[systemd-devel] systemd-crypttab: FIDO2 and passwords

Lennart Poettering lennart at poettering.net
Sun Mar 7 22:34:27 UTC 2021


On So, 07.03.21 19:24, Christian Kastner (ckk at debian.org) wrote:

> Am I reading [1] directly in that the FIDO2 is intended to be as
> 1FA?

FIDO2 can be configured to take a PIN. In fact the FIDO2 support in
systemd-cryptsetup when enrolling specifies that a PIN shall be
necessary.

As the PIN stuff is not an optional FIDO2 feature IIRC this is 2FA in
all cases.

Right now whether to require the FIDO2 PIN is not configurable. We
could make it configurable though, so that you could use it in 1FA
situations.

Lennart

--
Lennart Poettering, Berlin


More information about the systemd-devel mailing list