The world is moving toward more modern and secure authentication methods. This transition is driven by a global push for Zero Trust Architecture (ZTA), which many organizations are adopting as a security mandate.

In this context, the FreeIPA, SSSD, and GNOME Display Manager (GDM) ecosystems have been working to meet these evolving demands.

As a result, GDM has received several improvements to enhance the authentication experience. Two new mechanisms have been added: passkeys and external IdP (web login). Users can now choose among the supported authentication mechanisms, and the PAM conversation has been extended to support this new scenario with multiple authentication options.

In this talk, we’ll cover what the GDM authentication architecture looks like and how it handles PAM conversations. We will discuss the new PAM extension that uses JSON messages to support these mechanisms, the changes made in GDM to allow selecting different authentication methods, upcoming enhancements, and provide a demonstration of the current implementation.