Introduction 

What does it do? 

Passkeys Backend Authentication provides passwordless authentication for the TYPO3 backend using the WebAuthn/FIDO2 standard (Passkeys). Backend users can log in with a single touch or glance using biometric authenticators such as TouchID, FaceID, Windows Hello, or hardware security keys like YubiKey.

The passkey button is injected directly into the standard TYPO3 login form via a PSR-14 event listener -- no login provider switching needed. Users see the familiar login page with a "Sign in with a passkey" button below the "Login" button.

Passkeys are a modern, phishing-resistant replacement for passwords. They use public-key cryptography: the private key never leaves the user's device, and the server only stores a public key. This eliminates the risk of credential theft through phishing or database breaches.

Features 

Passwordless login 

Authenticate with TouchID, FaceID, YubiKey, or Windows Hello instead of a password. Injected directly into the standard TYPO3 login form.

Primary credential 

Passkeys are a first-class authentication method (not MFA). The extension registers at priority 80, above the standard password service.

Credential management 

Users can register, rename, and remove their own passkeys through the TYPO3 User Settings module.

Admin panel 

Administrators can list, revoke, and manage passkeys for any backend user, and unlock locked-out accounts.

Discoverable login 

Optional usernameless login (Conditional UI) where the browser auto-suggests available passkeys. Controlled via extension settings.

Security hardened 

HMAC-signed challenges with nonce replay protection, rate limiting by IP, account lockout, user enumeration prevention, and audit logging.

Configurable algorithms 

Supports ES256, ES384, ES512, and RS256 signing algorithms. Configurable user verification requirement.

TYPO3 v13 and v14 

Compatible with TYPO3 13.4 LTS and TYPO3 14.x. PHP 8.2, 8.3, 8.4, and 8.5 supported.
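
The "HMAC-signed challenges with nonce replay protection" item under "Security hardened", sketched as an added PHP example. It is not the extension's own code; the class name, token layout, 120-second lifetime and in-memory nonce store are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Illustration only: class name, token layout and TTL are assumptions,
// not the extension's implementation.
final class SignedChallenge
{
    /** @var array<string,int> nonce => expiry; stands in for a shared cache */
    private array $seen = [];

    public function __construct(private string $secret, private int $ttl = 120) {}

    /** Issue "<base64 payload>.<hex HMAC>" carrying challenge, nonce and expiry. */
    public function issue(?int $now = null): string
    {
        $body = base64_encode(json_encode([
            'c' => base64_encode(random_bytes(32)), // WebAuthn challenge
            'n' => bin2hex(random_bytes(16)),       // single-use nonce
            'e' => ($now ?? time()) + $this->ttl,   // expiry timestamp
        ], JSON_THROW_ON_ERROR));
        return $body . '.' . hash_hmac('sha256', $body, $this->secret);
    }

    /** Return the challenge bytes, or null when the token must be rejected. */
    public function redeem(string $token, ?int $now = null): ?string
    {
        if (substr_count($token, '.') !== 1) {
            return null;
        }
        [$body, $mac] = explode('.', $token);
        // Check the MAC in constant time before decoding anything.
        if (!hash_equals(hash_hmac('sha256', $body, $this->secret), $mac)) {
            return null;
        }
        $data = json_decode((string)base64_decode($body, true), true);
        if (!is_array($data) || $data['e'] < ($now ?? time()) || isset($this->seen[$data['n']])) {
            return null; // malformed, expired, or nonce already consumed
        }
        $this->seen[$data['n']] = $data['e']; // entry can be purged after expiry
        return base64_decode($data['c'], true) ?: null;
    }
}

$sc = new SignedChallenge(random_bytes(32)); // constructed key for the demo
$token = $sc->issue();
var_dump($sc->redeem($token) !== null);           // fresh token
var_dump($sc->redeem($token));                    // same token replayed
var_dump($sc->redeem($token . '0'));              // MAC altered
var_dump($sc->redeem($sc->issue(time() - 3600))); // issued an hour ago
```

Because a PHP array only lives for one request, a real deployment needs the nonce store in a shared cache or database so that a replay arriving in a later request is still recognised.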

Supported authenticators 

Any FIDO2/WebAuthn-compliant authenticator works, including:

  • Apple TouchID and FaceID (macOS, iOS, iPadOS)
  • Windows Hello (fingerprint, face, PIN)
  • YubiKey 5 series and newer
  • Android fingerprint and face unlock
  • Any FIDO2-compliant hardware security key

Browser support 

WebAuthn is supported by all modern browsers:

Browser              Version
Chrome / Edge        67+
Firefox              60+
Safari               14+
Chrome for Android   70+
Safari for iOS       14.5+