Discourse ships with its own auth system built directly on webauthn for 2fa. I think the only big gap we have now is that we don’t allow 2fa to be the only factor (optionally)
I do hope to make this an option for Discourse as well, I really do hate passwords and 2fa+challenge only to me feels inherently better than password, for sure.
Tricky, depends on how deep down the rabbit hole you want to go. A prototype PR that adds a site setting would be delightful, but I totally get that this can be a rather big time commitment.
A quick update: support for passkeys in Discourse is coming soon. I’ve been working on this over the past few weeks and we have a couple of draft PRs ready. See #23586, #23587 and #23591.
I think in about 3-4 weeks, we should be able to merge this (behind a default-off site setting). And if we grant a few more weeks for testing and bug fixing, I suspect we’ll be able to have this production-ready state in about two months. Stay tuned!
I just enabled the site setting and added a passkey to my account on a forum I help run, and this seems to work perfectly. To enable it early on a site, this should work:
cd /var/discourse
./launcher enter app
rails c
SiteSetting.experimental_passkeys=true
Hey folks, yes, we’ve merged a few PRs adding passkeys support and are already testing it internally.
The steps above are correct, if you’d like to be a very very early tester of the feature. We are still fine-tuning a few things, though, and an official update/announcement is coming soon.
Another update here before making an official announcement: passkeys are now enabled here on meta. Please try them out and report any issues as replies in this topic.
Our plan is to keep testing the feature for another week or so under the experimental flag. Then we will announce them officially and remove the experimental site setting (i.e. passkeys support will be enabled by default on all instances using local logins).
Thanks for the report @Arkshine, I had forgotten to include a small change in the mobile component in a commit two days ago. Kind of an embarrassing mistake, the button did nothing on all mobile devices.
Anyhow, it’s fixed now, I just tested on my Android, and it should work for you as well.
Ah, interesting, thanks for the screenshot. I suspect the device doesn’t support user verification? Can you use touch/faceId or a PIN to unlock the device?
Per this page, it does look like Chrome OS support is patchy.