On 2/15/26 2:31 AM, Zoltan Puskas wrote:
> On Sat, Feb 14, 2026 at 09:52:28PM +0100, Andreas Sturmlechner wrote:
>> 3 different USE flags are currently contesting for the same library:
>> - fido2
>> sys-apps/systemd: Enable FIDO2 support
>> - passkey
>> sys-auth/sssd: Add support for FIDO2 passkeys" [sic]
>> - security-key
>> net-misc/openssh: Include builtin U2F/FIDO support
>> Surely we can do better - so which one should it be?
>> Regards
> I think "passkey" is the worst as that's just one of the use cases for hardware
> tokens.
> "fido2" denotes the current most popular standard in use, though most keys also
> support U2F, OTP, PGP, or even smart card functionality. Which one of these is
> used by the software in question can vary. What is most popular now might change
> in the future, and also could be a bit too technical for some users.
> I think probably security-key is the best of these three. It conveys the purpose
> for everyone and clearly denotes 2nd factor or some other hardware token
> feature. The description of the USE flag can add further clarification, like
> the one used for the openssh package.
> Zoltan
I disagree. "security-key" is ambiguous, because it can refer to FIDO2
or a PIV/keycard/PKCS11 device. At least for sys-auth/sssd, "passkey"
refers specifically to enabling FIDO2 passkey support, and not
PIV/keycard/pkcs11 devices, which is built-in and handled by a mandatory
dependency to app-crypt/p11-kit. The ./configure flag is also named "passkey".
As far as "fido2" vs "passkey", here's what
https://www.passkeys.com/what-is-fido2-fido-2-explained says:
Is FIDO2 the Same as Passkeys?
No, FIDO2 and passkeys [https://www.passkeys.com/what-are-passkeys] are
not the same, though they are closely connected. Passkeys are
cryptographic key pairs used within the FIDO2 standard to enable
passwordless authentication.
In other words, FIDO2 is the framework that supports passwordless login,
while passkeys are the mechanism allowing users to authenticate securely
without passwords.
So "fido2" is "implementation/framework name" and "passkey" is "what it
enables support for". Either is fine with me. It depends on how
strongly one feels USE flag should reflect implementation (fido2) vs its
primary implementation (passkey). There are examples of both in portage.