On Sun, Feb 15, 2026 at 03:28:23AM -0600, Christopher Byrne wrote:
> 
> 
> On 2/15/26 2:31 AM, Zoltan Puskas wrote:
> > On Sat, Feb 14, 2026 at 09:52:28PM +0100, Andreas Sturmlechner wrote:
> > > 3 different USE flags are currently contesting for the same library:
> > > 
> > > - fido2
> > >      sys-apps/systemd: Enable FIDO2 support
> > > 
> > > - passkey
> > >      sys-auth/sssd: Add support for FIDO2 passkeys" [sic]
> > > 
> > > - security-key
> > >      net-misc/openssh: Include builtin U2F/FIDO support
> > > 
> > > 
> > > Surely we can do better - so which one should it be?
> > > 
> > > Regards
> > 
> > I think "passkey" is the worst as that's just one of the use cases for
> > hardware tokens.
> > 
> > "fido2" denotes the current most popular standard in use, though most keys
> > also support U2F, OTP, PGP, or even smart card functionality. Which one of
> > these is used by the software in question can vary. What is most popular
> > now might change in the future, and also could be a bit too technical for
> > some users.
> > 
> > I think probably security-key is the best of these three. It conveys the
> > purpose for everyone and clearly denotes 2nd factor or some other hardware
> > token feature. The description of the USE flag can add further
> > clarification, like the one used for the openssh package.
> > 
> > Zoltan
> 
> I disagree. "security-key" is ambiguous, because it can refer to FIDO2 or a
> PIV/keycard/PKCS11 device. At least for sys-auth/sssd, "passkey" refers
> specifically to enabling FIDO2 passkey support, and not PIV/keycard/pkcs11
> devices, which is built-in and handled by a mandatory dependency to
> app-crypt/p11-kit. The ./configure flag is also named "passkey".
> 
> As far as "fido2" vs "passkey", here's what
> https://www.passkeys.com/what-is-fido2-fido-2-explained says:
> 
> Is FIDO2 the Same as Passkeys?
> 
> No, FIDO2 and passkeys [https://www.passkeys.com/what-are-passkeys] are not
> the same, though they are closely connected. Passkeys are cryptographic key
> pairs used within the FIDO2 standard to enable passwordless authentication.
> 
> In other words, FIDO2 is the framework that supports passwordless login,
> while passkeys are the mechanism allowing users to authenticate securely
> without passwords.
> 
> So "fido2" is "implementation/framework name" and "passkey" is "what it
> enables support for". Either is fine with me. It depends on how
> strongly one feels a USE flag should reflect implementation (fido2) vs its
> primary implementation (passkey). There are examples of both in portage.
> 

Keycard != security key. Nobody in the industry calls PKCS11 or even NFC cards
security keys, and definitely not the users. The phrase "security key" pretty
much refers only to the YubiKey and similar USB devices. This can be easily
confirmed with a simple search in a search engine of your choice.

Passkey is just one of the use cases of the FIDO2 standard, as you've also
pointed out, and I think it would be a misleading naming convention.

Since we already have a 'pkcs11' USE flag, in that spirit even the 'fido2'
naming would be preferable to 'passkey'.

Zoltan
