Support passwordless login with Passkeys

:wave: Thomas Cannon here, one of the lead maintainers for the Ruby passkeys organization!

There are some libraries that have been put together to help with this, but we desperately need maintainers. Some relevant links below:

Definitely want to help as much as we can; and pool resources to make passkeys the standard across the Ruby ecosystem :muscle:

8 Likes

Hi Thomas,

Discourse ships with its own auth system built directly on webauthn for 2fa. I think the only big gap we have now is that we don’t allow 2fa to be the only factor (optionally).

I noticed Google are all in now as well (as of yesterday), Passkeys: What they are and how to use them

I do hope to make this an option for Discourse as well, I really do hate passwords and 2fa+challenge only to me feels inherently better than password, for sure.

7 Likes

Awesome! What’s the best way I could help out?

2 Likes

Tricky, depends on how deep down the rabbit hole you want to go. A prototype PR that adds a site setting would be delightful, but I totally get that this can be a rather big time commitment.

2 Likes

I can try! No promises, so if anyone wants to beat me to the lunch, go for it!

5 Likes

A quick update: support for passkeys in Discourse is coming soon. I’ve been working on this over the past few weeks and we have a couple of draft PRs ready. See #23586, #23587 and #23591.

I think in about 3-4 weeks, we should be able to merge this (behind a default-off site setting). And if we grant a few more weeks for testing and bug fixing, I suspect we’ll be able to have this in a production-ready state in about two months. Stay tuned!

10 Likes

Hi there! Is there anything new to be said about passkeys in Discourse?

2 Likes

It appears that the final PR for this was merged a week ago, and the name of the site setting appears to currently be experimental_passkeys (currently a hidden setting).

1 Like

I just enabled the site setting and added a passkey to my account on a forum I help run, and this seems to work perfectly. To enable it early on a site, this should work:

```
cd /var/discourse
./launcher enter app
rails c
SiteSetting.experimental_passkeys=true
```

Once it’s enabled, it seems like you just have to open https://forum.example.com/my/preferences/security and add a passkey, then log out and use the Login with a passkey option to log back in.

3 Likes

Hey folks, yes, we’ve merged a few PRs adding passkeys support and are already testing it internally.

The steps above are correct, if you’d like to be a very very early tester of the feature. We are still fine-tuning a few things, though, and an official update/announcement is coming soon.

9 Likes

Another update here before making an official announcement: passkeys are now enabled here on meta. Please try them out and report any issues as replies in this topic.

Our plan is to keep testing the feature for another week or so under the experimental flag. Then we will announce them officially and remove the experimental site setting (i.e. passkeys support will be enabled by default on all instances using local logins).

7 Likes

I tested it on Desktop (Windows 11, Chrome), and it works perfectly! :+1:

I had to hit Send Password Reset Email to confirm my identity because I usually log in with Google, so I don’t know my password. :sweat_smile:


I tested on Android (10) and Chrome/App. It works well, however:

  • Touching the input triggers the passkey modal.
    • Ignoring and touching the input again allows me to type
  • Touching the button does nothing (apart from selecting it and closing the keyboard)


(yay, it’s laggy, not sure why)

5 Likes

Thanks for the report @Arkshine, I had forgotten to include a small change in the mobile component in a commit two days ago. Kind of an embarrassing mistake, the button did nothing on all mobile devices.

Anyhow, it’s fixed now, I just tested on my Android, and it should work for you as well.

2 Likes

Yep, it’s working now, thanks! :smile:

2 Likes

It seems like a chromeos system can’t be used as a passkey with Discourse (although it can be used as one with other websites), is that intentional?

We’re not specifically blocking it, no. What’s a “chromeos system”, exactly, is it Chrome on ChromeOS? Can you share the browser and OS version?

Yes.

Sure.
From chrome://version:

| Key | Value |
|---|---|
| Google Chrome | 118.0.5993.86 (Official Build) (64-bit) |
| Revision | d9a55e23605b9c433d369a305c71114843ec754d-refs/branch-heads/5993@{#1287} |
| Platform | 15604.45.0 (Official Build) stable-channel octopus |
| User Agent | Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 |

Is that enough information?

Here’s what happens when I try to add a passkey using this computer (I choose the “This Device” option in the first menu):
Screenshot 2023-10-27 10.47.45 AM
Screenshot 2023-10-27 10.47.55 AM

1 Like

Ah, interesting, thanks for the screenshot. I suspect the device doesn’t support user verification? Can you use touch/faceId or a PIN to unlock the device?

Per this page, it does look like Chrome OS support is patchy.

1 Like

I think it does.

I use a password. It might be worth noting that I can add this device as a 2FA method to an account using webauthn, I just can’t add it as a passkey.

1 Like
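
The suspicion discussed above (a device that can be added as a WebAuthn second factor but not as a passkey because it lacks user verification) can be checked from the browser. This is an added example, not Discourse code or code posted by anyone in the thread; the two `authenticatorSelection` option sets are assumed typical values, since the thread does not say what Discourse requests.

```javascript
// Added example, not Discourse code. The two option sets are assumptions that
// show a typical second-factor request next to a typical passkey request.
const SECOND_FACTOR_SELECTION = { userVerification: "discouraged", residentKey: "discouraged" };
const PASSKEY_SELECTION = { userVerification: "required", residentKey: "required" };

// Ask the browser whether a user-verifying platform authenticator is present.
// `scope` is injectable so the probe can also run against a stub outside a browser.
async function probeAuthenticator(scope = globalThis) {
  const pkc = scope.PublicKeyCredential;
  if (typeof pkc === "undefined") return { webauthn: false, platformUv: false };
  let platformUv = false;
  if (typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable === "function") {
    try {
      platformUv = Boolean(await pkc.isUserVerifyingPlatformAuthenticatorAvailable());
    } catch {
      platformUv = false; // treat a rejected probe as "not available"
    }
  }
  return { webauthn: true, platformUv };
}

// Can "This device" satisfy the given authenticatorSelection? A positive result
// only means the probe does not rule it out; the ceremony itself can still fail.
function thisDeviceCanSatisfy(probe, selection) {
  if (!probe.webauthn) return { ok: false, reason: "WebAuthn API not available" };
  if (selection.userVerification === "required" && !probe.platformUv) {
    return { ok: false, reason: "user verification required, but no user-verifying platform authenticator reported" };
  }
  return { ok: true, reason: "not ruled out by the capability probe" };
}

// Run the probe and evaluate both registration styles side by side.
async function diagnose(scope = globalThis) {
  const probe = await probeAuthenticator(scope);
  return {
    probe,
    secondFactor: thisDeviceCanSatisfy(probe, SECOND_FACTOR_SELECTION),
    passkey: thisDeviceCanSatisfy(probe, PASSKEY_SELECTION),
  };
}
```

In a browser console, `diagnose().then(console.log)` shows the result for the current device.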