netresearch / nr-passkeys-be
Passwordless TYPO3 backend authentication via Passkeys (WebAuthn/FIDO2) - by Netresearch
Maintainers
Package info
github.com/netresearch/t3x-nr-passkeys-be
Type:typo3-cms-extension
pkg:composer/netresearch/nr-passkeys-be
Requires
- php: ^8.2
- typo3/cms-backend: ^12.4 || ^13.4 || ^14.1
- typo3/cms-core: ^12.4 || ^13.4 || ^14.1
- typo3/cms-setup: ^12.4 || ^13.4 || ^14.1
- web-auth/webauthn-lib: ^5.2
Requires (Dev)
- dg/bypass-finals: ^1.9
- ergebnis/phpstan-rules: ^2.6
- friendsofphp/php-cs-fixer: ^3.68
- netresearch/typo3-ci-workflows: ^1.2
- phpat/phpat: ^0.12
- phpstan/extension-installer: ^1.4
- phpstan/phpstan: ^2.1
- phpstan/phpstan-deprecation-rules: ^2.0
- phpstan/phpstan-phpunit: ^2.0
- phpstan/phpstan-strict-rules: ^2.0
- phpunit/phpunit: ^10.5 || ^11.5
- typo3/testing-framework: ^8.2 || ^9.0
- dev-main
- v0.8.2
- v0.8.1
- v0.8.0
- v0.7.0
- v0.6.0
- 0.5.0
- 0.4.1
- 0.4.0
- 0.3.0
- 0.2.0
- 0.1.1
- 0.1.0
- dev-release/v0.8.2
- dev-fix/docs-render-symlink
- dev-release/v0.8.1
- dev-chore/adopt-release-orchestrator
- dev-release/v0.8.0
- dev-feature/skip-mfa-on-passkey-auth
- dev-fix/e2e-triage-fixme-broken-specs
- dev-release/v0.7.0
- dev-fix/phpstan-iconsize-v12-compat
- dev-feature/dashboard-ux-improvements
- dev-chore/centralize-ci-workflows
This package is auto-updated.
Last update: 2026-04-23 12:35:47 UTC
README
Passkeys Backend Authentication
Passwordless TYPO3 backend login via WebAuthn/FIDO2 Passkeys.
One-click authentication with TouchID, FaceID, YubiKey, and Windows Hello.
Overview
nr_passkeys_be replaces traditional password authentication in the TYPO3 backend with modern passkeys. It registers as a TYPO3 authentication service at priority 80, intercepting login requests before the standard password service. When passkey data is present, it performs full WebAuthn assertion verification. Otherwise, it falls through to password login (unless disabled).
| Extension key | nr_passkeys_be |
| Package | netresearch/nr-passkeys-be |
| TYPO3 | 12.4 LTS, 13.4 LTS, 14.x |
| PHP | 8.2, 8.3, 8.4, 8.5 |
| License | GPL-2.0-or-later |
Features
- Primary authentication -- Passkeys replace passwords, not just augment them
- Discoverable login -- Optional username-less login via resident credentials
- Per-group enforcement -- 4 levels (Off, Encourage, Required, Enforced) with configurable grace periods for gradual rollout
- Onboarding banner -- Dismissible banner with passkey explanation, docs link, and administrator contact for encouraged users
- Setup interstitial -- PSR-15 middleware prompts users to register passkeys after login (skippable during grace period)
- Admin dashboard -- Backend module with adoption stats, per-group enforcement controls, user list, and bulk actions
- Admin management -- Admins can list, revoke passkeys, send reminders, and unlock locked accounts
- Self-service -- Users register, rename, and remove their own passkeys in User Settings
- Rate limiting -- Per-endpoint and per-account lockout protection
- Replay protection -- HMAC-signed challenge tokens with single-use nonces
Supported Authenticators
| Platform | Authenticator |
|---|---|
| macOS / iOS | TouchID, FaceID |
| Windows | Windows Hello |
| Cross-platform | YubiKey, other FIDO2 security keys |
Installation
composer require netresearch/nr-passkeys-be
Activate the extension in the TYPO3 Extension Manager or via CLI:
vendor/bin/typo3 extension:activate nr_passkeys_be
Quick Start
After installation, follow these steps:
-
Review extension settings — Go to Admin Tools > Settings > Extension Configuration > nr_passkeys_be and verify the Relying Party settings (
rpId,rpName,origin). The defaults auto-detect from your domain, which works for most single-domain setups. -
Open the Passkey Management module — Navigate to Admin Tools > Passkey Management. The Dashboard shows adoption statistics and the Help tab provides a full rollout guide with recovery procedures and FAQ.
-
Register your own passkey — Go to User Settings > Passkeys and register a passkey to verify the setup works on your device.
-
Enable enforcement for a pilot group — On the Dashboard, set a small group (e.g., your admin team) to Encourage. Users will see a dismissible banner prompting them to set up a passkey.
