netresearch / nr-passkeys-be
Passwordless TYPO3 backend authentication via Passkeys (WebAuthn/FIDO2) - by Netresearch
Type: typo3-cms-extension
pkg:composer/netresearch/nr-passkeys-be
Requires
- php: ^8.2
- typo3/cms-backend: ^13.4 || ^14.1
- typo3/cms-core: ^13.4 || ^14.1
- typo3/cms-setup: ^13.4 || ^14.1
- web-auth/webauthn-lib: ^5.2
Requires (Dev)
- captainhook/captainhook: ^5.28
- captainhook/hook-installer: ^1.0
- dg/bypass-finals: ^1.9
- ergebnis/phpstan-rules: ^2.6
- friendsofphp/php-cs-fixer: ^3.68
- infection/infection: ^0.32
- phpat/phpat: ^0.12.2
- phpstan/extension-installer: ^1.4
- phpstan/phpstan: ^2.1
- phpunit/phpunit: ^11.5
- saschaegerer/phpstan-typo3: ^2.0
- typo3/testing-framework: ^9.0
- dev-main
- 0.3.0
- 0.2.0
- 0.1.1
- 0.1.0
- dev-chore/docs-js-ci-update
- dev-feat/passkey-name-input
- dev-refactor/10-typo3-native-js-apis
- dev-fix/7-error-handling-diagnostics
- dev-fix/error-visibility-7
- dev-feat/typed-dtos-final-classes
- dev-feature/admin-passkey-management
- dev-fix/inline-passkey-label-input
- dev-dependabot/composer/dependencies-3ac12bfd80
- dev-renovate/configure
This package is auto-updated.
Last update: 2026-02-12 22:48:45 UTC
README
Passkeys Backend Authentication
Passwordless TYPO3 backend login via WebAuthn/FIDO2 Passkeys.
One-click authentication with TouchID, FaceID, YubiKey, and Windows Hello.
Overview
nr_passkeys_be replaces traditional password authentication in the TYPO3 backend with modern passkeys. It registers as a TYPO3 authentication service at priority 80, intercepting login requests before the standard password service. When passkey data is present, it performs full WebAuthn assertion verification. Otherwise, it falls through to password login (unless disabled).
| | |
|---|---|
| Extension key | nr_passkeys_be |
| Package | netresearch/nr-passkeys-be |
| TYPO3 | 13.4 LTS, 14.x |
| PHP | 8.2, 8.3, 8.4, 8.5 |
| License | GPL-2.0-or-later |
Features
- Primary authentication -- Passkeys replace passwords, not just augment them
- Discoverable login -- Optional username-less login via resident credentials
- Admin management -- Admins can list and revoke passkeys and unlock locked accounts
- Self-service -- Users register, rename, and remove their own passkeys
- Rate limiting -- Per-endpoint and per-account lockout protection
- Replay protection -- HMAC-signed challenge tokens with single-use nonces
Supported Authenticators
| Platform | Authenticator |
|---|---|
| macOS / iOS | TouchID, FaceID |
| Windows | Windows Hello |
| Cross-platform | YubiKey, other FIDO2 security keys |
Installation
composer require netresearch/nr-passkeys-be
Activate the extension in the TYPO3 Extension Manager or via CLI:
vendor/bin/typo3 extension:activate nr_passkeys_be
Configuration
Extension settings are available in Admin Tools > Settings > Extension Configuration > nr_passkeys_be:
| Setting | Default | Description |
|---|---|---|
| challengeTtl | 120 | Challenge token lifetime in seconds |
| maxFailedAttempts | 5 | Failed login attempts before account lockout |
| lockoutDuration | 900 | Lockout duration in seconds (15 min) |
| disablePasswordLogin | false | Block password login when passkey is registered |
| discoverableLoginEnabled | true | Allow username-less login via resident credentials |
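The replay protection listed under Features (HMAC-signed challenge tokens with single-use nonces) and the challengeTtl setting in the table above fit together as shown in the following PHP example. It is added here for illustration and is not code from nr_passkeys_be; the class name, the token layout and the in-memory nonce store are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not nr_passkeys_be code: class name, token layout and nonce store are assumptions.
final class ChallengeTokenExample
{
    /** @var array<string,int> nonce => expiry; stands in for a cache shared by all workers */
    private array $usedNonces = [];

    public function __construct(private string $secret, private int $challengeTtl = 120) {}

    public function issue(int $now): string
    {
        $body = base64_encode(json_encode([
            'challenge' => base64_encode(random_bytes(32)),
            'nonce' => bin2hex(random_bytes(16)),
            'exp' => $now + $this->challengeTtl,
        ], JSON_THROW_ON_ERROR));
        return $body . '.' . hash_hmac('sha256', $body, $this->secret);
    }

    /** Returns the challenge once per valid token; null if forged, expired or replayed. */
    public function consume(string $token, int $now): ?string
    {
        // A token without a "." gets an empty MAC and fails the comparison below.
        [$body, $mac] = explode('.', $token, 2) + [1 => ''];
        // Verify the MAC in constant time before decoding any attacker-supplied data.
        if (!hash_equals(hash_hmac('sha256', $body, $this->secret), $mac)) {
            return null;
        }
        $data = json_decode((string) base64_decode($body, true), true);
        if (!is_array($data) || !is_int($data['exp'] ?? null) || $now >= $data['exp']) {
            return null;
        }
        $nonce = $data['nonce'] ?? null;
        if (!is_string($nonce) || isset($this->usedNonces[$nonce])) {
            return null; // nonce already spent: replay
        }
        $this->usedNonces[$nonce] = $data['exp']; // remember only until the token expires
        return is_string($data['challenge'] ?? null) ? $data['challenge'] : null;
    }
}

$tokens = new ChallengeTokenExample(random_bytes(32)); // constructed key, per process
$t0 = 1_700_000_000;                                   // constructed timestamp
$token = $tokens->issue($t0);
var_dump($tokens->consume($token, $t0 + 10));               // first presentation
var_dump($tokens->consume($token, $t0 + 11));               // same token again
var_dump($tokens->consume($tokens->issue($t0), $t0 + 120)); // presented at expiry
```

The challenge returned by consume() is the value the server then compares with the challenge inside the authenticator's signed clientDataJSON during assertion verification. A real deployment needs the spent-nonce store to be shared across PHP workers and pruned as entries expire.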
How It Works
The extension registers a TYPO3 authentication service at priority 80 (above SaltedPasswordService at 50). When passkey assertion data is present in the login request, it verifies the WebAuthn assertion. When no passkey data is present, it passes through to the next auth service (standard password login) unless password login is disabled.
API Endpoints
Login (public):
- POST /passkeys/login/options -- Generate authentication challenge
- POST /passkeys/login/verify -- Verify passkey assertion
Self-Service (authenticated, AJAX routes):
- POST /ajax/passkeys/manage/registration/options -- Generate registration challenge *
- POST /ajax/passkeys/manage/registration/verify -- Complete passkey registration *
- GET /ajax/passkeys/manage/list -- List own passkeys
- POST /ajax/passkeys/manage/rename -- Rename a passkey label *
- POST /ajax/passkeys/manage/remove -- Remove a passkey *
Admin (admin-only, AJAX routes):
- GET /ajax/passkeys/admin/list?beUserUid=N -- List any user's passkeys
- POST /ajax/passkeys/admin/remove -- Revoke a user's passkey *
- POST /ajax/passkeys/admin/unlock -- Unlock a locked-out user *
* Protected by TYPO3 Sudo Mode -- write operations require password re-verification (15 min grant lifetime).
Documentation
Full documentation is available in the Documentation/ directory, covering installation, configuration, administration, and developer guides.
Development
```bash
composer install

# Code quality
composer ci:lint:php             # Check code style (PER-CS3.0)
composer ci:lint:php:fix         # Fix code style
composer ci:stan                 # PHPStan level 10

# Tests
composer ci:test:php:unit        # Unit tests
composer ci:test:php:functional  # Functional tests (requires MySQL)
composer ci:test:php:all         # All test suites
composer ci:mutation             # Mutation testing (MSI >= 80%)

# Or use make
make ci                          # Run lint + stan + unit + fuzz locally
make up                          # Start DDEV with all TYPO3 versions
make help                        # Show all available targets
```
Security
If you discover a security vulnerability, please report it responsibly. See SECURITY.md for details.
License
GPL-2.0-or-later. See LICENSE.
Developed and maintained by Netresearch DTT GmbH