netresearch / nr-passkeys-be
Passwordless TYPO3 backend authentication via Passkeys (WebAuthn/FIDO2) - by Netresearch
Maintainers
Package info
github.com/netresearch/t3x-nr-passkeys-be
Type:typo3-cms-extension
pkg:composer/netresearch/nr-passkeys-be
Requires
- php: ^8.2
- typo3/cms-backend: ^12.4 || ^13.4 || ^14.1
- typo3/cms-core: ^12.4 || ^13.4 || ^14.1
- typo3/cms-setup: ^12.4 || ^13.4 || ^14.1
- web-auth/webauthn-lib: ^5.2
Requires (Dev)
- captainhook/captainhook: ^5.28
- captainhook/hook-installer: ^1.0
- dg/bypass-finals: ^1.9
- ergebnis/phpstan-rules: ^2.6
- friendsofphp/php-cs-fixer: ^3.68
- infection/infection: ^0.32
- phpat/phpat: ^0.12.2
- phpstan/extension-installer: ^1.4
- phpstan/phpstan: ^2.1
- phpunit/phpunit: ^11.5
- saschaegerer/phpstan-typo3: ^3.0
- typo3/testing-framework: ^8.2 || ^9.0
- dev-main
- v0.6.0
- 0.5.0
- 0.4.1
- 0.4.0
- 0.3.0
- 0.2.0
- 0.1.1
- 0.1.0
- dev-fix/merge-group-trigger
- dev-chore/update-agents-v0.6.0
- dev-dependabot/github_actions/github-actions-c08ba737d8
- dev-fix/ter-publish-v-prefix
- dev-docs/release-0.6.0
- dev-feature/onboarding-ux
- dev-chore/harmonize-scripts
- dev-chore/centralize-ci-workflows
- dev-feat/openssf-silver-gold
- dev-feat/openssf-badge
- dev-fix/deployment-docs-per-user-accuracy
- dev-chore/bump-version-0.5.0
- dev-docs/deployment-scenarios
- dev-feat/per-user-password-enforcement
This package is auto-updated.
Last update: 2026-03-02 21:23:21 UTC
README
Passkeys Backend Authentication
Passwordless TYPO3 backend login via WebAuthn/FIDO2 Passkeys.
One-click authentication with TouchID, FaceID, YubiKey, and Windows Hello.
Overview
nr_passkeys_be replaces traditional password authentication in the TYPO3 backend with modern passkeys. It registers as a TYPO3 authentication service at priority 80, intercepting login requests before the standard password service. When passkey data is present, it performs full WebAuthn assertion verification. Otherwise, it falls through to password login (unless disabled).
| Extension key | nr_passkeys_be |
| Package | netresearch/nr-passkeys-be |
| TYPO3 | 12.4 LTS, 13.4 LTS, 14.x |
| PHP | 8.2, 8.3, 8.4, 8.5 |
| License | GPL-2.0-or-later |
Features
- Primary authentication -- Passkeys replace passwords, not just augment them
- Discoverable login -- Optional username-less login via resident credentials
- Per-group enforcement -- 4 levels (Off, Encourage, Required, Enforced) with configurable grace periods for gradual rollout
- Onboarding banner -- Dismissible banner with passkey explanation, docs link, and administrator contact for encouraged users
- Setup interstitial -- PSR-15 middleware prompts users to register passkeys after login (skippable during grace period)
- Admin dashboard -- Backend module with adoption stats, per-group enforcement controls, user list, and bulk actions
- Admin management -- Admins can list, revoke passkeys, send reminders, and unlock locked accounts
- Self-service -- Users register, rename, and remove their own passkeys in User Settings
- Rate limiting -- Per-endpoint and per-account lockout protection
- Replay protection -- HMAC-signed challenge tokens with single-use nonces
Supported Authenticators
| Platform | Authenticator |
|---|---|
| macOS / iOS | TouchID, FaceID |
| Windows | Windows Hello |
| Cross-platform | YubiKey, other FIDO2 security keys |
Installation
composer require netresearch/nr-passkeys-be
Activate the extension in the TYPO3 Extension Manager or via CLI:
vendor/bin/typo3 extension:activate nr_passkeys_be
Configuration
Extension settings are available in Admin Tools > Settings > Extension Configuration > nr_passkeys_be:
| Setting | Default | Description |
|---|---|---|
challengeTtlSeconds |
120 |
Challenge token lifetime in seconds |
discoverableLoginEnabled |
true |
Allow username-less login via resident credentials |
disablePasswordLogin |
false |
Block password login for users with registered passkeys |
rateLimitMaxAttempts |
10 |
Requests per IP per endpoint before rate limiting |
rateLimitWindowSeconds |
300 |
Rate limit window duration in seconds |
lockoutThreshold |
5 |
Failed login attempts before account lockout |
lockoutDurationSeconds |
900 |
Lockout duration in seconds (15 min) |
userVerification |
required |
WebAuthn user verification requirement |
allowedAlgorithms |
ES256 |
Comma-separated signing algorithms |
See Configuration documentation for all settings including rpId, rpName, and origin.
How It Works
The extension registers a TYPO3 authentication service at priority 80 (above SaltedPasswordService at 50). When passkey assertion data is present in the login request, it verifies the WebAuthn assertion. When no passkey data is present, it passes through to the next auth service (standard password login) unless password login is disabled.
API Endpoints
Login (public):
POST /passkeys/login/options-- Generate authentication challengePOST /passkeys/login/verify-- Verify passkey assertion
Self-Service (authenticated, AJAX routes):
POST /ajax/passkeys/manage/registration/options-- Generate registration challenge *POST /ajax/passkeys/manage/registration/verify-- Complete passkey registration *GET /ajax/passkeys/manage/list-- List own passkeysPOST /ajax/passkeys/manage/rename-- Rename a passkey label *POST /ajax/passkeys/manage/remove-- Remove a passkey *
Admin (admin-only, AJAX routes):
GET /ajax/passkeys/admin/list?beUserUid=N-- List any user's passkeysPOST /ajax/passkeys/admin/remove-- Revoke a user's passkey *POST /ajax/passkeys/admin/revoke-all-- Revoke all passkeys for a user *POST /ajax/passkeys/admin/unlock-- Unlock a locked-out user *POST /ajax/passkeys/admin/update-enforcement-- Update group enforcement level *POST /ajax/passkeys/admin/send-reminder-- Send passkey setup reminder *POST /ajax/passkeys/admin/clear-nudge-- Clear active nudge for a user *
Enforcement (authenticated, AJAX route):
GET /ajax/passkeys/enforcement/status-- Get enforcement status for banner
* Protected by TYPO3 Sudo Mode -- write operations require password re-verification (15 min grant lifetime).
Documentation
Full documentation is available in the Documentation/ directory, covering installation, configuration, administration, and developer guides.
Development
composer install # Code quality composer ci:test:php:cgl # Check code style (PER-CS3.0) composer ci:cgl # Fix code style composer ci:test:php:phpstan # PHPStan level 10 # Tests composer ci:test:php:unit # Unit tests composer ci:test:php:functional # Functional tests (requires MySQL) composer ci:test:php:all # All test suites composer ci:mutation # Mutation testing (MSI >= 80%) # Or use make make ci # Run lint + stan + unit + fuzz locally make up # Start DDEV with all TYPO3 versions make help # Show all available targets
Security
If you discover a security vulnerability, please report it responsibly. See SECURITY.md for details.
License
GPL-2.0-or-later. See LICENSE.
Developed and maintained by Netresearch DTT GmbH