-
Roll out gradually — Progress through Encourage → Required → Enforced as adoption grows. See the Help tab in the backend module for the complete rollout guide.
Full documentation: docs.typo3.org/p/netresearch/nr-passkeys-be · Configuration reference
Passkeys & MFA
Passkeys are inherently multi-factor: they combine something you have (your device) with something you are (biometric) or something you know (device PIN). They are also phishing-resistant — the credential is cryptographically bound to the origin.
For most TYPO3 backends, passkeys alone are more secure than password + TOTP. The FIDO Alliance and W3C consider passkeys a stronger replacement for password + OTP. Adding TYPO3's MFA on top is optional defence-in-depth, not a requirement.
Consider keeping MFA enabled alongside passkeys only if:
- Your security policy explicitly mandates independent factors (e.g., PCI-DSS)
- Your threat model includes authenticator device compromise
See the Help tab in Admin Tools > Passkey Management for details on MFA coexistence and middleware processing order.
Configuration
Extension settings are available in Admin Tools > Settings > Extension Configuration > nr_passkeys_be:
| Setting | Default | Description |
|---|---|---|
rpId |
(auto-detect) | Relying Party domain (e.g., example.com) |
rpName |
TYPO3 Backend |
Display name shown during passkey registration |
origin |
(auto-detect) | Full origin URL (e.g., https://example.com) |
challengeTtlSeconds |
120 |
Challenge token lifetime in seconds |
discoverableLoginEnabled |
true |
Allow username-less login via resident credentials |
disablePasswordLogin |
false |
Block password login for users with registered passkeys |
rateLimitMaxAttempts |
10 |
Requests per IP per endpoint before rate limiting |
rateLimitWindowSeconds |
300 |
Rate limit window duration in seconds |
lockoutThreshold |
5 |
Failed login attempts (per IP) before account lockout |
lockoutUserThreshold |
15 |
Failed login attempts (per username, all IPs) before account lockout |
lockoutDurationSeconds |
900 |
Lockout duration in seconds (15 min) |
userVerification |
required |
WebAuthn user verification requirement |
allowedAlgorithms |
ES256 |
Comma-separated signing algorithms |
See the Configuration documentation for detailed descriptions of each setting.
How It Works
The extension registers a TYPO3 authentication service at priority 80 (above SaltedPasswordService at 50). When passkey assertion data is present in the login request, it verifies the WebAuthn assertion. When no passkey data is present, it passes through to the next auth service (standard password login) unless password login is disabled.
API Endpoints
Login (public):
POST /passkeys/login/options-- Generate authentication challengePOST /passkeys/login/verify-- Verify passkey assertion
Self-Service (authenticated, AJAX routes):
POST /ajax/passkeys/manage/registration/options-- Generate registration challenge *POST /ajax/passkeys/manage/registration/verify-- Complete passkey registration *GET /ajax/passkeys/manage/list-- List own passkeysPOST /ajax/passkeys/manage/rename-- Rename a passkey label *POST /ajax/passkeys/manage/remove-- Remove a passkey *
Admin (admin-only, AJAX routes):
GET /ajax/passkeys/admin/list?beUserUid=N-- List any user's passkeysPOST /ajax/passkeys/admin/remove-- Revoke a user's passkey *POST /ajax/passkeys/admin/revoke-all-- Revoke all passkeys for a user *POST /ajax/passkeys/admin/unlock-- Unlock a locked-out user *POST /ajax/passkeys/admin/update-enforcement-- Update group enforcement level *POST /ajax/passkeys/admin/send-reminder-- Send passkey setup reminder *POST /ajax/passkeys/admin/clear-nudge-- Clear active nudge for a user *
Enforcement (authenticated, AJAX route):
GET /ajax/passkeys/enforcement/status-- Get enforcement status for banner
* Protected by TYPO3 Sudo Mode -- write operations require password re-verification (15 min grant lifetime).
Documentation
- Online documentation: docs.typo3.org/p/netresearch/nr-passkeys-be
- In the backend: Admin Tools > Passkey Management > Help tab (rollout guide, recovery, FAQ)
- Source: Documentation/ directory (RST format)
Development
composer install # Code quality composer ci:test:php:cgl # Check code style (PER-CS3.0) composer ci:cgl # Fix code style composer ci:test:php:phpstan # PHPStan level 10 # Tests composer ci:test:php:unit # Unit tests composer ci:test:php:functional # Functional tests (requires MySQL) composer ci:test:php:all # All test suites composer ci:mutation # Mutation testing (MSI >= 80%) # Or use make make ci # Run lint + stan + unit + fuzz locally make up # Start DDEV with all TYPO3 versions make help # Show all available targets
Security
If you discover a security vulnerability, please report it responsibly. See SECURITY.md for details.
License
GPL-2.0-or-later. See LICENSE.
Developed and maintained by Netresearch DTT GmbH