Red Hat Enterprise Linux 9.4 introduces the ability for centrally managed users to authenticate through passwordless authentication with a passkey, meaning it's an enterprise Linux distribution with Fast Identity Online 2 (FIDO2) authentication for centrally managed users! This is all built on the Identity Management solution already in Red Hat Enterprise Linux, but enhances product security by enabling passwordless, Multi-Factor Authentication (MFA), and Single Sign-On (SSO).
What is Passkey?
A passkey is a FIDO2 compatible device that can be used for user authentication. FIDO2 is an open authentication standard based on public-key cryptography. It is more secure than passwords and one-time passwords, and simpler to use. It is usually provided as a hardware security token like a small Universal Serial Bus (USB) and Near Field Communication (NFC) based device. There are several brands of FIDO2 compliant keys, including NitroKey and SoloKey v2, and we've collaborated with Yubico to create a more seamless integration between RHEL and Yubikey.
The use of new tools to authenticate users, such as FIDO2 and External Identity Providers, is becoming increasingly popular because it improves the security authentication process.
Passwordless authentication is a paradigm shift in authentication. It aims to eliminate the need for traditional passwords, and in this article I outline its benefits compared to traditional password-based authentication.
Password-based authentication
Password authentication poses security risks, including brute force attacks, password reuse, phishing attacks, and more. From a user experience perspective, passwords are cumbersome to remember and prone to user error. Users often use the same password for multiple accounts, or else they rotate between a few different ones, and rarely invent entirely new passwords. Companies attempt to mitigate this by enforcing password policies, rotation, and management. It's up to users to not share accounts and passwords, intentionally or otherwise.
Password managers can help, but many users either aren’t aware of them or find them too complicated to use. This often leads to passwords on sticky-notes or changing passwords by just adjusting a few characters.
It's not uncommon to look at the news and see a major data breach reported by a major company, revealing that malicious actors got access to millions of passwords. As a countermeasure, the company forces its users to reset credentials. That, of course, only displaces the problem and solves nothing!
User authentication terminology
In modern authentication methods, there are some important terms you must understand:
- Two-factor authentication (2FA): Two distinct forms of identification are needed to authenticate. One of them is usually a password, and the other a code or a biometric reading, such as a fingerprint. The classic adage is, "Something you know, and something you have"
- Multi-Factor Authentication (MFA): Two or more distinct forms of identification are needed to authenticate. This is similar to 2FA, but in this case it requests two or more factors
- One-time password (OTP): A password that's valid for only one authentication process. They are often used as a second authentication factor in 2FA/MFA. Two shortcomings are that they can feasibly be intercepted, and they're susceptible to phishing attacks
- Single Sign-On (SSO): An authentication scheme allowing a user to log in with a single ID to several services and applications
- Passwordless: An authentication method that allows access to a system without entering a password or answering security questions. Instead, the user provides some other form of evidence, such as a fingerprint, proximity badge, or hardware token code. It's often used alongside MFA and SSO to improve the user experience, strengthen security, and reduce IT operations expense and complexity
Passkey authentication in Identity Management on RHEL
Passkey is a combination of passwordless and MFA mechanism. Furthermore, MFA is provided by requesting a Personal Identification Number (PIN) to unlock the token to process the authentication request. Passwordlessness is provided by using public key cryptography (a key pair is generated during the registration process).
Additionally, as long as the device implements it, other authentication factors (such as a fingerprint) are requested. Finally, along with authentication, a Kerberos ticket is granted. This can be used for further identification on network resources, which enables SSO.
All this together eliminates the need for passwords and enables strong authentication. In addition, it can reduce the risk of a data breach, because passwords aren’t reused, the public key pair is generated for each service, and the private key resides inside the token.
Why is it important?
Passwordless authentication aligns with regulatory requirements for data protection and security, such as General Data Protection Regulation (GDPR) and Payment Service Directive (PSD2). By implementing strong authentication methods, organizations can better safeguard sensitive information and comply with regulatory standards.
