Changelog 

0.6.0 

Features 

  • Per-group passkey enforcement with 4 levels: Off, Encourage, Required, Enforced
  • Configurable grace periods for Required enforcement (1 to 365 days)
  • PSR-15 interstitial middleware prompting users to register passkeys (skippable during grace period, mandatory after expiry)
  • Encourage-stage dismissible banner with passkey explanation, docs link, and administrator contact guidance (supports TYPO3 v12/v13/v14)
  • Admin dashboard backend module (Admin Tools > Passkey Management) with adoption statistics, per-group enforcement controls, and user list
  • Admin actions: Send Reminder (nudge), Clear Nudge, Revoke All
  • EnforcementLevel enum, EnforcementStatus DTO, EnforcementService, AdoptionStatsService
  • PasskeyBanner.js, PasskeyDashboard.js JavaScript modules
  • TCA fields passkey_enforcement and passkey_grace_period_days on be_groups
  • 5 new admin AJAX endpoints for enforcement and nudge management
  • 153 i18n translation units across 4 XLF files
  • Context-sensitive help tab in admin module with rollout guide, recovery procedures, MFA coexistence, and FAQ

0.5.0 

Features 

  • Per-user password login enforcement: disablePasswordLogin now blocks passwords only for users who have registered passkeys, enabling gradual onboarding without locking out new users
  • Deployment Scenarios documentation chapter covering multi-environment setup, database sync, user onboarding, and local DDEV development

0.4.0 

Features 

  • TYPO3 12.4 LTS support (PHP 8.2+ required)
  • Event listener registered via Services.yaml tag for v12 compatibility (#[AsEventListener] attribute retained for v13+)
  • PasskeyInfoElement DI-aware FormEngine node with setData() for v12 NodeFactory compatibility
  • CI matrix expanded with TYPO3 v12.4 test jobs
  • DDEV development environment includes v12 installation

0.3.0 

Features 

  • Inline name input for passkey registration: users can name their passkey before registering (defaults to "Passkey")
  • Accessible aria-label on the name input field
  • Input is disabled during registration and reset after success

Refactoring 

  • Rewrote PasskeyManagement.js from IIFE to ES module using TYPO3 native APIs: AjaxRequest, Notification, Modal, SeverityEnum, sudoModeInterceptor, DocumentService
  • Replaced PageRenderer::addJsFile() with loadJavaScriptModule()
  • Replaced inline style with CSS class

Fixes 

  • Escape label in removal confirmation modal (XSS prevention)
  • Defer DOM initialization with DocumentService.ready()
  • Resolve AjaxRequest responses and check status before showing success notifications

0.2.0 

Features 

  • Warn about short or missing TYPO3 encryption key in the passkey settings panel (minimum 32 characters required)
  • Include exception details in management API error responses for authenticated users

Documentation 

  • Added Troubleshooting section covering encryption key issues, HTTPS requirements, log location, and debug mode

0.1.0 

Initial release.

Features 

  • Passwordless backend authentication via WebAuthn/FIDO2 Passkeys
  • Passkey button injected into the standard TYPO3 login form via PSR-14 event listener (no login provider switching)
  • Support for TouchID, FaceID, YubiKey, Windows Hello, and other FIDO2-compliant authenticators
  • Authentication service at priority 80 (above standard password service)
  • Authentication data packed into userident field as JSON ($GLOBALS['TYPO3_REQUEST'] is null during auth chain)
  • Credential registration, listing, renaming, and removal for users
  • Admin API for listing and revoking credentials and for unlocking accounts
  • HMAC-SHA256 signed challenge tokens with nonce replay protection
  • Per-endpoint rate limiting by IP address
  • Account lockout after configurable failed attempt threshold
  • Discoverable login (usernameless, Conditional UI) behind feature flag
  • Option to disable password login entirely (passkey-only mode)
  • Configurable signing algorithms (ES256, ES384, ES512, RS256)
  • Configurable user verification requirement
  • User enumeration prevention with randomized timing
  • Soft delete and admin revocation with audit trails
  • Signature counter tracking for clone detection
  • Passkey-specific error message on failed login attempts via sessionStorage detection
  • Default audit log writer (WARNING+ to typo3temp/var/log/passkey_auth.log)
  • TYPO3 13.4 LTS and TYPO3 14.x compatibility
  • PHP 8.2, 8.3, 8.4, and 8.5 support
  • Comprehensive test suite (unit, fuzz, functional, JavaScript)
  • PSR-3 logging for all significant events