Passwordless Initial Authentication to Kerberos by Hardware Preauthentication

This document specifies an extension to the Kerberos protocol for performing initial authentication of a user without using that user's long-lived password. Any "hardware preauthentication" method may be employed instead of the password, and the key of another principal must be nominated to encrypt the returned credential.