Passwordless Authentication with Yubico | RHEL Presents Ep. 80
Episode 80 was a long time coming after some scheduling and health hiccups, but my cohost Nate Lager and I finally got back in the RHEL Presents chair with two guests from Yubico, Jonathan Hanlon and Dave Pham. The topic was a feature that landed with 9.4: adding FIDO-compliant passkeys, including YubiKeys, to centrally managed users in RHEL’s Identity Manager so they can log in without a password. Nate ran the demos and our Yubico friends filled in the security picture.
A few things worth carrying away from the conversation:
- Passkeys are managed right alongside your users in IdM. Nate created a user in the IdM web console, flipped on passkey authentication, then mapped a YubiKey from the command line with
ipa user-add-passkey --register, PIN and a tap on the key and that user was ready to log in with no password at all. - The private key never leaves the hardware, and a PIN gates its use. Dave explained there’s simply no function to extract the private key from a YubiKey, so even a lost or stolen key is very hard to abuse, especially since the PIN unlocks the credential in the first place.
- The same passkey works well beyond the login screen. Nate pointed out it authenticates sudo escalations, the RHEL web console over a mobile browser, and even his personal Bitwarden vault, which is a nice reminder that this isn’t a one-trick feature.
If you’re tired of chasing password rotation and phishing, this episode is a practical look at what passwordless can look like on RHEL today.


