Thomas Cannon here, one of the lead maintainers for the Ruby passkeys organization!
There are some libraries that have been put together to help with this, but we desperately need maintainers. Some relevant links below:
Definitely want to help as much as we can; and pool resources to make passkeys the standard across the Ruby ecosystem
Discourse ships with its own auth system built directly on webauthn for 2fa. I think the only big gap we have now is that we don’t allow 2fa to be the only factor (optionally)
I noticed Google are all in now as well (as of yesterday), Passkeys: What they are and how to use them
I do hope to make this an option for Discourse as well, I really do hate passwords and 2fa+challenge only to me feels inherently better than password, for sure.
Awesome! What’s the best way I could help out?
Tricky, depends on how deep down the rabbit hole you want to go. A prototype PR that adds a site setting would be delightful, but I totally get that this can be a rather big time commitment.
I can try! No promises, so if anyone wants to beat me to to the lunch, go for it!
A quick update: support for passkeys in Discourse is coming soon. I’ve been working on this over the past few weeks and we have a couple of draft PRs ready. See #23586, #23587 and #23591.
I think in about 3-4 weeks, we should be able to merge this (behind a default-off site setting). And if we grant a few more weeks for testing and bug fixing, I suspect we’ll be able to have this production-ready state in about two months. Stay tuned!
Hi there! Is there anything new to be said about passkeys in Discourse?
It appears that the final PR for this was merged a week ago, and the name of the site setting appears to currently be
experimental_passkeys (currently a hidden setting).
I just enabled the site setting and added a passkey to my account on a forum I help run, and this seems to work perfectly. To enable it early on a site, this should work:
./launcher enter app
Once it’s enabled, it seems like you just have to open https://forum.example.com/my/preferences/security and add a passkey, then log out and use the
Login with a passkey option to log back in.
Hey folks, yes, we’ve merged a few PRs adding passkeys support and are already testing it internally.
The steps above are correct, if you’d like to be a very very early tester of the feature. We are still fine-tuning a few things, though, and an official update/announcement is coming soon.
Another update here before making an official announcement: passkeys are now enabled here on meta. Please try them out and report any issues as replies in this topic.
Our plan is to keep testing the feature for another week or so under the experimental flag. Then we will announce them officially and remove the experimental site setting (i.e. passkeys support will be enabled by default on all instances using local logins).
I tested it on Desktop (windows 11, Chrome), and it works perfectly!
I had to hit Send Password Reset Email to confirm my identity because I usually log in with Google, so I don’t know my password.
I tested on Android (10) and Chrome/App. It works well, however:
- Touching the input triggers the passkey modal.
- Ignoring and touching the input again allows me to type
- Touching the button does nothing (apart from selecting it and closing the keyboard)
(yay, it’s laggy, not sure why)
Thanks for the report @Arkshine, I had forgotten to include a small change in the mobile component in a commit two days ago. Kind of an embarrassing mistake, the button did nothing on all mobile devices.
Anyhow, it’s fixed now, I just tested on my Android, and it should work for you as well.
Yep, it’s working now, thanks!
It seems like a chromeos system can’t be used as a passkey with Discourse (although it can be used as one with other websites), is that intentional?
We’re not specifically blocking it, no. What’s a “chromeos system”, exactly, is it Chrome on ChromeOS? Can you share the browser and OS version?
||118.0.5993.86 (Official Build) (64-bit)
||15604.45.0 (Official Build) stable-channel octopus
||Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/188.8.131.52 Safari/537.36
Is that enough information?
Here’s what happens when I try to add a passkey using this computer (I choose the “This Device” option in the first menu):
Ah, interesting, thanks for the screenshot. I suspect the device doesn’t support user verification? Can you use touch/faceId or a PIN to unlock the device?
Per this page, it does look like Chrome OS support is patchy.
I think it does.
I use a password. It might be worth noting that I can add this device as a 2FA method to an account using webauthn, I just can’t add it as a passkey.