Enforcement 

The enforcement system controls how strongly passkeys are required for frontend users. Enforcement can be set at the site level and overridden per frontend user group.

Enforcement levels 

Four levels are available:

Off
Passkeys are completely optional. No prompts, banners, or interstitials. Users can log in with a password as normal.
Encourage
Users without a passkey see a dismissible banner after login suggesting they enroll one. No access is blocked. The banner can be dismissed and will not re-appear for the session.
Required
Users without a passkey see an enrollment interstitial after login. They can skip the interstitial during the grace period (configurable, default 14 days). After the grace period expires, they must enroll to continue.
Enforced
Users without a passkey cannot bypass the enrollment interstitial. Grace period skipping is disabled. This level is suitable for high-security sites.

Enforcement resolution 

The effective enforcement level for a user is determined by:

  1. Site configuration -- The site-level enforcementLevel setting (see Site Configuration).
  2. User group overrides -- Each frontend user group can have an enforcement level. The strictest level across all groups the user belongs to wins.
  3. Grace period -- The shortest grace period across applicable groups wins.

The EnforcementLevelResolvedEvent PSR-14 event allows listeners to further override the resolved level (see PSR-14 Events).

Configuring per-group enforcement 

In the TYPO3 backend:

  1. Go to Web > List and open the fe_groups record.
  2. The TCA record shows a Passkey Enforcement section.
  3. Set the enforcement level and grace period for the group.

Or use the backend module:

  1. Go to Admin Tools > Passkey Management FE.
  2. In the Enforcement tab, select a site.
  3. Adjust enforcement levels per group.

Interstitial behaviour 

When a user triggers the enrollment interstitial (level required or enforced):

  • The full-page interstitial is shown.
  • It explains why a passkey is required.
  • It shows the enrollment form (links to the enrollment page).
  • For required level: a Skip for now button is shown with the remaining grace period.
  • For enforced level: no skip button.
  • API endpoints, AJAX requests, and the login/logout pages are exempted from the interstitial.

Grace period tracking 

Grace periods are stored per user in the tx_nrpasskeysfe_credential table (first login timestamp). The enforcement middleware computes the expiry from firstLoginWithoutPasskey + gracePeriodDays.