Passwordless-GDM authentication integration #7069

@ikerexxe

Problem statement

Passwordless authentication is becoming increasingly popular. SSSD and FreeIPA already provide several authentication mechanisms which make use of it: Smart Cards, External Identity Providers (EIdP) and Passkeys. Unfortunately, the integration of these mechanisms into the graphical interface leaves much to be desired. Some of them may work in a degraded mode, while others can’t be used at all.
SSSD and the GUI should be better integrated to make all these authentication mechanisms effortless for the user. This would increase the overall security of the system, by providing the benefits of these authentication mechanisms, i.e. passwordless, MFA, etc.
SSSD and GDM are working together to provide a set of interfaces that can be used to enable these authentication mechanisms in Linux’s GUI. While the initial work targets SSSD-GDM integration, the objective is that these interfaces can be used by any other desktop environment.

Use cases

  • As a centrally managed user, I want to choose the authentication mechanism to log in from the graphical interface so that I can select the one that best suits my needs.
  • As a centrally managed user, I want to use an external identity provider (IdP) to log in from the graphical interface so that the user interface is easy to use and consistent across all authentication mechanisms in the distribution.
  • As a centrally managed user, I want to select the smart card identity to log in from the graphical interface so that the authentication is performed with the correct credentials.
  • As a centrally managed user, I want to use a passkey to log in from the graphical interface so that the user interface is easy to use and consistent across all authentication mechanisms in the distribution.
  • As a centrally managed user, I want to get notified when the passkey authentication has been performed locally so that I am aware that the user experience might be affected.
