Changelog 

Version 0.1.0 

Initial release

This is the first public release of Passkeys Frontend Authentication (nr_passkeys_fe). It provides passkey-first login for TYPO3 frontend users with all core features.

Features 

  • Passkey-first login -- Discoverable (usernameless) and username-first login flows via the NrPasskeysFe:Login plugin. Supports all FIDO2/WebAuthn-compliant authenticators.
  • felogin integration -- Injects a passkey button into the standard felogin plugin via PSR-14 event listener. No login provider switching required.
  • Self-service management -- Frontend users can enroll, rename, and revoke their own passkeys via the NrPasskeysFe:Management plugin.
  • Recovery codes -- Users can generate 10 one-time recovery codes (bcrypt hashed) as a fallback when no authenticator device is available.
  • Per-site RP ID -- Each TYPO3 site has an independent WebAuthn Relying Party configuration via config.yaml.
  • Per-group enforcement -- Four enforcement levels (Off, Encourage, Required, Enforced) configurable per site and per frontend user group with configurable grace periods.
  • Post-login interstitial -- Users without a passkey are shown an enrollment interstitial when enforcement level is Required or Enforced.
  • Backend admin module -- Administrators can view adoption statistics, manage credentials, and configure enforcement from Admin Tools > Passkey Management FE.
  • PSR-14 events -- Eight events for extensibility: before/after authentication, before/after enrollment, enforcement level resolved, passkey removed, recovery codes generated, magic link requested.
  • Security hardened -- HMAC-signed challenges, nonce replay protection, per-IP rate limiting, and account lockout (shared with nr-passkeys-be).
  • Vanilla JavaScript -- Zero runtime npm dependencies. The frontend JavaScript uses only the native WebAuthn browser API.

Requirements 

  • TYPO3 13.4 LTS or 14.1+
  • PHP 8.2+
  • netresearch/nr-passkeys-be ^0.6
  • HTTPS

Known limitations 

  • Magic link login is deferred to v0.2 (ADR-011). The MagicLinkRequestedEvent is emitted but no email is sent by default.
  • No admin-initiated passkey registration on behalf of users.