XF 2.3 Passwordless logins with passkeys

First things first, don't panic, don't rush to your customer area, there is no Beta 3 release today! We are likely to be moving the remaining HYS posts to Thursday/Friday, coinciding with those features rolling out to this very forum so we get some extended testing and feedback before they appear in a subsequent Beta.

Next order of business, before we get into what's coming in Beta 3, is a big thank you to Shawn, AKA @digitalpoint. We're big fans of Shawn's work and he's genuinely a stand-up guy, always very willing to help out. Shawn was kindly willing to give us his Security & Passkeys add-on and this gave us the leg up we needed to introduce this feature at rather short notice. It has morphed slightly, and does not entirely replace the add-on so I suspect it will live on in some form and I'm sure Shawn will communicate that in due course.

So, with all that being said, let's take a look at passkeys support in XenForo 2.3!

What is a passkey?

Passkeys are a secure replacement for passwords and/or second factor authentication. They take many forms ranging from physical devices (e.g. YubiKeys) to biometric authentication built into your phone or computer. Some types of passkeys can even be synced across all of your devices, for example I can set up a passkey using my fingerprint on my MacBook Pro which is then synchronised with my iPhone and authenticated using FaceID. Or you may have a password manager such as Bitwarden or Proton Pass which synchronise your passkeys across different browsers and devices.

They are extremely secure, extremely easy to set up and extremely easy to use.

Adding a passkey in XF 2.3

Passkeys can be managed for your account under Account > Password and security. To kick the process off you simply click "Add passkey" which, in supported browsers, will invoke some sort of interface, usually served by your browser, device, or password manager.

Let's look at the process in more detail via an iPhone:



It's that easy! From that point forward, not only will you be able to use your passkey for logging in, it also enables any of your current or future passkeys to be used as two-factor authentication.

Passwordless login


It's just as easy using a passkey as it is to add one. Let's take a look at the login flow with the passkey I just created:




No need to enter your password. No need to even enter your username! Just tap "Log in using: Passkey" and follow your device's prompts and you'll be logged in!

We've just rolled this out here so have a play around and let us know your thoughts!
 
Login with Passkey not working.
Saying this

 
2) I know it's pedantic, but this isn't exactly "passwordless". Yes, we don't need to enter our password to log in - and I especially like the not even needing to enter our username to get into the forums. But my password still exists in your user database, and ideally we should include an option to remove the password completely.
One problem I can see with doing that is if you are connecting via remote to a headless device.
If you do not have access to the device, I have run into a couple of times that using the YubiKey I was given does not transfer across the remote connection.
If it is made as a preference option, a warning about this being possible might be appropriate and the ability to fall back to a different method should be allowed. I do not know if 2FA uses the password of your account in addition to the 6 digits.
 
10? 5 is probably enough for a lot. I could have, at most, 3 that I can think of (Win11 laptop if I implement Hello and an Android phone and tab). Not sure what else I would set up as a key. Anything else I use belongs to work or is shared with my spouse.

For the important sites I use, I have the following passkeys set up:
  • 1Password (most convenient because it will sync to all devices)
  • Windows Hello on my desktop
  • Windows Hello on my laptop (fingerprint unlock!)
  • YubiKey Nano that lives in my desktop
  • YubiKey USB-C / NFC that lives on my keyring and gets used for my laptop and phone when I'm away from the office
  • YubiKey USB-A / NFC that lives in a fireproof safe
It's overkill - especially since 1Password gets used 99% of the time given the convenience, but some of the sites/services I use I have moved to true passwordless operation (there is no password - cannot log in without a passkey), so I wanted to make sure there was some redundancy in place.

If my house burns down and my desktop/laptop/phone get destroyed, I could potentially be locked out of some critical sites and systems - which would make a traumatic experience even worse.

I have come across at least one site which only allows you to add a couple of passkeys and that was very frustrating. It's almost as bad if they don't allow you to set a description of what the passkey is from - because I need to be able to identify which is which if I ever need to deactivate them.

As an aside - I'm equally frustrated with the number of sites that insist on using SMS for 2FA, even when passkeys are in place - because cases of SIM swapping have skyrocketed in recent years. SMS should never be used for 2FA for any critical systems.
 
As an aside - I'm equally frustrated with the number of sites that insist on using SMS for 2FA, even when passkeys are in place - because cases of SIM swapping have skyrocketed in recent years. SMS should never be used for 2FA for any critical systems.
Tell me about it. Give me an authenticator or passkey system please. I am increasingly frustrated by our governments up here who either don't have 2FA or insist on SMS or phone-based 2FA. How hard can it be to support authenticator apps when a fairly inexpensive, off-the-rack piece of forum software like XenForo can do it? Ditto passkeys.
 
