Passwordless login
Work is happening to support additional login methods in GNOME. This may require changes to the login screen design.
Goals
Authentication methods to support:
- Password
- Fingerprint
- Smartcard (requires PIN)
- Facial recognition
- OAuth2 login with another device (using URL or QR code, possibly a code)
- FIDO2 token (may require PIN)
- Passkey on phone (speculative future goal)
General goals and requirements:
- People generally have a single authentication method that they want to use - focus the user experience on that
- Handle hardware capabilities coming and going:
  - Laptop with docking station case - camera and fingerprint reader might disappear
  - Smartcard readers can be removed
- Handle changes in physical environment which may affect login options:
  - Low lighting might affect facial recognition
  - Wearing gloves might affect fingerprint
  - Being offline will result in OAuth2 being unavailable
  - For passkey on phone, Bluetooth off or phone unavailable
- What should happen when smartcards and FIDO2 keys are inserted and removed?
- Treat password authentication as optional - some organisations will want to disable it, and require more secure authentication methods instead
- Allow organisations to roll out new authentication methods (like smartcard/FIDO2/OAuth2) alongside existing ones - new methods might appear and existing ones might disappear.
- Cases where a user might want to use a different authentication method than the default:
  - Fingerprint or facial recognition is failing (should automatically switch to another method, but maybe you want to preempt that)
  - Your organisation is migrating to a new authentication method - choose the new one
  - Your organisation is migrating between authentication methods, and the new one stopped working
  - Developers/admins - switching between authentication methods for testing
  - ...
Constraints
- Smartcard, FIDO2, and OAuth2 login are only available in managed deployments, where they are set up and configured by an admin
- Outside of managed deployments, we assume that there is a password for the user account and that this is going to be one of the login authentication methods
Future developments
In the future, we may want to make additional login options more generally available. This might include:
- Login with a passkey on a mobile device
- Login with a FIDO2 key
  - FIDO2 without PIN might be interesting for accessibility purposes - if you struggle to remember or input passwords
  - FIDO2 with PIN would be a good option for those wanting a higher level of security. However, this would require:
    - A way to disable password login
    - A recovery mechanism in case you lose your key, or it breaks
Login notes
The current login screen has the following UI elements:
- User avatar and name
- Back button (to return to the user list)
- Password entry field
- Message area
- Session menu
- Banner message
- Logo
Current auth methods include password, fingerprint, smart card. One authentication method is always "foreground". Others are background.
- Password entry field is only shown when password authentication is available.
- Message area only shows messages from the foreground auth method.
- GNOME 2 had a graphical switcher to change the foreground method.
- If the shield is down and a smart card is inserted, we lift the shield and make it foreground.
- Fingerprint only activates when the shield is lifted (we should change that).
- It is possible to configure login to disable password and require smart card.
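The goals above (hardware coming and going, password being optional, users switching methods) and the foreground/background model in these notes can be captured as a small selection policy. The following is an added illustration written for this page, not GDM or GNOME Shell code; the method names, the hardware each method depends on, and the priority order are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed model of the "one foreground method, others background" policy.
# Method and hardware names and the priority order are assumptions for this
# example, not values taken from GDM or GNOME Shell.

# Most specific methods first; password is the fallback of last resort.
METHOD_PRIORITY = ["smartcard", "fido2", "oauth2", "face", "fingerprint", "password"]

# Hardware a method depends on; docks, readers and cameras can come and go.
HARDWARE_REQUIRED = {
    "smartcard": "smartcard_reader",
    "fido2": "fido2_token",
    "face": "camera",
    "fingerprint": "fingerprint_reader",
}


@dataclass
class LoginScreen:
    enabled: Set[str]                                # methods an admin turned on
    hardware: Set[str] = field(default_factory=set)  # hardware currently present
    online: bool = True                              # OAuth2 needs the network
    failed: Set[str] = field(default_factory=set)    # methods that errored this session
    pinned: Optional[str] = None                     # explicit user choice
    foreground: Optional[str] = None
    shown_messages: List[str] = field(default_factory=list)

    def available(self) -> List[str]:
        """Methods that are enabled, have their hardware present and have not failed."""
        out = []
        for m in METHOD_PRIORITY:
            if m not in self.enabled or m in self.failed:
                continue
            hw = HARDWARE_REQUIRED.get(m)
            if hw is not None and hw not in self.hardware:
                continue
            if m == "oauth2" and not self.online:
                continue
            out.append(m)
        return out

    def choose_foreground(self) -> Optional[str]:
        """Honour the user's pick while it works; otherwise take the best available.
        None means the account currently has no way to log in (e.g. password
        disabled and no smartcard reader present)."""
        avail = self.available()
        if self.pinned in avail:
            self.foreground = self.pinned
        else:
            self.pinned = None
            self.foreground = avail[0] if avail else None
        return self.foreground

    def select(self, method: str) -> Optional[str]:
        """User switches to a different method than the default."""
        self.pinned = method
        return self.choose_foreground()

    def show_password_entry(self) -> bool:
        """The password field is only shown when password auth is available."""
        return "password" in self.available()

    def hardware_added(self, hw: str) -> Optional[str]:
        # Newly inserted hardware takes over (e.g. smartcard inserted -> foreground).
        self.hardware.add(hw)
        self.pinned = None
        return self.choose_foreground()

    def hardware_removed(self, hw: str) -> Optional[str]:
        self.hardware.discard(hw)
        return self.choose_foreground()

    def method_failed(self, method: str) -> Optional[str]:
        # Fingerprint/face failing: automatically switch to another method.
        self.failed.add(method)
        return self.choose_foreground()

    def set_online(self, online: bool) -> Optional[str]:
        self.online = online
        return self.choose_foreground()

    def post_message(self, method: str, text: str) -> bool:
        """Only the foreground method's messages reach the message area."""
        if method != self.foreground:
            return False
        self.shown_messages.append(text)
        return True


if __name__ == "__main__":
    screen = LoginScreen(enabled={"password", "fingerprint", "smartcard"},
                         hardware={"fingerprint_reader"})
    print(screen.choose_foreground())                   # fingerprint
    print(screen.hardware_added("smartcard_reader"))    # smartcard
    print(screen.hardware_removed("smartcard_reader"))  # fingerprint
    print(screen.method_failed("fingerprint"))          # password
```

The `None` result from `choose_foreground` is the case the constraints section is guarding against: an admin-disabled password together with missing hardware leaves no foreground method, so a design needs a message for that state rather than an empty screen.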
There are a couple of other modules that can show messages in the message area:
- "Message of the day" - a plugin to show an admin message of the day
- "Last log" - shows the last login, enabled by default in RHEL
The banner message is an optional long text which can be configured by an admin. It's typically used for legal and security warnings (screenshot).
Relevant issues
Relevant art
Windows 11
Facial recognition shows an animated eye with "looking for you" label:
Mac
With password and Touch ID:
Sign in to an account on your Mac with a passkey
Tentative design
See the login/unlock design folder, in particular: