Following up on "Support passwordless login with Passkeys" and a few weeks of internal testing, we are happy to announce that support for passkeys has now landed in Discourse.
What are passkeys
Passkeys are a safer, simpler alternative to using passwords for authentication. Creating and using a passkey is now widely supported across platforms and browsers. Compared to passwords, passkeys have better built-in safety due to strong platform-generated credentials and biometric identity validation (like Touch ID, Face ID, PIN or device password). Passkeys are also safe from server-side leaks (the private portion of the key never leaves the device) and from phishing (each key is linked with one website/service only).
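The site binding described above is enforced by the server when it verifies a login assertion. The following is an added example, not Discourse's own code: a simplified WebAuthn-style check in Ruby, with hypothetical host names, a constructed authenticator stand-in, and no CBOR parsing or sign-counter handling.

```ruby
require "json"
require "openssl"
require "securerandom"

def sha256(data)
  OpenSSL::Digest::SHA256.digest(data)
end

# Stand-in for browser + authenticator (constructed for this example). The browser,
# not the page's script, writes `origin`; the authenticator hashes the RP ID.
def sign_assertion(key, rp_id:, origin:, challenge:)
  client_data = JSON.generate(type: "webauthn.get", challenge: challenge, origin: origin)
  auth_data = sha256(rp_id) + [0x05, 1].pack("CN") # flags UP|UV, signCount = 1
  signature = key.sign(OpenSSL::Digest.new("SHA256"), auth_data + sha256(client_data))
  { client_data: client_data, auth_data: auth_data, signature: signature }
end

# Relying-party (server) checks on a login assertion.
def verify_assertion(a, public_key:, rp_id:, origin:, challenge:)
  cd = JSON.parse(a[:client_data])
  return :wrong_type unless cd["type"] == "webauthn.get"
  return :challenge_mismatch unless cd["challenge"] == challenge
  return :origin_mismatch unless cd["origin"] == origin
  return :rp_id_mismatch unless a[:auth_data].byteslice(0, 32) == sha256(rp_id)
  return :user_not_present if (a[:auth_data].getbyte(32) & 0x01).zero?
  signed = a[:auth_data] + sha256(a[:client_data])
  public_key.verify(OpenSSL::Digest.new("SHA256"), a[:signature], signed) ? :ok : :bad_signature
end

def demo
  key = OpenSSL::PKey::EC.generate("prime256v1") # a real server stores only the public half
  site = { rp_id: "forum.example", origin: "https://forum.example" } # hypothetical site
  lookalike = { rp_id: "forum-example.test", origin: "https://forum-example.test" }
  challenge = SecureRandom.urlsafe_base64(32)
  expect = site.merge(public_key: key, challenge: challenge)
  genuine = sign_assertion(key, **site, challenge: challenge)
  other_key = OpenSSL::PKey::EC.generate("prime256v1")
  {
    genuine: verify_assertion(genuine, **expect),
    relayed_from_lookalike: verify_assertion(sign_assertion(key, **lookalike, challenge: challenge), **expect),
    wrong_rp_hash: verify_assertion(sign_assertion(key, **site.merge(rp_id: lookalike[:rp_id]), challenge: challenge), **expect),
    stale_challenge: verify_assertion(genuine, **expect.merge(challenge: "old")),
    wrong_key: verify_assertion(sign_assertion(other_key, **site, challenge: challenge), **expect),
  }
end

p demo
```

In a real browser the authenticator would not offer the credential to the look-alike host at all; the server-side checks shown here are the second layer that rejects a relayed response.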
Feature Rollout
If you are a hosted customer, passkeys support will be rolled out to your instance over the next few days. If you’d like to enable them right now, please reach out to @team here on meta or via email to team@discourse.org.
If you are self-hosting Discourse, note that the feature will be enabled by default in Discourse core shortly. If you would like to be an early adopter, you can enable the feature now via the Rails console:
launcher enter app
rails c
SiteSetting.enable_passkeys = true
Note that passkeys can only be used on Discourse instances with local logins enabled. If your instance doesn’t use local logins, the passkeys feature has no effect.
Once the feature is enabled, users can add passkeys to their account by going to the security tab of their user preferences.
Once a passkey is registered, users can log in with it via the autofill dropdown under the username field (1) or by clicking on the “Login with a passkey” button (2).
More details
There are numerous resources and guides available on passkeys. I have found the following to be the most useful:
- https://passkeys.dev/ maintained by the W3C has a great chart detailing device support
- Google provides a comprehensive developer guide
- Apple’s Passkeys Overview on Apple Developer is useful
- Password managers offer informative guides, too, see 1Password on passkeys or Bitwarden on passkeys for examples.
Possible future improvements
Once the initial rollout of the feature is complete, we may consider making the following improvements:
- Allow setting up a passkey on account creation
- Allow passkeys to be used when confirming sensitive actions (currently supported in the Security tab of User Preferences but not in some admin-only screens)