For the important sites I use, I have the following passkeys set up:
  • 1Password (most convenient because it will sync to all devices)
  • Windows Hello on my desktop
  • Windows Hello on my laptop (fingerprint unlock!)
  • YubiKey Nano that lives in my desktop
  • YubiKey USB-C / NFC that lives on my keyring and gets used for my laptop and phone when I'm away from the office
  • YubiKey USB-A / NFC that lives in a fireproof safe

I've only been using passkeys for a month or so - got them set up after I was alerted to someone trying what looked like a credential-stuffing attack on my Microsoft account (Microsoft have a really good UI for managing this type of alert!).

But just thinking about my passkeys for a bit, based on my experience using them with 1Password + Windows + YubiKeys, I'd make the following recommendations for anyone considering getting passkeys set up:
  • 1Password really is very convenient - it takes over the web UI for 2FA and does all the heavy lifting for you. It's especially easy if you have it integrated with Windows Hello for fingerprint authentication making it really easy to log in to 1Password.
    • The fact that it will sync to all your devices and your 1Password cloud account means that you naturally have backup for all your passkeys - you'll have access to them on your phone if you can't get into your desktop, etc
    • Just make sure you have a backup passkey in place for your 1Password account! :oops:
  • Windows Hello is also very easy to use - I don't have fingerprint or face scanning on my desktop, but I do have a PIN set up, which makes it very easy to log in and authenticate passkeys etc. The fact that the passkeys are tied to the physical computer makes it relatively secure.
    • Did I mention how much I love fingerprint scanning for log in. My laptop makes it so easy to use!
  • The workflow for accessing YubiKeys is a bit convoluted - to the point where I almost never use them in day-to-day operation. I'm glad I bought them as backup, but three of them was probably unnecessary given how much of the heavy lifting is done by 1Password and/or Windows Hello. I'd still recommend at least one YubiKey as a backup device - especially if you don't have multiple computers with Windows Hello passkeys set up.
I will also note that I don't use my phone that much to access these critical systems - so I have limited experience in using passkeys in that environment at this point. I do have 1Password on my phone and I carry an NFC YubiKey with me, so in theory it should be pretty straightforward.

I'm about to go on a 2 week road trip, so we'll see what my experience is with passkeys while I'm away.
 
1Password really is very convenient - it takes over the web UI for 2FA
I recently watched (via screen sharing) someone connecting to a site and logging in - including the 2FA - with 1Password, and my main thought was "OK, very convenient, but that just defeated the 2FA".
 
I recently watched (via screen sharing) someone connecting to a site and logging in - including the 2FA - with 1Password, and my main thought was "OK, very convenient, but that just defeated the 2FA".

Not really - you've had to authenticate with 1Password already - so at that point, the interaction is "trusted". Setting up 1Password on a new device is very much NOT trivial - so once you've set it up and authenticated, there is already a very high level of trust established. You cannot access 1Password with only a username and password - not even via their website.

Similarly with Windows Hello - you set up the trust ahead of time, secured by a PIN, fingerprint, facescan, etc, and tied to your physical computer - you can't access the site without already being logged in to your computer, so the trust is already established.
 
Not really - you've had to authenticate with 1Password already - so at that point, the interaction is "trusted". Setting up 1Password on a new device is very much NOT trivial - so once you've set it up and authenticated, there is already a very high level of trust established. You cannot access 1Password with only a username and password - not even via their website.

Similarly with Windows Hello - you set up the trust ahead of time, secured by a PIN, fingerprint, facescan, etc, and tied to your physical computer - you can't access the site without already being logged in to your computer, so the trust is already established.
Mmm, yes but... I still feel like it removes at least part of the second layer. Will ponder it some more... (I have used 1Password already btw, just not for 2FA.)
 
Mmm, yes but... I still feel like it removes at least part of the second layer. Will ponder it some more... (I have used 1Password already btw, just not for 2FA.)

I had the same questions before I started using it, so I get it.

You do need to be comfortable with finding the right balance between convenience and security.

As I mentioned previously - the key is "trust". You need to decide what bits you are happy to trust and then build on that.
 
I recently watched (via screen sharing) someone connecting to a site and logging in - including the 2FA - with 1Password, and my main thought was "OK, very convenient, but that just defeated the 2FA".
Over and over again, I see the vast number of people using 2FA having both their 2FA and their credentials manager together on the same device(s). That's not true 2FA, and no different than if they're both in the same system/service. If you're using 2FA then you already have digital security principles in use, and the idiom of what you have and what you know is still met with 2FA inside the same system/service.
 
