XF 2.3 Passwordless logins with passkeys

First thing's first, don't panic, don't rush to your customer area, there is no Beta 3 release today! We are likely to be moving the remaining HYS posts to Thursday/Friday, coinciding with those features rolling out to this very forum so we get some extended testing and feedback before they appear in a subsequent Beta.

Next order of business, before we get into what's coming in Beta 3, is a big thank you to Shawn, AKA @digitalpoint. We're big fans of Shawn's work and he's genuinely a stand up guy, always very willing to help out. Shawn was kindly willing to give us his Security & Passkeys add-on and this gave us the leg up we needed to introduce this feature at rather short notice. It has morphed slightly, and does not entirely replace the add-on so I suspect it will live on in some form and I'm sure Shawn will communicate that in due course.

So, with all that being said, let's take a look at passkeys support in XenForo 2.3!

What is a passkey?​

Passkeys are a secure replacement for passwords and/or second factor authentication. They take many forms ranging from physical devices (e.g. Yubikeys) to biometric authentication built in to your phone or computer. Some types of passkeys can even be synced across all of your devices, for example I can setup a passkey using my fingerprint on my MacBook Pro which is then synchronised with my iPhone and authenticated using FaceID. Or you may have a password manager such as Bitwarden or Proton Pass which synchronise your passkeys across different browsers and devices.

They are extremely secure, extremely easy to set up and extremely easy to use.

Adding a passkey in XF 2.3​

Passkeys can be managed for your account under Account > Password and security. To kick the process off you simply click "Add passkey" which, in supported browsers, will invoke some sort of interface, usually served by your browser, device, or password manager.

Let's look at the process in more detail via an iPhone:



It's that easy! From that point forward, not only will you be able to use your passkey for logging in, it also enables any of your current or future passkeys to be used as two-factor authentication.

Passwordless login​


It's just as easy using a passkey as it is to add one. Let's take a look at the login flow with the passkey I just created:




No need to enter your password. No need to even enter your username! Just tap "Log in using: Passkey" and follow your device's prompts and you'll be logged in!

We've just rolled this out here so have a play around and let us know your thoughts!
 
Click to expand...
Slavik said:
So after some work with Proton direct, the majority if not all issues with their app should be sorted.

If anyone is still having issues with Passkeys and Proton on mobile with XF, let me know and I should be able to run through some steps to sort it, or locate a different issue.

For now it will just cover signing in here at XenForo.com
Click to expand...
I just tested it again and it seems to work. This was via the pwa on my phone.

I deleted the old passkey, and I started setting up a new one on my pixel 8 pro with proton pass.

The passkey created fine, on mobile vs limited to desktop app creation.
 
We supporrt logging in to the admin control panel with passkeys starting with Beta 4:

1712856300656.webp
 
Slavik said:
So after some work with Proton direct, the majority if not all issues with their app should be sorted.

If anyone is still having issues with Passkeys and Proton on mobile with XF, let me know and I should be able to run through some steps to sort it, or locate a different issue.

For now it will just cover signing in here at XenForo.com
Click to expand...

All good for me - seems to have sorted two issues I was having: 1) I can now create a Windows Hello passkey for xenforo.com on my laptop which was previously refusing to work, 2) I was able to create new xenforo.com passkeys for each of my 3 yubikeys and use them to log in - including using one of them to log in on a different device.
 
Slavik said:
I have confirmed this, I have reported it to proton as I think its a chrome integration issue.
Click to expand...
Update. It seems that Proton Pass and Firefox Android are doing the same thing as before.

KensonPlays

XF 2.3 Post in thread 'Passwordless logins with passkeys'

Chris D said:
@Slavik is using Proton Pass and Android and while he ran into an issue initially, after refreshing the page it works fine. He is just testing another device.

Are you able to try again and document the steps or even screen record them?
Click to expand...
Tried both Chrome and Edge, both only give these options here in this site:

Screenshot_20240329-141637.webp


I usually create them with Proton on PC, but it's not showing Proton as an option for any of those 4 choices.

Same menu as my error with Edge and Proton Pass on my Pixel 8 Pro.
 
Now if only using Passkeys (or any other two-step method) didn't unsubscribe PWA app from push notifications... 😕

digitalpoint

Post in thread '"Lost" push subscriptions for iOS PWA'

I was able to pinpoint another place that push notifications are being forcibly unsubscribed when they shouldn't be... When a user needs to redo their two-step authentication, the two-step page has no XF.config.userId set, so the browser (and PWA) is told to unsubscribe from push notifications.

JavaScript: 
if (XF.config.userId && isExpectedServerKey(subscription))
{
    XF.Push.updateUserSubscription(subscription, 'update');
}
else
{
    subscription.unsubscribe();
    XF.Push.updateUserSubscription(subscription, 'unsubscribe');
}

The browser/PWA is left in a state where...
  • Like
 
I was listening to @Steve Gibson talk about about passkeys on Security Now this week and he discussed this recent article:

Passkeys: A shattered dream | Hacker News

news.ycombinator.com news.ycombinator.com

The segment of the podcast, which is worth listening to, is this following episode starting at 1hr 19min 15sec

If you want to skip the background intro about the author and concept of enshittification, they discuss the article itself at 1hr 33min 50sec

twit.tv

Passkeys: A Shattered Dream? | TWiT.TV

GCHQ: No more default passwords for consumer IoT devices!What happened with Chrome and 3rd-party cookies?Race conditions and multi-threadingGM 'accidentally' enrolled millions into…
twit.tv

I think it's wonderful that XF & DP have helped make this work on XF so that those who want to use them, can, but it does seem the concept as a whole may not last the test of time, at least not in it's current state.

The potential vendor lock in to manage passkeys, combined with the inability for users to easily visualise a mental model of how they're actually working, really hinders adoption.

The lack of a clear mental model of how they work and what's being stored is the key thing for me, and I think it's that, which has caused my hesitation in using them at all and so I have firmly stuck with passwords and 2FA for anything important. Reading in the article linked about about Apple keychain losing passkeys is also incredibly concerning (even though I'd be keeping mine in a platform agnostic manager such as Bitwarden).

If Apple can't make this work reliably even though it's supposed to be tried, tested and ready for the mainstream, how are tech savvy people such as ourselves supposed to help explain and onboard friends, family and members of our forums to this wonderful new passwordless system? A system which has been altered and had key functionality removed from the initial spec, purely because Chrome and Google chose not to implement it for their own biased business reasons.

It's a shame SQRL (Secure Quick Reliable Login) never really came to the attention of those who decided passkeys should be the successors to passwords, as it seems that system could potentially be more robust and user friendly in the long run.
 
Top Bottom