XF 2.3 Passwordless logins with passkeys

First things first: don't panic, don't rush to your customer area, there is no Beta 3 release today! We are likely to be moving the remaining HYS posts to Thursday/Friday, coinciding with those features rolling out to this very forum so we get some extended testing and feedback before they appear in a subsequent Beta.

Next order of business, before we get into what's coming in Beta 3, is a big thank you to Shawn, AKA @digitalpoint. We're big fans of Shawn's work and he's genuinely a stand-up guy, always very willing to help out. Shawn was kindly willing to give us his Security & Passkeys add-on and this gave us the leg up we needed to introduce this feature at rather short notice. It has morphed slightly, and does not entirely replace the add-on, so I suspect it will live on in some form and I'm sure Shawn will communicate that in due course.

So, with all that being said, let's take a look at passkeys support in XenForo 2.3!

What is a passkey?

Passkeys are a secure replacement for passwords and/or second factor authentication. They take many forms ranging from physical devices (e.g. Yubikeys) to biometric authentication built into your phone or computer. Some types of passkeys can even be synced across all of your devices, for example I can set up a passkey using my fingerprint on my MacBook Pro which is then synchronised with my iPhone and authenticated using FaceID. Or you may have a password manager such as Bitwarden or Proton Pass which synchronises your passkeys across different browsers and devices.

They are extremely secure, extremely easy to set up and extremely easy to use.

Adding a passkey in XF 2.3

Passkeys can be managed for your account under Account > Password and security. To kick the process off you simply click "Add passkey" which, in supported browsers, will invoke some sort of interface, usually served by your browser, device, or password manager.

Let's look at the process in more detail via an iPhone:



It's that easy! From that point forward, not only will you be able to use your passkey for logging in, it also enables any of your current or future passkeys to be used as two-factor authentication.

Passwordless login


It's just as easy using a passkey as it is to add one. Let's take a look at the login flow with the passkey I just created:




No need to enter your password. No need to even enter your username! Just tap "Log in using: Passkey" and follow your device's prompts and you'll be logged in!

We've just rolled this out here so have a play around and let us know your thoughts!
 
It's ok. It's a good point though. I don't know why this button in particular is behaving like that.

EDIT: Looks like it's an explicit rule applied because it's in a block-header 🤷‍♂️
 
But for some reason, I can't use it on desktop. From Bitwarden I always get this when trying to login with Passkey:

But in Bitwarden I can see the passkey is created and I could login with passkey via iPhone, but only once. Now I can't login on iPhone with passkey anymore. When I fill the details from Bitwarden, nothing happens. The login procedure does not continue.
 
But for some reason, I can't use it on desktop. From Bitwarden I always get this when trying to login with Passkey:

But in Bitwarden I can see the passkey is created and I could login with passkey via iPhone, but only once. Now I can't login on iPhone with passkey anymore. When I fill the details from Bitwarden, nothing happens. The login procedure does not continue.

We are tracking this internally. We're not quite sure why this is happening yet, though we are looking into it.

This is the kind of functionality that makes me want to migrate my forums back to Xenforo. Now, about that new editor...

:p
It's coming in 3.0!
 
This is brilliant.

After recently moving to use passkeys extensively across many sites and devices, and implementing Shawn's addon on several of my XF 2.2 forums, I was thinking this really should be part of the core.

I can now log in to xenforo.com forums very easily using:
  • a single click when I'm already logged in to 1Password
  • using my fingerprint on my laptop
  • using my YubiKey nano that lives in my desktop workstation
  • using my YubiKey USB-C that lives on my keychain (includes NFC support for use with my Android device)
  • using my YubiKey USB-A that lives in a fireproof safe just in case
A couple of points @Chris D:

1) it would be useful to have this additional passkey option for 2FA in the XenForo customer area. I did just discover you've implemented Google Authenticator in the customer area, which is great (and I've now enabled) - so I'm hopeful you'll be able to add support for passkeys in due course as well?

2) I know it's pedantic, but this isn't exactly "passwordless". Yes, we don't need to enter our password to log in - and I especially like the not even needing to enter our username to get into the forums. But my password still exists in your user database, and ideally we should include an option to remove the password completely.

I get that there's a lot of potential for increased customer support issues with a true passwordless setup - so perhaps this is something that could be made optional so that I can at least set up my admin users on my forums to not use passwords? You could combine it with an option to reset 2FA and/or change the admin password from the XF CLI as a backup.

To be fair - given I use 1Password extensively, all of my passwords are long and random and I have no idea what they are, so having any of the forums I use be compromised has minimal impact if someone was able to discover what my password actually is. But true passwordless means no passwords at all.

Just a thought.

Either way - I am very happy to see this implemented, congratulations and thanks @digitalpoint for your initial implementation - I was very impressed when I installed it on some of my sites recently.
 
1) it would be useful to have this additional passkey option for 2FA in the XenForo customer area. I did just discover you've implemented Google Authenticator in the customer area, which is great (and I've now enabled) - so I'm hopeful you'll be able to add support for passkeys in due course as well?
Yes, we will probably add it to "XFS" at some point, though the set up there is a little different.

2) I know it's pedantic, but this isn't exactly "passwordless". Yes, we don't need to enter our password to log in - and I especially like the not even needing to enter our username to get into the forums. But my password still exists in your user database, and ideally we should include an option to remove the password completely.
To be pedantic also, we are claiming it's a "passwordless login" not an entirely passwordless environment. But I take your point.

I'm not sure that's exactly the route we want to go down, but technically XF does support passwordless accounts. We have the NoPassword authentication scheme, so an add-on developer could find it is trivial to completely force a passwordless environment if they wanted to.

Thanks for the feedback either way!
 
I'm not sure that's exactly the route we want to go down, but technically XF does support passwordless accounts. We have the NoPassword authentication scheme, so an add-on developer could find it is trivial to completely force a passwordless environment if they wanted to.
Yes, I discovered that a few years ago and used it in my Archive Site addon - I've used it to remove all passwords from a site that we made read-only. I was quite impressed that someone had the forethought to include this option.
 
It exists entirely due to the connected accounts stuff. If you sign up with, e.g. Facebook, we don't ask customers to set a password as well, we just set XF:NoPassword as the auth scheme.
 
I like that you are accepting code from an exceptional developer and using it as a basis for implementation of the functionality. It would be nice if this could be repeated in very specific cases.

This is by no means the first time it has happened. @Chris D's own Xen Media Gallery addon became XenForo Media Gallery and they took cues from my own Composer Tutorial to implement Composer support in addons for XF 2.1
 
I've always had a little strangeness with the addon (not Shawn's fault--more like the way it's handled in different environments). This is what happens for me:

Targeting Windows Hello:

Que pasa? No Windows Hello.

Closing this dialog or pressing Cancel leaves me nowhere, with a greyed out "Add passkey" button:

I have a couple other sites (non-XF) that use Hello similarly and they work OK but I can't remember what they are, at the moment.

I get the same result in Chrome as I do in MS Edge. I could use one of the linked phones as a passkey (which I do with Shawn's addon for other XF installations I manage) but it would of course be easier to have this part working.

(Feel free to move this post to the Bug Reports area if not appropriate.)
 
So, a former admin from my site has his own site now using Discourse. I joined for a while and was commenting that he had passkeys which we did not. Lo and behold... :D
 