netresearch / nr-passkeys-fe
Passkey-first TYPO3 frontend authentication for fe_users (WebAuthn/FIDO2). Enables passwordless login with TouchID, FaceID, YubiKey, Windows Hello. By Netresearch.
Maintainers
Package info
github.com/netresearch/t3x-nr-passkeys-fe
Type:typo3-cms-extension
pkg:composer/netresearch/nr-passkeys-fe
Requires
- php: ^8.2
- netresearch/nr-passkeys-be: ^0.6
- typo3/cms-backend: ^13.4 || ^14.1
- typo3/cms-core: ^13.4 || ^14.1
- typo3/cms-extbase: ^13.4 || ^14.1
- typo3/cms-fluid: ^13.4 || ^14.1
- typo3/cms-frontend: ^13.4 || ^14.1
Requires (Dev)
- dg/bypass-finals: ^1.9
- ergebnis/phpstan-rules: ^2.6
- giorgiosironi/eris: ^1.0
- netresearch/typo3-ci-workflows: ^1.1
README
Passkeys Frontend Authentication
TYPO3 extension for passwordless frontend authentication via WebAuthn/FIDO2 Passkeys.
Enables fe_users to log in with TouchID, FaceID, YubiKey, or Windows Hello -- no password
required.
Features
- Passkey-first login -- Discoverable (usernameless) and username-first flows via a standalone plugin
- felogin integration -- Injects a passkey button into the standard felogin plugin
- Self-service management -- Users can enroll, rename, and revoke their own passkeys from the frontend
- Recovery codes -- 10 one-time bcrypt-hashed recovery codes as a fallback
- Per-site RP ID -- Each TYPO3 site has an independent WebAuthn Relying Party configuration
- Per-group enforcement -- Four levels: Off, Encourage, Required, Enforced -- with configurable grace periods
- Post-login interstitial -- Enrollment prompt shown to users without a passkey when enforcement is active
- Backend admin module -- Adoption statistics, credential management, enforcement settings
- 7 PSR-14 events -- Before/after authentication, before/after enrollment, enforcement resolved, passkey removed, recovery codes generated
- Security hardened -- HMAC-signed challenges, nonce replay protection, per-IP rate limiting, account lockout
- Vanilla JavaScript -- Zero runtime npm dependencies; native WebAuthn browser API only
Requirements
- PHP 8.2+
- TYPO3 v13.4 LTS or v14.1+
netresearch/nr-passkeys-be^0.6 (installed automatically)- HTTPS (required by WebAuthn;
localhostworks for development)
DDEV Quick Start
For a working demo environment with preconfigured pages and users:
make up
Visit https://nr-passkeys-fe.ddev.site/ after setup.
Installation
composer require netresearch/nr-passkeys-fe vendor/bin/typo3 extension:activate nr_passkeys_be vendor/bin/typo3 extension:activate nr_passkeys_fe vendor/bin/typo3 database:updateschema
Quick Start
-
Include TypoScript in your site's root template:
@import 'EXT:nr_passkeys_fe/Configuration/TypoScript/setup.typoscript' @import 'EXT:nr_passkeys_fe/Configuration/TypoScript/constants.typoscript' plugin.tx_nrpasskeysfe.settings.loginPageUid = 42 plugin.tx_nrpasskeysfe.settings.managementPageUid = 43 plugin.tx_nrpasskeysfe.settings.enrollmentPageUid = 44 -
Add plugins to your pages:
- Login page: Passkeys Frontend Authentication > Login
- Management page: Passkeys Frontend Authentication > Management
- Enrollment page: Passkeys Frontend Authentication > Enrollment
-
Configure the site in
config/sites/my-site/config.yaml:settings: nr_passkeys_fe: rpId: 'your-domain.example' origin: 'https://your-domain.example' enforcementLevel: 'encourage' enrollmentPageUrl: '/passkey-setup'
Visit the login page and click Sign in with a passkey.
Documentation
Full documentation: docs.typo3.org/p/netresearch/nr-passkeys-fe/main/en-us/
License
GPL-2.0-or-later. See LICENSE.
Contributing
Issues and pull requests: github.com/netresearch/t3x-nr-passkeys-fe
See AGENTS.md for development setup, code style, and test commands.