Corporate usage with Entra ID Passwordless authentication

[SimbiotVenom]

Hi, guys!
We want to implement "autd" in our corporate environment, but the first problem is the issue of logging into the system of a user who has the Passwordless mode enabled in Entra ID.
The question is: whether in this mode it will be possible to create a PIN or a local password that policies can change, say, once every three months. This is necessary since the user initially does not have a password.
On a Windows PC, this problem is overcome using Web sign-in and the initial setup of Windows Hello,
i.e. the user can use a PIN, fingerprint, and Face ID to log in.
Is it possible to have a similar solution using "autd"?

[adombeck]

Hi, thanks for reaching out!

I'm not sure I understand your question. When a user logs in via authd, they are asked to set a local password, which they can use to authenticate in subsequent login attempts. Does that solve your use case?

Regarding password expiration policies, we currently don't plan to support such policies for the local password. Note that password expiration policies are usually not considered beneficial for security (unless there is evidence of a compromise) and harmful for user experience (see for example this article).

[adombeck]

My question is, is there a mechanism for resetting this local password on the device if the user forgets it?

Yes, when you log in via SSH, you can set a new local password by entering r in the password prompt, then selecting the authentication method "Device Authentication" and completing the authentication. You will then be asked to set a new local password.

[SimbiotVenom]

And what if, the user sitting in front of the device and trying to sign in , and of course the SSH is not configured on that device?
I think we need a button, that will activate the password reset function?

[adombeck]

You can also already reset the password in GDM (GNOME's display/login manager). When you see the "Enter your local password" prompt, click on the back button and choose "Device Authentication". Same as with SSH, you will be asked to set a new local password after successful authentication.

[SimbiotVenom]

That's great solution!
Thanks!

[3v1n0]

In GDM / lockscreen views you can switch authentication method also from the bottom-right "key" icon.