XF 2.3 Passwordless logins with passkeys

First things first, don't panic, don't rush to your customer area, there is no Beta 3 release today! We are likely to be moving the remaining HYS posts to Thursday/Friday, coinciding with those features rolling out to this very forum so we get some extended testing and feedback before they appear in a subsequent Beta.

Next order of business, before we get into what's coming in Beta 3, is a big thank you to Shawn, AKA @digitalpoint. We're big fans of Shawn's work and he's genuinely a stand-up guy, always very willing to help out. Shawn was kindly willing to give us his Security & Passkeys add-on and this gave us the leg up we needed to introduce this feature at rather short notice. It has morphed slightly, and does not entirely replace the add-on, so I suspect it will live on in some form and I'm sure Shawn will communicate that in due course.

So, with all that being said, let's take a look at passkeys support in XenForo 2.3!

What is a passkey?

Passkeys are a secure replacement for passwords and/or second-factor authentication. They take many forms, ranging from physical devices (e.g. YubiKeys) to biometric authentication built into your phone or computer. Some types of passkeys can even be synced across all of your devices: for example, I can set up a passkey using my fingerprint on my MacBook Pro which is then synchronised with my iPhone and authenticated using Face ID. Or you may have a password manager such as Bitwarden or Proton Pass which synchronises your passkeys across different browsers and devices.

They are extremely secure, extremely easy to set up and extremely easy to use.

Adding a passkey in XF 2.3

Passkeys can be managed for your account under Account > Password and security. To kick the process off you simply click "Add passkey" which, in supported browsers, will invoke some sort of interface, usually served by your browser, device, or password manager.

Let's look at the process in more detail via an iPhone:

It's that easy! From that point forward, not only will you be able to use your passkey for logging in, it also enables any of your current or future passkeys to be used as two-factor authentication.

Passwordless login

It's just as easy using a passkey as it is to add one. Let's take a look at the login flow with the passkey I just created:

No need to enter your password. No need to even enter your username! Just tap "Log in using: Passkey" and follow your device's prompts and you'll be logged in!

We've just rolled this out here so have a play around and let us know your thoughts!

So after some work with Proton direct, the majority if not all issues with their app should be sorted.

If anyone is still having issues with Passkeys and Proton on mobile with XF, let me know and I should be able to run through some steps to sort it, or locate a different issue.

For now it will just cover signing in here at XenForo.com

I just tested it again and it seems to work. This was via the PWA on my phone.

I deleted the old passkey, and I started setting up a new one on my pixel 8 pro with proton pass.

The passkey created fine, on mobile vs limited to desktop app creation.

We support logging in to the admin control panel with passkeys starting with Beta 4:

All good for me - seems to have sorted two issues I was having: 1) I can now create a Windows Hello passkey for xenforo.com on my laptop which was previously refusing to work, 2) I was able to create new xenforo.com passkeys for each of my 3 YubiKeys and use them to log in - including using one of them to log in on a different device.

I have confirmed this, I have reported it to Proton as I think it's a Chrome integration issue.

Update. It seems that Proton Pass and Firefox Android are doing the same thing as before.

Same menu as my error with Edge and Proton Pass on my Pixel 8 Pro.

Now if only using Passkeys (or any other two-step method) didn't unsubscribe the PWA app from push notifications... 😕

I was listening to @Steve Gibson talk about passkeys on Security Now this week and he discussed this recent article:

The segment of the podcast, which is worth listening to, is this following episode starting at 1hr 19min 15sec

If you want to skip the background intro about the author and concept of enshittification, they discuss the article itself at 1hr 33min 50sec

I think it's wonderful that XF & DP have helped make this work on XF so that those who want to use them can, but it does seem the concept as a whole may not last the test of time, at least not in its current state.

The potential vendor lock-in to manage passkeys, combined with the inability for users to easily visualise a mental model of how they're actually working, really hinders adoption.

The lack of a clear mental model of how they work and what's being stored is the key thing for me, and I think it's that which has caused my hesitation in using them at all, and so I have firmly stuck with passwords and 2FA for anything important. Reading in the article linked above about Apple Keychain losing passkeys is also incredibly concerning (even though I'd be keeping mine in a platform-agnostic manager such as Bitwarden).

If Apple can't make this work reliably even though it's supposed to be tried, tested and ready for the mainstream, how are tech savvy people such as ourselves supposed to help explain and onboard friends, family and members of our forums to this wonderful new passwordless system? A system which has been altered and had key functionality removed from the initial spec, purely because Chrome and Google chose not to implement it for their own biased business reasons.

It's a shame SQRL (Secure Quick Reliable Login) never really came to the attention of those who decided passkeys should be the successors to passwords, as it seems that system could potentially be more robust and user friendly in the long run.

This is an excellent feature.

There's a significant implementation detail, though: I just enabled it here, and didn't notice any warning before doing so. However, if I didn't know what I was doing, I might've been an idiot with just one security key, and might've not checked for backup methods. The result would be I'd have one key or TOTP device (which could get lost or broken), and only backup codes (which I might not have checked and recorded anywhere) as secondary.

Enabling 2FA needs to come with a big warning, because inevitably, people are going to enable it without having enabled adequate alternative access methods. They'll get locked out, and then create administrative headaches. If a forum's staff disables 2FA for anyone who claims to have lost their second factor, 2FA doesn't do any good anymore, except against low-end fully-automated attacks which can almost always be prevented, without 2FA, simply by a decent password that's not been reused. On the other hand, if a forum's staff refuses to help someone who's lost a 2FA key, they're mean totalitarians.

High-value sites are different, but the vast majority of forum accounts are relatively low-interest for hackers, and won't be subject to phishing attacks, or have custom malware exfiltrating users' passwords. Therefore, impressing upon users the gravity of enabling 2FA, and the need for reliable backup methods, seems like it might be called for, by default, even if it scares a few out of enabling it.
Is XenForo 2.3 using the wrong FIDO2/WebAuthn mode to configure authentication? (Note: this is in regard to 2FA, see addendum below.) I have a YubiKey (regular FIDO, not the 5-series) set up for several other sites, and this is the only one with a credential listed.

> ykman fido credentials list
WARNING: PC/SC not available. Smart card (CCID) protocols will not function.
Enter your PIN:
hexhexhex...    xenforo.com  abc@domain.com

That's the only credential listed, but this forum isn't the only (nor even the most recently configured) site I've set up to use the security key. Something's amiss.

Forgot to mention: I'm talking about the security key as 2FA login mechanism. I know there's the password-substitute functionality of fido2, as well, but what I'm concerned about is using up a slot for 2FA (and writing to flash unnecessarily?) when as far as I can tell it's unnecessary and highly non-standard.

Further testing: the security key I thought I had added (and only ever used before) for 2FA only, really functions as 1FA if I click the use passkey link instead of using username and password. The account security page says 2FA is enabled via passkeys or backup codes; that appears to be misleading. Setting up 2FA ends up with 1FA using only the security key, as far as I can tell. It misleadingly appears to be 2FA if you go to the trouble of using username and password first, instead of clicking on the passkey link (which I'd ignored before, I thought all those links were 3rd party SSO options and never paused to read each one).

Security key setup needs to be explicitly for 1FA or 2FA, not both (both implies 1FA, but misleads about 2FA). And please check how 2FA is initialized and used for security keys; I think credentials are mistakenly being used for that, as mentioned above.