pando85/passless

passless

Passless is a software FIDO2 authenticator that emulates hardware security keys. Built with soft-fido2, it runs as a virtual UHID device on Linux.

It also includes client capabilities for interacting with any FIDO2 authenticator.

Important

Browsers running in sandboxed environments (for example, installed via the Ubuntu App Center) may not be able to communicate with the authenticator out of the box. To enable this, you can use the credentialsd service provided by the "Credentials for Linux" project to allow sandboxed apps — including browsers — to access FIDO2 / WebAuthn credentials on Linux.

⚠️ Security Disclaimer

Software authenticators lack the physical isolation of dedicated hardware security keys. Although Passless uses GPG encryption and memory protection and prevents core dumps to minimize exposure, credentials stored in software are inherently more vulnerable to system-level compromise than hardware-isolated keys.

For most use cases, Passless provides a reasonable security model. However, for highly sensitive accounts or threat models requiring protection against local attackers with elevated privileges, dedicated hardware security keys remain the recommended option.

Features

  • FIDO2/WebAuthn authentication without hardware tokens
  • Passkey support (resident credentials)
  • User verification via desktop notifications
  • Storage backends:
    • pass (encrypted, git-synced)
    • TPM 2.0 (Experimental)
    • Local filesystem (testing only)
  • Security hardening (memory locking, core dump prevention)
  • Credential management via CTAP commands

Configuration

Passless can be configured using a TOML configuration file. By default, the configuration file is located at ~/.config/passless/config.toml.

To generate a default configuration file:

mkdir -p ~/.config/passless
passless config print > ~/.config/passless/config.toml

You can then edit this file to customize the storage backend, security settings, and other options. Command-line arguments will override settings from the configuration file.

Installation

Cargo

Install from source with full system integration:

# Clone the repository
git clone https://github.com/pando85/passless.git
cd passless

# Install everything (binary, systemd service, udev rules, sysusers config)
make install

# Follow the post-install instructions to:
# 1. Add yourself to the fido group
# 2. Load the uhid kernel module
# 3. Log out and back in
# 4. Enable the systemd service
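
A preflight check for the post-install steps listed above, as an added example that is not part of the Passless repository. The function names are hypothetical, and it assumes the uhid module exposes its device node at /dev/uhid; it separates "not in the fido group" from "added, but this session has not been restarted yet", which is what the log-out step resolves.

```shell
#!/bin/sh
# Added example: preflight for the post-install steps (fido group, uhid, re-login).
# Checks take their inputs as arguments so they can be run on constructed data.

# in_group GROUP "LIST": succeed if GROUP is one of the space-separated names.
in_group() {
    for name in $2; do
        [ "$name" = "$1" ] && return 0
    done
    return 1
}

# group_state GROUP "SESSION_GROUPS" "DATABASE_GROUPS"
#   active  - the running session already carries the group
#   relogin - the account database lists it, but this session predates the change
#   missing - the user was never added
group_state() {
    if in_group "$1" "$2"; then echo active
    elif in_group "$1" "$3"; then echo relogin
    else echo missing
    fi
}

# uhid_state PATH (assumed device node: /dev/uhid)
#   absent - no character device there (uhid module not loaded)
#   denied - device exists but this user cannot open it read/write
#   ok     - device exists and is accessible
uhid_state() {
    if [ ! -c "$1" ]; then echo absent
    elif [ -r "$1" ] && [ -w "$1" ]; then echo ok
    else echo denied
    fi
}

preflight() {
    # `id -nG` reports the current process; `id -nG USER` re-reads the database.
    grp=$(group_state fido "$(id -nG)" "$(id -nG "$(id -un)")")
    dev=$(uhid_state /dev/uhid)
    echo "fido group: $grp"
    echo "/dev/uhid:  $dev"
    [ "$grp" = active ] && [ "$dev" = ok ]
}

# Run the checks against the live system only when asked: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```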

Arch Linux

yay -S passless

or the binary from AUR:

yay -S passless-bin

Acknowledgements

A big thank you to the PassKeeZ project for being such a great source of inspiration. Their work on a FIDO2 / Passkey-compatible Linux authenticator gave this project both motivation and direction.

About

Virtual FIDO2 device and FIDO2 client utility
