My Experience as of March 2024.
I tested all the methods below on a passkey demo site https://www.passkeys.io/ . This site allows you to create an account with an email address as the userID and a passkey. It also allows you to create additional passkeys using different hardware/software.
TL;DR
KeePassXC seems like the best way to create, store and manage passkeys for Ubuntu, among those I have tried.
Ubuntu OS level support
My computers do not have fingerprint scanners. Without additional hardware or software neither Chrome nor Firefox gives me the option to generate passkeys on the webpages that support it. As far as I can tell there is no OS level support outside the browsers for passkeys.
Passkey official device support page has the following table:
The latest KeePassXC from the PPA can store and use passkeys. See the Additional Software section below.
Additional Hardware
Google Titan Security Key
This is another alternative to Yubikeys described in the accepted answer. I use a Google Titan Security Key (USB C one).
This key can store up to 250 passkeys in it. As far as I know, there is no way to copy, move, delete, or otherwise manually manage the passkeys stored in this USB key.
Android Phone
Passkey official page says: Passkeys created in iOS, iPadOS, and Android can be used on Ubuntu devices in Edge and Chrome using FIDO cross device authentication
Passkeys created using a phone are stored online in the Google Password Manager. However, just Chrome in Ubuntu without an Android phone can't use this option, as far as I can tell.
Update September 26, 2024: Now google Chrome can create and/or reuse the passkeys already created using a phone directly in Ubuntu. First time you use an existing passkey in Chrome, it will ask you to create a six digit pin. This only works for sites that use passkeys instead of passwords. For sites that use passkeys as a 2FA method, one has to still use the phone as the second factor of authentication, as described below.
I use a Google Pixel phone as a nearby passkey authentication device. But any recent version of iOS or Android phone should work.
Some websites allow passkey authentication using a nearby device. In this case, the phone. Once the phone is set up for a particular website for passkey authentication, the website sends a message to the phone and authentication is completed with bio-metric authentication like face recognition or fingerprint using the phone's
camera/sensor.
A QR code from the website may need to be scanned using the phone to crate passkey using a phone.
Bluetooth must work on both the phone and the Ubuntu computer for this to work.
Reference: https://www.passkeys.io/#How-to-use-a-passkey
Additional Software
Instead of using an USB-key like the Google Titan or the Yubikey, or a phone or tablet as additional hardware, You could use a password management software. The only one I have tried is KeePassXC.
KeePassXC (version 2.7.7 and above)
I installed KeePassXC from the PPA and the browser extensions for Chrome and Firefox. In the Settings page of the KeePassXC-Browser Extension, scroll down in the General Tab till you see the Passkeys section. Make sure both
- Enable Passkeys
- Enable PassKeys Fallback
boxes are checked.
I tried this in Firefox and Chrome. The KeePassXC application (and the database) was open in the background and the browser extension was active. I already created the first passkey and took the screenshots during creation of a second passkey under the same account. When I clicked on the Create a passkey button on the web, the following popup showed up from the KeePassXC browser:
Pressing the Cancel button gave me the "Fall back option" of using the USB-Key by showing the Enter PIN popup window:
By entering the PIN of my USB-key, I could create a new passkey and store it in the Google Titan Security Key.
In chrome I could press Use a different passkey button instead of the PIN, and get another popup to store the passkey on my phone:
This option was not available in Firefox.
See the official KeePassXC guide for passkey for more details.
Browser Experiences
I have only tried Chrome and Firefox.
Chrome
I found that it is easier to create new passkeys in Chrome as compared with Firefox. In some sites Firefox won't give me the option to create a passkey, while it would in Chrome.
The creation of a passkey on the USB-key involves entering the PIN and touching the touch-pad on the USB-key when prompted. Chrome also allows creation of a passkey to be kept online by selecting the phone or nearby authentication device. Finally, I could also create a passkey using KeePassXC as long as I had the password database open in the app and the browser extension installed and configured for passkeys.
Once the passkey is created for a website and is stored in the USB-key, the Google Password Manager, or in KeePassXC, I can login to that site by either:
- Plugging in the USB-key, entering the PIN, and touching the touch
pad on the USB-key.
- Selecting my Phone from list of devices and following the
instructions on the phone.
- Clicking on the Authenticate button on the popup from the KeePassXC browser extension.
Note, different websites have taken different approaches to using passkeys. Some use it instead of password. Others use it along with the password as a form of second factor in a two factor authentication process.
Firefox
My experience with Firefox has been flaky. In most sites I can use the passkey in Firefox once it is created using Chrome. One exception I have found is Amazon. I can use the passkey stored in the USB-key or KeePassXc to log into Amazon using Chrome. This option is not offered by Amazon in Firefox.
Firefox does not give me the opportunity to use my phone as the passkey storage and manager.
A list of sites I have tried:
Updated on May 4, 2024
| Site |
Titan Key |
Titan Key |
Phone |
KeepPassXC |
KeepPassXC |
|
Chrome |
Firefox |
Chrome |
Chrome |
Firefox |
| Synology |
Yes |
Yes |
Yes |
Yes |
Yes |
| Amazon |
Yes |
Yes |
Yes |
Yes |
Yes |
| Dropbox |
Yes |
Yes |
Yes |
Yes |
Yes |
| Google |
Yes |
Yes |
Yes |
Yes |
Yes |
| Microsoft |
Yes |
Yes |
Yes |
No |
No |
| Yahoo |
Yes |
Yes |
Yes |
Yes |
Yes |
| Bank of America |
No |
No |
Yes |
|
|
| CVS |
No |
Yes |
No |
No |
No |
| Caremark |
No |
No |
No |
No |
No |
| Home Depot |
No |
No |
No |
No |
No |
| LinkedIn |
No |
No |
No |
No |
No |
Screenshot of the old table
Passkeys should work in all the sites mentioned in the table (and screenshot) above. However, those towards the bottom of the list did not offer the passkey option when I tried to create one.
Home Depot allowed me to create a passkey using KeePassXC, but I didn't get the option to use the passkey when I tried to login.
Summary
I have tried three options for Ubuntu to create and store passkeys for passkey enabled websites:
- Security Key (USB): Disadvantages: There is no way to manually manage or export/import the stored passkeys.
- Nearby Device (Phone): Disadvantages: The passkeys are stored online. There is no way to export/import passkeys. Does not work with Firefox.
- Password Manager (KeePassXC): Advantage: Passkeys are stored locally.
Hope this helps
