Opened 8 weeks ago
Closed 8 weeks ago
#64735 closed enhancement (duplicate)
Add optional Passkey (WebAuthn/FIDO2) login support to WordPress
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
WordPress core authentication is still password-first. I’m requesting optional Passkey (WebAuthn/FIDO2) support in core so site owners can offer phishing-resistant login without relying on a plugin for the security-critical wp-login.php path.
Many users now have passkeys available via platform authenticators (Windows Hello / Touch ID / Android) and hardware security keys. Today, enabling passkeys in WordPress typically requires installing and trusting a third-party plugin that handles enrollment, verification, and login flow. A minimal core implementation (or at least a core WebAuthn service + hooks) would improve baseline security and provide a stable integration point for plugins.
Passkeys are increasingly the default login UX across platforms (Apple/Google/Microsoft ecosystems) and provide strong protection against credential phishing, password reuse, and many account-takeover vectors. For WordPress—powering a large portion of the web—first-class support would materially improve baseline security and user experience.
Proposed scope (MVP):
- Passkey registration in user profile
  - Add a “Passkeys” (or “Security keys / Passkeys”) section to /wp-admin/profile.php (and optionally user-edit.php)
  - Allow users to register one or more credentials
  - Allow basic management: list, rename/label, remove
  - Persist the minimum metadata needed for verification:
    - credential ID
    - public key
    - signature counter (sign count)
    - transports (optional)
    - created time / last used time (optional)
- Passkey login on wp-login.php
  - Add a secondary “Sign in with passkey” option on wp-login.php
  - Perform WebAuthn assertion and establish the normal WP auth session on success
  - Keep password login unchanged as fallback (at least initially)
- Extensibility hooks
  - Provide actions/filters so plugins can:
    - enforce passkey-only for certain roles/users
    - require passkey as step-up for sensitive actions (profile/email/password changes, etc.)
    - integrate with existing 2FA/security policy plugins without re-implementing WebAuthn verification
Notes / constraints:
- RP ID/origin handling must be correct (including multisite and subdirectory installs).
- Avoid user enumeration (login responses should not reveal whether a username has passkeys).
- Site migration where the RP ID changes will likely require re-enrollment; that’s acceptable but should be documented.
- Rate limiting should be considered similar to existing login protections (or via hooks).
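The following is an added illustration, not code from WordPress core or from this ticket: the server-side checks a "Sign in with passkey" handler has to perform on one WebAuthn assertion, covering the metadata the MVP list asks to persist (public key, sign count) and the RP ID / origin constraint above. The function name, the array keys and the `example.com` values are assumptions for the example; the stored public key is assumed to have been converted from COSE to PEM at registration time, and a simulated ES256 authenticator stands in for a real one.

```php
<?php
// Added example (not WordPress core code): verify a WebAuthn assertion for a
// passkey login. Names and keys below are assumptions chosen for illustration.
declare(strict_types=1);

function b64url_encode(string $bytes): string {
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function b64url_decode(string $text): string {
    $padded  = $text . str_repeat('=', (4 - strlen($text) % 4) % 4);
    $decoded = base64_decode(strtr($padded, '-_', '+/'), true);
    if ($decoded === false) {
        throw new RuntimeException('invalid base64url');
    }
    return $decoded;
}

/**
 * $assertion: base64url authenticatorData / clientDataJSON / signature from navigator.credentials.get()
 * $stored:    credential record with publicKeyPem and signCount (last value seen)
 * $expectedChallenge: raw single-use challenge bytes issued for this login attempt
 * $rpId:      registrable domain of the site host (the install subdirectory plays no role)
 * $origin:    scheme + host (+ port) the login page is served from
 * Returns the new sign count to persist. Throws on any failure; the caller maps every
 * failure to one generic login error so the response does not reveal whether the
 * account has passkeys at all.
 */
function verify_passkey_assertion(array $assertion, array $stored, string $expectedChallenge, string $rpId, string $origin): int
{
    $authData   = b64url_decode((string) ($assertion['authenticatorData'] ?? ''));
    $clientJson = b64url_decode((string) ($assertion['clientDataJSON'] ?? ''));
    $signature  = b64url_decode((string) ($assertion['signature'] ?? ''));

    // 1. clientDataJSON: ceremony type, challenge and origin must match what we issued.
    $client = json_decode($clientJson, true, 8, JSON_THROW_ON_ERROR);
    if (($client['type'] ?? '') !== 'webauthn.get') {
        throw new RuntimeException('unexpected ceremony type');
    }
    if (!hash_equals($expectedChallenge, b64url_decode((string) ($client['challenge'] ?? '')))) {
        throw new RuntimeException('challenge mismatch');
    }
    if (($client['origin'] ?? '') !== $origin) {
        throw new RuntimeException('origin mismatch');
    }

    // 2. authenticatorData layout: rpIdHash(32) | flags(1) | signCount(4, big-endian) | ...
    if (strlen($authData) < 37) {
        throw new RuntimeException('authenticatorData too short');
    }
    if (!hash_equals(hash('sha256', $rpId, true), substr($authData, 0, 32))) {
        throw new RuntimeException('RP ID hash mismatch');
    }
    $flags = ord($authData[32]);
    if (($flags & 0x01) === 0) { // UP (user present); also require 0x04 (UV) if userVerification=required
        throw new RuntimeException('user presence not asserted');
    }
    $signCount = unpack('N', substr($authData, 33, 4))[1];

    // 3. The signature covers authenticatorData || SHA-256(clientDataJSON).
    $publicKey = openssl_pkey_get_public($stored['publicKeyPem']);
    $signed    = $authData . hash('sha256', $clientJson, true);
    if ($publicKey === false || openssl_verify($signed, $signature, $publicKey, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('signature verification failed');
    }

    // 4. Sign counter: if either value is non-zero it must strictly increase, otherwise
    //    the assertion may be a replay or come from a cloned authenticator.
    if (($signCount !== 0 || $stored['signCount'] !== 0) && $signCount <= $stored['signCount']) {
        throw new RuntimeException('sign count did not increase');
    }
    return $signCount;
}

// --- Constructed demo: a simulated ES256 authenticator answers one challenge. ---
$rpId      = 'example.com';
$origin    = 'https://example.com';
$challenge = random_bytes(32); // issued by the server and kept server-side for this attempt
$key       = openssl_pkey_new(['curve_name' => 'prime256v1', 'private_key_type' => OPENSSL_KEYTYPE_EC]);
$stored    = ['publicKeyPem' => openssl_pkey_get_details($key)['key'], 'signCount' => 41];

$clientJson = json_encode(['type' => 'webauthn.get', 'challenge' => b64url_encode($challenge), 'origin' => $origin]);
$authData   = hash('sha256', $rpId, true) . chr(0x01) . pack('N', 42);
openssl_sign($authData . hash('sha256', $clientJson, true), $sig, $key, OPENSSL_ALGO_SHA256);
$assertion  = ['authenticatorData' => b64url_encode($authData), 'clientDataJSON' => b64url_encode($clientJson), 'signature' => b64url_encode($sig)];

$newCount = verify_passkey_assertion($assertion, $stored, $challenge, $rpId, $origin);
echo "accepted, persist signCount={$newCount}", PHP_EOL;

// The same assertion presented a second time (stored count already updated) is refused.
try {
    verify_passkey_assertion($assertion, ['publicKeyPem' => $stored['publicKeyPem'], 'signCount' => $newCount], $challenge, $rpId, $origin);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Two design points follow from the constraints listed above. The RP ID is compared only as a SHA-256 hash inside authenticatorData, so a multisite install that serves several hosts needs to pick the RP ID per request from the actual host, and a site whose host changes will fail this check until users re-enrol, which is the re-enrollment case the ticket mentions. For the enumeration concern, a discoverable-credential (passkey) flow can issue the assertion options with an empty `allowCredentials` list and no username, so the server never has to answer "does this user have passkeys" before a signed assertion arrives; synced passkeys also commonly report a sign count of 0, which is why step 4 only enforces the increase when one of the two counters is non-zero.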
Reference:
- WebAuthn Level 2 spec: https://www.w3.org/TR/webauthn-2/
Thanks for the report @haozi. I'll close this as a duplicate of #55950 although there's yet to be any real discussion on this being added to core. There are links to several plugins on that ticket.