Enrollment
Passkey enrollment is the process of creating a new passkey credential on a device and registering the public key with the TYPO3 site.
Prerequisites
- The user must be logged in to a frontend session.
- The browser must support WebAuthn (all modern browsers do).
- HTTPS is required (or
localhost).
Enrolling a passkey
Users enroll passkeys from the NrPasskeysFe:Management plugin or the dedicated enrollment page:
- Navigate to the management page (or the enrollment interstitial).
- Click Register a new passkey.
- The browser opens the passkey creation dialog.
- Choose an authenticator (TouchID, Windows Hello, YubiKey, etc.).
- Optionally enter a name for the passkey (e.g. "MacBook Pro").
- Confirm with the biometric prompt.
- The passkey is registered and appears in the credential list.
Note
Multiple passkeys can be registered on different devices. This is recommended so users are not locked out if they lose a device.
Post-login enrollment interstitial
When the site enforcement level is required or enforced, users
who log in without a passkey are redirected to the enrollment page
before accessing the site. This interstitial:
- Explains why a passkey is required.
- Provides the enrollment form.
- Shows remaining grace period days (for
requiredlevel). - When the grace period expires or level is
enforced, skipping is disabled.
See Enforcement for details on configuring enforcement levels.
Naming passkeys
During enrollment, users can give each passkey a name. This name appears in the management panel to help users identify which authenticator each passkey belongs to (e.g. "iPhone 16", "YubiKey 5C NFC").
Names can be renamed later in the management panel.