Passkeys Frontend Authentication


ADR-003: Triple Recovery Mechanisms (Password + Codes + Magic Link)

Status

Accepted

Date

2026-03-14

Decision-makers

Sebastian Mendel

Context

Passkey-first authentication creates a lockout risk when users lose access to their authenticator. The design principle is "recovery first" — no user should be permanently locked out because their phone broke.

Four approaches were considered, from minimal to maximal:

  A. Password fallback only
  B. Password + recovery codes
  C. Password + magic link
  D. All three: password + recovery codes + magic link

Decision

Option D: All three recovery mechanisms, phased.

  • v0.1 — Password fallback: Standard felogin password login remains available. Blocked only at the Enforced enforcement level.
  • v0.1 — Recovery codes: 10 one-time codes generated at passkey enrollment. Stored bcrypt-hashed; the plaintext is shown to the user once and never persisted. Format: XXXX-XXXX (alphanumeric).
  • v0.2 — Magic link: Email-based one-time login URL. 15-minute TTL, single-use. Requires TYPO3 mail configuration.

Each mechanism can be enabled/disabled per site via site configuration:

nr_passkeys_fe:
  enabledRecoveryMethods:
    - password
    - recovery_code
    - magic_link
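The v0.1 recovery-code mechanism described above (10 codes, XXXX-XXXX format, bcrypt-hashed, single-use), carried through as an added PHP example; this is not the extension's own code, and the character alphabet, function names and array-of-hashes storage shape are assumptions:

```php
<?php
// Added example, not the nr_passkeys_fe implementation. The ADR fixes the
// parameters (10 codes, XXXX-XXXX, bcrypt); alphabet, names and storage shape are assumed.

// Alphanumeric alphabet without 0/O and 1/I/L to cut transcription errors.
const RECOVERY_ALPHABET = 'ABCDEFGHJKMNPQRSTUVWXYZ23456789';
const RECOVERY_CODE_COUNT = 10;
// Normalize input so users may type lowercase or omit the dash.
function normalizeRecoveryCode(string $input): string
{
    return strtoupper((string) preg_replace('/[^A-Za-z0-9]/', '', $input));
}
// One XXXX-XXXX code from CSPRNG output (random_int, never rand/mt_rand).
function generateRecoveryCode(): string
{
    $max = strlen(RECOVERY_ALPHABET) - 1;
    $chars = '';
    for ($i = 0; $i < 8; $i++) {
        $chars .= RECOVERY_ALPHABET[random_int(0, $max)];
    }
    return substr($chars, 0, 4) . '-' . substr($chars, 4);
}
// At enrollment: return [plaintext codes shown to the user once, bcrypt hashes
// to persist]. Only the hashes ever reach the database.
function generateRecoveryCodeSet(): array
{
    $plain = [];
    $hashes = [];
    for ($i = 0; $i < RECOVERY_CODE_COUNT; $i++) {
        $code = generateRecoveryCode();
        $plain[] = $code;
        $hashes[] = password_hash(normalizeRecoveryCode($code), PASSWORD_BCRYPT, ['cost' => 12]);
    }
    return [$plain, $hashes];
}
// At recovery: check the submitted code against every stored hash and consume
// the match. Returns the remaining hashes to persist, or null if none matched.
// Each attempt costs up to 10 bcrypt verifications, so rate-limit the endpoint.
function consumeRecoveryCode(string $input, array $hashes): ?array
{
    $normalized = normalizeRecoveryCode($input);
    foreach ($hashes as $index => $hash) {
        if (password_verify($normalized, $hash)) {
            unset($hashes[$index]); // single use: the matched hash is gone
            return array_values($hashes);
        }
    }
    return null;
}
```

The caller persists the array returned by consumeRecoveryCode() so that a code cannot be replayed, and treats an empty array as "regenerate codes at next login".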

Consequences

Positive:

  • Maximum flexibility for different deployment scenarios
  • Per-site configurability covers diverse requirements
  • Phased delivery reduces v0.1 scope while planning for v0.2
  • Password fallback is free (felogin already handles it)

Negative:

  • Magic link adds complexity (email delivery, token management)
  • Three auth paths to secure and test
  • User confusion about which recovery method to use

Mitigation:

  • Magic link deferred to v0.2 (see ADR-011)
  • Clear recovery UI: show available methods based on site config
  • Each mechanism tested independently and in combination

Alternatives Considered

Options A-C: Each individually viable but less flexible. Enterprise deployments may disable password fallback entirely (compliance), making recovery codes or magic links essential. Consumer sites may prefer magic links over codes.

Last rendered: Mar 24, 2026 06:25

© since 2025 by Netresearch DTT GmbH