Passless is a software FIDO2 authenticator that emulates hardware security keys. Built with soft-fido2, it runs as a virtual UHID device on Linux.
It also includes client capabilities for interacting with any FIDO2 authenticator.
Important
Browsers running in sandboxed environments (for example, installed via the Ubuntu App Center) may
not be able to communicate with the authenticator out of the box. To enable this, you can use the
credentialsd service provided by the
"Credentials for Linux" project to allow
sandboxed apps — including browsers — to access FIDO2 / WebAuthn credentials on Linux.
Passless is a software FIDO2 authenticator and does not provide the same hardware-backed isolation as dedicated security keys. While Passless applies multiple hardening measures (GPG encryption, memory protection, core dump prevention), credentials stored in software remain more exposed to system-level compromise than non-exportable keys protected by secure hardware.
For many users, this trade-off is acceptable in exchange for better availability, usability, and Linux-native integration. However, hardware FIDO2 authenticators offer stronger guarantees against credential exfiltration and OS-level compromise, and remain the recommended option for high-value accounts or stricter threat models.
Users should choose the solution that best fits their own security and practicality requirements.
- FIDO2/WebAuthn authentication without hardware tokens
- Passkey support (resident credentials)
- User verification via desktop notifications or PIN
- PIN support with configurable enforcement policies
- Storage backends:
- pass (encrypted, git-synced)
- TPM 2.0 (Experimental)
- Local filesystem (testing only)
- Security hardening (memory locking, core dump prevention)
- Credential management via CTAP commands
Passless supports optional PIN-based user verification. When a PIN is set, the authenticator requires PIN verification for WebAuthn operations based on the configured enforcement policy.
| Policy | always_uv=false |
always_uv=true |
|---|---|---|
never |
Notification | Notification |
optional |
Notification | PIN required |
required |
PIN required | PIN required |
Default: enforcement=optional, always_uv=true
| PIN Set | enforcement |
always_uv |
User Verification Method |
|---|---|---|---|
| No | any | any | Desktop notification |
| Yes | never |
false |
Desktop notification |
| Yes | never |
true |
Desktop notification |
| Yes | optional |
false |
Desktop notification |
| Yes | optional |
true |
PIN required |
| Yes | required |
false |
PIN required |
| Yes | required |
true |
PIN required |
# Set a new PIN
passless client pin set 1234
# Change existing PIN
passless client pin change 1234 5678[pin]
# PIN enforcement policy: "never", "optional", "required"
enforcement = "optional"
# Minimum PIN length (4-63 characters)
min_length = 4
# Maximum retry attempts before lockout
max_retries = 8Note: For enhanced security with hardware-backed protection, consider using the TPM backend which seals credentials to the TPM hardware.
Passless can be configured using a TOML configuration file. By default, the configuration file is
located at ~/.config/passless/config.toml.
To generate a default configuration file:
mkdir -p ~/.config/passless
passless config print > ~/.config/passless/config.tomlYou can then edit this file to customize the storage backend, security settings, and other options. Command-line arguments will override settings from the configuration file.
Install from source with full system integration. See DEVELOPMENT.md for required dependencies.
# Clone the repository
git clone https://github.com/pando85/passless.git
cd passless
# Install everything (binary, systemd service, udev rules, sysusers config)
make install
# Follow the post-install instructions to:
# 1. Add yourself to the fido group
# 2. Load the uhid kernel module
# 3. Log out and back in
# 4. Enable the systemd serviceyay -S passlessor the binary from AUR:
yay -S passless-binA big thank you to the PassKeeZ project for being such a great source of inspiration. Their work on a FIDO2 / Passkey-compatible Linux authenticator gave this project both motivation and direction.