Lib.rs

Command line utilities | Authentication
#password-manager #passkeys #fido2

app passless-rs

FIDO2 security token emulator

by Pando85

32 releases (7 breaking)

Uses new Rust 2024

new 0.7.6 Feb 14, 2026
0.7.1 Jan 18, 2026
0.7.0 Dec 17, 2025
0.5.2 Nov 30, 2025

#287 in Command line utilities

Custom license and AGPL-3.0-or-later

230KB
5K SLoC


logo
passless

Build status passless license

Passless is a software FIDO2 authenticator that emulates hardware security keys. Built with soft-fido2, it runs as a virtual UHID device on Linux.

It also includes client capabilities for interacting with any FIDO2 authenticator.

[!IMPORTANT]

Browsers running in sandboxed environments (for example, installed via the Ubuntu App Center) may not be able to communicate with the authenticator out of the box. To enable this, you can use the credentialsd service provided by the "Credentials for Linux" project to allow sandboxed apps — including browsers — to access FIDO2 / WebAuthn credentials on Linux.

⚠️ Security Warning

Passless is a software FIDO2 authenticator and does not provide the same hardware-backed isolation as dedicated security keys. While Passless applies multiple hardening measures (GPG encryption, memory protection, core dump prevention), credentials stored in software remain more exposed to system-level compromise than non-exportable keys protected by secure hardware.

For many users, this trade-off is acceptable in exchange for better availability, usability, and Linux-native integration. However, hardware FIDO2 authenticators offer stronger guarantees against credential exfiltration and OS-level compromise, and remain the recommended option for high-value accounts or stricter threat models.

Users should choose the solution that best fits their own security and practicality requirements.

Features

  • FIDO2/WebAuthn authentication without hardware tokens
  • Passkey support (resident credentials)
  • User verification via desktop notifications
  • Storage backends:
    • pass (encrypted, git-synced)
    • TPM 2.0 (Experimental)
    • Local filesystem (testing only)
  • Security hardening (memory locking, core dump prevention)
  • Credential management via CTAP commands

Configuration

Passless can be configured using a TOML configuration file. By default, the configuration file is located at ~/.config/passless/config.toml.

To generate a default configuration file:

mkdir -p ~/.config/passless
passless config print > ~/.config/passless/config.toml

You can then edit this file to customize the storage backend, security settings, and other options. Command-line arguments will override settings from the configuration file.

Installation

Cargo

Install from source with full system integration. See DEVELOPMENT.md for required dependencies.

# Clone the repository
git clone https://github.com/pando85/passless.git
cd passless

# Install everything (binary, systemd service, udev rules, sysusers config)
make install

# Follow the post-install instructions to:
# 1. Add yourself to the fido group
# 2. Load the uhid kernel module
# 3. Log out and back in
# 4. Enable the systemd service

Arch Linux

yay -S passless

or the binary from AUR:

yay -S passless-bin

Acknowledgements

A big thank you to the PassKeeZ project for being such a great source of inspiration. Their work on a FIDO2 / Passkey-compatible Linux authenticator gave this project both motivation and direction.

Dependencies

~23–57MB
~1M SLoC