I think we also need to be a bit careful about differentiating passkeys from 2FA. Yes, passkeys can be used for 2FA, but they can also be used to bypass login completely (as per the passwordless login option in XF 2.3), which means no 2FA.

So, if you have an unprotected passkey (for example, a YubiKey without a PIN), then anyone in possession of that device can log into your accounts.

As such, passkeys do need protection as well.

For the three types of passkey I use, they all have another layer of protection:
  • 1Password requires my secret key and login credentials to get access to my vaults, and then once set up, requires either my password or my fingerprint to access
  • Windows Hello requires access to the physical computer, but then also requires one of my Windows Hello authentication options: my PIN or my fingerprint
  • YubiKeys require the physical device, but I also have a PIN set on them.
So even if I'm using a passkey to bypass login - I'm still getting 2FA protection because there is always a second factor required to be able to access the passkeys.
 
Yay - just used one of my YubiKeys to log into my Microsoft account on a PC I'm installing a fresh copy of Windows 11 on - saves me typing in my very long and random password, which is always the most painful part of setting up a new PC. This alone has made the cost of the YubiKey worthwhile in my opinion 🎉
 
For many years I carried a SecurID dongle (went through 2 or 3 variations in shape and size) and I was pleased when my organisation moved to software tokens on smartphones instead, even if it feels (and I think, is) a little less secure.
Thankfully the dongles didn't suffer when put through a wash cycle :D but even still, having an extra device to remember is quite undesirable for the forgetful... So I think I'll be quite happy for a while yet to stay with the many phone-compatible variants for providing extra factors, given the level of security that I deem appropriate for what I do.
 
So I think I'll be quite happy for a while yet to stay with the many phone-compatible variants for providing extra factors, given the level of security that I deem appropriate for what I do

Does your phone based 2FA authenticator get backed up? Have you considered what happens if you lose access to your phone (lost/stolen/broken)?

I know Google Authenticator is now supposed to be stored in your Google account as backup, which is a big step forwards compared to the previously - although I've not been in the situation where I've needed to test it since they implemented it around this time last year.

Either way, do you also have 2FA set up on your Google account that doesn't require Google Authenticator to access so you can still access your Google account without your phone?

These are the types of questions that I lose sleep over - will losing access to my phone lock me out of my accounts?
 
I shall be ensuring this feature is switched off. For some reason I am now restricted to laptop access only, phone or iPad need a key and wants me to scan barcodes, and even then won't let me in. If I don't understand it then my senior membership don't stand a chance.:)
 
Next order of business, before we get into what's coming in Beta 3, is a big thank you to Shawn, AKA @digitalpoint. We're big fans of Shawn's work and he's genuinely a stand up guy, always very willing to help out. Shawn was kindly willing to give us his Security & Passkeys add-on and this gave us the leg up we needed to introduce this feature at rather short notice. It has morphed slightly, and does not entirely replace the add-on so I suspect it will live on in some form and I'm sure Shawn will communicate that in due course.

So, with all that being said, let's take a look at passkeys support in XenForo 2.3!
Awesome addition. Thanks @digitalpoint for your donated code :)

Recently upgraded my phone so have been setting up passkeys along with existing YubiKeys. Using both 1Password with Proton Pass as backup :D

edit: nothing happens when I use the Opera One 108.0.5067.29 browser when adding a passkey so far

edit2: aha, not enabled by default in Opera One

Unfortunately it's still not working in the Opera One browser on Windows 10. But I can add my mobile device as a passkey, and YubiKey 5 NFC keys via my mobile, in the Brave browser. But they don't authenticate properly on login: it says no security passkey was found on mobile, and the YubiKey authenticates but doesn't redirect to the logged-in page; it just sits there and I'm not logged in.

 
Does your phone based 2FA authenticator get backed up? Have you considered what happens if you lose access to your phone (lost/stolen/broken)?

I know Google Authenticator is now supposed to be stored in your Google account as backup, which is a big step forwards compared to the previously - although I've not been in the situation where I've needed to test it since they implemented it around this time last year.

Either way, do you also have 2FA set up on your Google account that doesn't require Google Authenticator to access so you can still access your Google account without your phone?

These are the types of questions that I lose sleep over - will losing access to my phone lock me out of my accounts?
Yup, I have lost sleep over this kind of thing a couple of times myself. I think that I've currently got things set up in such a way that I could lose my phone and still have multiple backup options to recover everything, but now and then I experience doubts! :) (So I think I need to sit down and really think it through properly again some day soon...)
 
I'm not one of those people who needs everything to be the most secure ever. Simply having passkeys, a password manager with long, secure random passwords, is already miles better than the vast majority of Earth. I tend to have 30 char passwords generated minimum, unless a site doesn't allow more than like 12, 20, etc.
 