Passwordless login using passkeys

pmusaraj · 2023-11-16T17:39:57.671Z

Following up on Support passwordless login with Passkeys and a few weeks of internal testing, we are happy to announce that support for passkeys has now landed in Discourse.

What are passkeys

Passkeys are a safer, simpler alternative to using passwords for authentication. Creating and using a passkey is now widely supported across platforms and browsers. Compared to passwords, passkeys have better built-in safety due to strong platform-generated credentials and biometric identity validation (like touchID, faceID, PIN or device password). Passkeys are also safe from server-side leaks (the private portion of the key never leaves the device) or phishing (each key is linked with one website/service only).

Feature Rollout

If you are a hosted customer, passkeys support will be rolled out to your instance over the next few days. If you’d like to enable them right now, please reach out to @team here on meta or via email to team@discourse.org.

If you are self-hosting Discourse, note that the feature ~~will be enabled by default in Discourse core shortly~~ is now enabled by default in core as of this commit. If you would like to disable it, you can do so via the Rails console:

launcher enter app
rails c
SiteSetting.enable_passkeys = false

Note that passkeys can only be used on Discourse instances with local logins enabled. If your instance doesn’t use local logins, the passkeys feature has no effect.

Once the feature is enabled, users can add passkeys to their account by going to the security tab of their user preferences:

The image shows a computer screen displaying a login modal with various sign-in options including social and service provider logins, as well as traditional email/username and password fields.2174×910 70.5 KB

Once a passkey is registered, they can login with it via the autofill dropdown under the username field (1) or by clicking on the “Login with a passkey” button (2).

The image shows a computer screen displaying a login modal with various sign-in options including social and service provider logins, as well as traditional email/username and password fields.2034×1316 276 KB

More details

There are numerous resources and guides available on passkeys. I have found the following to be the most useful:

https://passkeys.dev/ maintained by the W3C has a great chart detailing device support
Google provides a comprehensive developer guide
Apple’s Passkeys Overview - Apple Developer is useful
Password managers offer informative guides, too, see 1Password on passkeys or Bitwarden on passkeys for examples.

Possible future improvements

Once the initial rollout of the feature is complete, we may consider making the following improvements:

Allow setting up a passkey on account creation
Allow passkeys to be used when confirming sensitive actions (currently supported in the Security tab of User Preferences but not in some admin-only screens)
Allow removing passwords altogether (on a per-user or per-instance basis?)

Be0 · 2023-12-30T07:59:44.420Z

This is a great addition! However, the security benefits can be easily bypassed by logging in with a password. I expected to still be prompted for a passkey after entering my password, but it just logs in with the password. This can be avoided by reregistering the security keys in the separate 2FA settings, but that’s not obvious and is cumbersome.

pmusaraj · 2024-01-11T20:04:49.628Z

Thanks @Be0

Be:

I expected to still be prompted for a passkey after entering my password, but it just logs in with the password.

In most current implementations, passkeys aren’t yet being deployed this way. They’re being treated as independent from 2FA, see this report on Youtube’s approach. I think the industry will slowly adapt here though.

There are two changes needed for this to work as you expect:

step 1: allow using passkeys as 2FA (currently, as you noted, security keys need to be registered independently)
step 2: enforce 2FA on password logins when user has added a passkey

Step 1 makes sense to me, and it’s not disruptive. Step 2 makes sense too, but it is a little disruptive, if user deletes the passkey from their browser (or doesn’t have it on a given device), access will be blocked.

I think it makes sense to look into this, though.

patrickemin · 2024-01-31T16:45:37.511Z

Hi, when browsing my Discourse site on mobile (Firefox), passkeys are not supported, is it as intended?

pmusaraj · 2024-01-31T17:49:47.167Z

I think Firefox is actively working on adding passkeys support across the board, but it’s still not 100% there if I am reading this chart correctly.

Depending on your version and operating system, it might not yet be available. I just did a quick test on macOS and iOS, and passkey authentication was available and functional for me here on meta.discourse.org.

pmusaraj · 2024-02-09T17:22:08.402Z

A post was split to a new topic: Issues using passkeys with vaultwarden

pmusaraj · 2024-02-15T19:59:46.382Z

If the browser’s autocomplete function doesn’t include the passkey for some reason, you can click the “Log in with a passkey” button.

image1552×1056 122 KB

pmusaraj · 2024-02-28T15:31:35.227Z

You can write a PM to @team here or send an email to team@discourse.org and we can disable this feature for you. We don’t recommend doing so, many services on the web are adopting passkeys as a safer option for authentication.

Kartoon · 2024-04-03T06:13:08.920Z

Is it in the plans to eventually be able to disable the password altogether (preferably on an account setting basis, I can see forcing entire sites to do it not ending well)? Because having both a passkey and a password active kind of limits the usefulness of the passkey. You can sort of mitigate it by making a stupidly complex password and just never using it but that’s just sidestepping the point of passkeys

pmusaraj · 2024-04-03T20:15:36.916Z

Yes, I think that would be nice (and improved security for the account). Adding it now under the “Possible future improvements” section of the OP.

JetForMe · 2024-04-20T03:25:23.753Z

This is crucial to the safety of passkeys. They’re little more than a convenience if I can’t disable password login.

patrickemin · 2024-05-01T14:57:20.903Z

If I understand the passkey mechanism correctly, you need to have installed a trusted container such as a password manager to store the access keys. Getting rid of passwords assumes that all users have installed such a manager, so how those users who did not do so will login?

Kartoon · 2024-05-01T18:25:24.964Z

The same way people who don’t use 2FA access sites that require 2FA - they don’t.

Not that this is an actual concern since Chrome, Safari, Windows, iPhones, Android, Yubi, etc. are all alternative to password managers (which you should already be using in 2024 regardless) and all function with passkeys.

I also wasn’t suggesting forcing every user to not have a password (though I’m fine with that) but if YOU the passkey user can’t disable your password then the passkey serves far less of a purpose and you’re still completely phishable.

patrickemin · 2024-05-01T19:10:10.543Z

Kartoon:

I also wasn’t suggesting forcing every user to not have a password (though I’m fine with that) but if YOU the passkey user can’t disable your password then the passkey serves far less of a purpose and you’re still completely phishable.

If I chose passkeys for Discourse, I will not use anymore my password, so how can I be phishable ? I understand the risk of malicious or brute force attack on the password login will remain, and your suggestion to disable it per user is valid, but not by phishing?