Abonnez-vous au flux

Red Hat Enterprise Linux 9.4 introduces the ability for centrally managed users to authenticate through passwordless authentication with a passkey, meaning it's an enterprise Linux distribution with Fast Identity Online 2 (FIDO2) authentication for centrally managed users! This is all built on the Identity Management solution already in Red Hat Enterprise Linux, but enhances product security by enabling passwordless, Multi-Factor Authentication (MFA), and Single Sign-On (SSO).

What is Passkey?

A passkey is a FIDO2 compatible device that can be used for user authentication. FIDO2 is an open authentication standard based on public-key cryptography. It is more secure than passwords and one-time passwords, and simpler to use. It is usually provided as a hardware security token like a small Universal Serial Bus (USB) and Near Field Communication (NFC) based device. There are several brands of FIDO2 compliant keys, including NitroKey and SoloKey v2, and we've collaborated with Yubico to create a more seamless integration between RHEL and Yubikey.

The use of new tools to authenticate users, such as FIDO2 and External Identity Providers, is becoming increasingly popular because it improves the security authentication process.

Passwordless authentication is a paradigm shift in authentication. It aims to eliminate the need for traditional passwords, and in this article I outline its benefits compared to traditional password-based authentication.

Password-based authentication

Password authentication poses security risks, including brute force attacks, password reuse, phishing attacks, and more. From a user experience perspective, passwords are cumbersome to remember and prone to user error. Users often use the same password for multiple accounts, or else they rotate between a few different ones, and rarely invent entirely new passwords. Companies attempt to mitigate this by enforcing password policies, rotation, and management. It's up to users to not share accounts and passwords, intentionally or otherwise.

Password managers can help, but many users either aren’t aware of them or find them too complicated to use. This often leads to passwords on sticky-notes or changing passwords by just adjusting a few characters.

It's not uncommon to look at the news and see a major data breach reported by a major company, revealing that malicious actors got access to millions of passwords. As a countermeasure, the company forces its users to reset credentials. That, of course, only displaces the problem and solves nothing!

User authentication terminology

In modern authentication methods, there are some important terms you must understand:

  • Two-factor authentication (2FA): Two distinct forms of identification are needed to authenticate. One of them is usually a password, and the other a code or a biometric reading, such as a fingerprint. The classic adage is, "Something you know, and something you have"
  • Multi-Factor Authentication (MFA): Two or more distinct forms of identification are needed to authenticate. This is similar to 2FA, but in this case it requests two or more factors
  • One-time password (OTP): A password that's valid for only one authentication process. They are often used as a second authentication factor in 2FA/MFA. Two shortcomings are that they can feasibly be intercepted, and they're susceptible to phishing attacks
  • Single Sign-On (SSO): An authentication scheme allowing a user to log in with a single ID to several services and applications
  • Passwordless: An authentication method that allows access to a system without entering a password or answering security questions. Instead, the user provides some other form of evidence, such as a fingerprint, proximity badge, or hardware token code. It's often used alongside MFA and SSO to improve the user experience, strengthen security, and reduce IT operations expense and complexity

Passkey authentication in Identity Management on RHEL

Passkey is a combination of passwordless and MFA mechanism. Furthermore, MFA is provided by requesting a Personal Identification Number (PIN) to unlock the token to process the authentication request. Passwordlessness is provided by using public key cryptography (a key pair is generated during the registration process).

Additionally, as long as the device implements it, other authentication factors (such as a fingerprint) are requested. Finally, along with authentication, a Kerberos ticket is granted. This can be used for further identification on network resources, which enables SSO.

This image shows the flow of a regular user using a FIDO2 device to authenticate in a centralized Identity Management environment

All this together eliminates the need for passwords and enables strong authentication. In addition, it can reduce the risk of a data breach, because passwords aren’t reused, the public key pair is generated for each service, and the private key resides inside the token.

Why is it important?

Passwordless authentication aligns with regulatory requirements for data protection and security, such as General Data Protection Regulation (GDPR) and Payment Service Directive (PSD2). By implementing strong authentication methods, organizations can better safeguard sensitive information and comply with regulatory standards.

A memorandum from the U.S. Government establishes new policies to enhance security by enforcing passwordless authentication, combined with MFA standards and SSO:

  • “Enterprise identity management must be compatible with common applications and platforms. As a general matter, users should be able to sign in once and then directly access other applications and platforms within their agency’s IT infrastructure.” (page 6)
  • “Fortunately, there are phishing-resistant approaches to MFA that can defend against these attacks. The Federal Government’s Personal Identity Verification (PIV) standard is one such approach. The World Wide Web Consortium (W3C)’s open “Web Authentication” standard, 8 another effective approach, is supported today by nearly every major consumer device and an increasing number of popular cloud services…” (page 7)

Passwordless authentication leverages modern technologies such as biometrics, cryptographic keys, and device-based authentication. These technologies offer higher levels of security and scalability compared to traditional password-based authentication methods.

Passwords are vulnerable to numerous security threats that are challenging to overcome using technology and strategies in use today. The main purpose of the passkey feature is to strengthen security, and at the same time to provide a pleasant user experience. This is achieved by using open and well-established standards that enable passwordlessness, MFA, and SSO.

With passkey functionality, users require only a hardware device, and another authentication factor, such as a PIN or a fingerprint, to eliminate the reliance on passwords while elevating security standards. Additionally, issuing a Kerberos ticket alongside the authentication enables SSO capabilities. By integrating these features all together, the risk of data breaches, phishing threats, man-in-the-middle attacks, and other security threats can be significantly reduced, positioning your organization well on its security journey.

What next?

Identity Management in Red Hat Enterprise Linux 9.4 now offers the passkey feature to leverage all these capabilities: passwordless, MFA, and SSO.

The good news is that it's so easy to use that there are no excuses to not use it! Watch this quick demonstration to see for yourself:

Red Hat solutions architects and sales teams are ready, and more than happy, to guide your organization through this security journey.


À propos des auteurs

I've been building bridges between product strategy and development at Red Hat since 2021, what an amazing journey!

Read full bio

Iker Pedrosa is a Software Engineer working at Red Hat. He joined the company in 2020 and he's been working in Red Hat Enterprise Linux with passion and courage.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

Parcourir par canal

automation icon

Automatisation

Les dernières nouveautés en matière d'automatisation informatique pour les technologies, les équipes et les environnements

AI icon

Intelligence artificielle

Actualité sur les plateformes qui permettent aux clients d'exécuter des charges de travail d'IA sur tout type d'environnement

open hybrid cloud icon

Cloud hybride ouvert

Découvrez comment créer un avenir flexible grâce au cloud hybride

security icon

Sécurité

Les dernières actualités sur la façon dont nous réduisons les risques dans tous les environnements et technologies

edge icon

Edge computing

Actualité sur les plateformes qui simplifient les opérations en périphérie

Infrastructure icon

Infrastructure

Les dernières nouveautés sur la plateforme Linux d'entreprise leader au monde

application development icon

Applications

À l’intérieur de nos solutions aux défis d’application les plus difficiles

Original series icon

Programmes originaux

Histoires passionnantes de créateurs et de leaders de technologies d'entreprise