometrics. The passkey authentication in the IdM environment uses FIDO2 compatible devices supported by the libfido2 library.

The passkey authentication method provides an additional security layer to comply with regulatory standards by including passwordless and multi-factor authentication (MFA) that require a PIN or a fingerprint. It uses a combination of special hardware and software, such as passkey device and passkey enablement in an Identity Management (IdM) environment, to strengthen the security in the environment where data protection plays a key role.

If your system is connected to a network with the IdM environment, the passkey authentication method issues a Kerberos ticket automatically, which enables single sign-on (SSO) for an IdM user.

You can use passkey to authenticate through the graphical interface to your operating system. If your system allows you to authenticate with passkey and password, you can skip passkey authentication and authenticate with the password by pressing Space on your keyboard followed by the Enter key. If you use GNOME Desktop Manager (GDM), you can press Enter to bypass the passkey authentication.

Note that, currently, the passkey authentication in the IdM environment does not support FIDO2 attestation mechanism, which allows for the identification of the particular passkey device.

The following procedures provide instructions on managing and configuring passkey authentication in an IdM environment.

17.1. Prerequisites

  • You have a passkey device.
  • Install the fido2-tools package:

    # dnf install fido2-tools
  • Set the PIN for the passkey device:

    1. Connect the passkey device to the USB port.
    2. List the connected passkey devices:

      # fido2-token -L
    3. Set the PIN for your passkey device by following the command prompts.

      # fido2-token -C passkey_device

17.2. Registering a passkey device

As a user you can configure authentication with a passkey device. A passkey device is compatible with any FIDO2 specification device, such as YubiKey 5 NFC. To configure this authentication method, follow the instructions below.


  • The PIN for the passkey device is set.
  • Passkey authentication is enabled for an IdM user:

    # ipa user-add user01 --first=user --last=01 --user-auth-type=passkey

    Use the ipa user-mod with the same --user-auth-type=passkey parameter for an existing IdM user.

  • Access to the physical machine to which the user wants to authenticate.


  1. Insert the passkey device in the USB port.
  2. Register the passkey for the IdM user:

    # ipa user-add-passkey user01 --register

    Follow the application prompts:

    1. Enter the PIN for the passkey device.
    2. Touch the device to verify your identity. If you are using a biometric device, ensure to use the same finger with which you registered the device.

It is good practice for users to configure multiple passkey devices as a backup that allows authentication from multiple locations or devices. To ensure the Kerberos ticket is issued during authentication, do not configure more than 12 passkey devices for a user.


  1. Log in to the system with the username you have configured to use passkey authentication. The system prompts you to insert the passkey device:

    Insert your passkey device, then press ENTER.
  2. Insert the passkey device into the USB port and enter your PIN when prompted:

    Enter PIN:
    Creating home directory for
  3. Confirm the Kerberos ticket is issued:

    $ klist
    Default principal: user01@IPA.EXAMPLE.COM

Note, to skip passkey authentication, enter any character in the prompt or enter an empty PIN if user authentication is enabled. The system redirects you to password based authentication.

17.3. Authentication policies

Use authentication policies to configure the available online and local authentication methods.

Authentication with online connection
Uses all online authentication methods that the service provides on the server side. For IdM, AD, or Kerberos services, the default authentication method is Kerberos.
Authentication without online connection
Uses authentication methods that are available for a user. You can tune the authentication method with the local_auth_policy option.

Use the local_auth_policy option in the /etc/sssd/sssd.conf file to configure the available online and offline authentication methods. By default, the authentication is performed only with the methods that the server side of the service supports. You can tune the policy with the following values:

  • The match value enables the matching of offline and online states. For example, the IdM server supports online passkey authentication and match enables offline and online authentications for the passkey method.
  • The only value offers only offline methods and ignores the online methods.
  • The enable and disable values explicitly define the methods for offline authentication. For example, enable:passkey enables only passkey for offline authentication.

The following configuration example allows local users to authenticate locally using smart card authentication:

id_provider = proxy
proxy_lib_name = files
auth_provider = none
local_auth_policy = only

The local_auth_policy option applies to the passkey and smart card authentication methods.

17.4. Retrieving an IdM ticket-granting ticket as a passkey user

To retrieve a Kerberos ticket-granting ticket (TGT) as a passkey user, request an anonymous Kerberos ticket and enable Flexible Authentication via Secure Tunneling (FAST) channel to provide a secure connection between the Kerberos client and Kerberos Distribution Center (KDC).


  • Your IdM client and IdM servers use RHEL 9.1 or later.
  • Your IdM client and IdM servers use SSSD 2.7.0 or later.
  • You registered your passkey device and configured your authentication policies.


  1. Initialize the credentials cache by running the following command:

    [root@client ~]# kinit -n @IDM.EXAMPLE.COM -c FILE:armor.ccache

    Note that this command creates the armor.ccache file that you need to point to whenever you request a new Kerberos ticket.

  2. Request a Kerberos ticket by running the command:

    [root@client ~]# kinit -T FILE:armor.ccache <username>@IDM.EXAMPLE.COM
    Enter your PIN:


  • Display your Kerberos ticket information:

    [root@client ~]# klist -C
    Ticket cache: KCM:0:58420
    Default principal: <username>@IDM.EXAMPLE.COM
    Valid starting     Expires            Service principal
    05/09/22 07:48:23  05/10/22 07:03:07  krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
    config: fast_avail(krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM) = yes
    08/17/2022 20:22:45  08/18/2022 20:22:43  krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
    config: pa_type(krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM) = 153

    The pa_type = 153 indicates passkey authentication.

Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.