There has been a longtime request from upstream community to allow usage of Web Authentication in Cockpit, specifically using passkeys. One of the main drawbacks with Cockpit's authentication relates to how limited Cockpit is when it comes to authenticating through the browser. Since browsers cannot use SSH keys, one need to utilize username and password or setup a Single Sign-On server to authenticate through that.

Cockpit has an opportunity to enhance our authentication workflow by using passkeys instead of just username and password. This can also synchronize nicely with both SSH login and in theory also Cockpit Client.

Acceptance criteria

• Users can register non-discoverable passkeys within Cockpit
• Users can authenticate with non-discoverable passkeys without entering a username
• Elevating permissions (sudo) should work with passkeys

Known issues

• Bitwarden cannot register passkeys within iframes, Cockpit should therefore register through Cockpit shell