A memorandum from the U.S. Government establishes new policies to enhance security by enforcing passwordless authentication, combined with MFA standards and SSO:
- “Enterprise identity management must be compatible with common applications and platforms. As a general matter, users should be able to sign in once and then directly access other applications and platforms within their agency’s IT infrastructure.” (page 6)
- “Fortunately, there are phishing-resistant approaches to MFA that can defend against these attacks. The Federal Government’s Personal Identity Verification (PIV) standard is one such approach. The World Wide Web Consortium (W3C)’s open “Web Authentication” standard, 8 another effective approach, is supported today by nearly every major consumer device and an increasing number of popular cloud services…” (page 7)
Passwordless authentication leverages modern technologies such as biometrics, cryptographic keys, and device-based authentication. These technologies offer higher levels of security and scalability compared to traditional password-based authentication methods.
Passwords are vulnerable to numerous security threats that are challenging to overcome using technology and strategies in use today. The main purpose of the passkey feature is to strengthen security, and at the same time to provide a pleasant user experience. This is achieved by using open and well-established standards that enable passwordlessness, MFA, and SSO.
With passkey functionality, users require only a hardware device, and another authentication factor, such as a PIN or a fingerprint, to eliminate the reliance on passwords while elevating security standards. Additionally, issuing a Kerberos ticket alongside the authentication enables SSO capabilities. By integrating these features all together, the risk of data breaches, phishing threats, man-in-the-middle attacks, and other security threats can be significantly reduced, positioning your organization well on its security journey.
What next?
Identity Management in Red Hat Enterprise Linux 9.4 now offers the passkey feature to leverage all these capabilities: passwordless, MFA, and SSO.
The good news is that it's so easy to use that there are no excuses to not use it! Watch this quick demonstration to see for yourself:
Red Hat solutions architects and sales teams are ready, and more than happy, to guide your organization through this security journey.
À propos des auteurs
I've been building bridges between product strategy and development at Red Hat since 2021, what an amazing journey!
Iker Pedrosa is a Software Engineer working at Red Hat. He joined the company in 2020 and he's been working in Red Hat Enterprise Linux with passion and courage.
Parcourir par canal
Automatisation
Les dernières nouveautés en matière d'automatisation informatique pour les technologies, les équipes et les environnements
Intelligence artificielle
Actualité sur les plateformes qui permettent aux clients d'exécuter des charges de travail d'IA sur tout type d'environnement
Cloud hybride ouvert
Découvrez comment créer un avenir flexible grâce au cloud hybride
Sécurité
Les dernières actualités sur la façon dont nous réduisons les risques dans tous les environnements et technologies
Edge computing
Actualité sur les plateformes qui simplifient les opérations en périphérie
Infrastructure
Les dernières nouveautés sur la plateforme Linux d'entreprise leader au monde
Applications
À l’intérieur de nos solutions aux défis d’application les plus difficiles
Programmes originaux
Histoires passionnantes de créateurs et de leaders de technologies d'entreprise
Produits
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Services cloud
- Voir tous les produits
Outils
- Formation et certification
- Mon compte
- Assistance client
- Ressources développeurs
- Rechercher un partenaire
- Red Hat Ecosystem Catalog
- Calculateur de valeur Red Hat
- Documentation
Essayer, acheter et vendre
Communication
- Contacter le service commercial
- Contactez notre service clientèle
- Contacter le service de formation
- Réseaux sociaux
À propos de Red Hat
Premier éditeur mondial de solutions Open Source pour les entreprises, nous fournissons des technologies Linux, cloud, de conteneurs et Kubernetes. Nous proposons des solutions stables qui aident les entreprises à jongler avec les divers environnements et plateformes, du cœur du datacenter à la périphérie du réseau.
Sélectionner une langue
Red Hat legal and privacy links
- À propos de Red Hat
- Carrières
- Événements
- Bureaux
- Contacter Red Hat
- Lire le blog Red Hat
- Diversité, équité et inclusion
- Cool Stuff Store
- Red Hat Summit