
mage-os/module-passkey-auth
===========================

Passkey (WebAuthn) authentication for customer accounts

1.0.0-beta1(2mo ago)932OSL-3.0PHPPHP &gt;=8.2CI passing

Since Mar 17Pushed 2mo agoCompare

[Source](https://github.com/mage-os-lab/module-passkey-auth) · [Packagist](https://packagist.org/packages/mage-os/module-passkey-auth)


MageOS Passkey Authentication
=============================


Passwordless login for Magento 2 customer accounts using the WebAuthn/FIDO2 standard. Customers register passkeys (biometric, security key, or device PIN) and sign in with a single tap — no passwords to remember, phish, or leak.

Built on [`web-auth/webauthn-lib`](https://github.com/web-auth/webauthn-lib) v5.

Key Features
------------


### Passwordless Authentication


- **One-tap login**: Customers authenticate with fingerprint, Face ID, Windows Hello, or a hardware security key
- **Token-based sessions**: Successful passkey authentication issues a standard Magento customer token
- **Anti-enumeration**: Authentication options return a valid response even for non-existent emails, preventing account discovery

### Credential Management


- **My Account page**: Customers add, rename, and delete passkeys from their account dashboard
- **Clone detection**: Sign-count tracking detects copied authenticators

### Store Admin Controls


- **Enrollment prompts**: Optional banners on account pages after password login or account creation to encourage passkey adoption
- **Rate limiting**: Built-in cache-based limits on options requests and verification failures

Requirements
------------


| Component | Version |
| --- | --- |
| **PHP** | 8.2+ |
| **Magento Open Source / Mage-OS** | 2.4.x |
| **HTTPS** | Required (WebAuthn does not work over plain HTTP) |

Installation
------------


```
composer require mage-os/module-passkey-auth
bin/magento setup:upgrade
```

Configuration
-------------


Navigate to **Stores > Configuration > Customers > Customer Configuration > Passkey Authentication**.

| Setting | Description | Default |
| --- | --- | --- |
| **Enable Passkey Authentication** | Master on/off switch | Yes |
| **Prompt After Password Login** | Show enrollment banner on account pages after password sign-in | Yes |
| **Prompt After Account Creation** | Show enrollment banner on account pages after registration | No |

The Relying Party (RP) ID and allowed origins are derived automatically from the store's base URL — no manual configuration required.

WebAuthn parameters (user verification, attestation conveyance, ceremony timeout, authenticator attachment, and max credentials per customer) use sane defaults internally and are not exposed as admin settings.

Architecture
------------


### Service Contracts


All business logic is exposed through `Api` interfaces:

| Interface | Implementation | Purpose |
| --- | --- | --- |
| `RegistrationOptionsInterface` | `Registration\OptionsGenerator` | Generate WebAuthn creation options |
| `RegistrationVerifierInterface` | `Registration\Verifier` | Verify attestation and store credential |
| `AuthenticationOptionsInterface` | `Authentication\OptionsGenerator` | Generate WebAuthn request options |
| `AuthenticationVerifierInterface` | `Authentication\Verifier` | Verify assertion and issue token |
| `CredentialRepositoryInterface` | `CredentialRepository` | Credential CRUD |
| `CredentialManagementInterface` | `CredentialManagement` | List, rename, delete credentials |
| `Data\CredentialInterface` | `Data\Credential` | Credential data transfer object |
| `Data\AuthenticationResultInterface` | `Data\AuthenticationResult` | Authentication result DTO |

### REST API


| Method | Endpoint | Auth | Purpose |
| --- | --- | --- | --- |
| `POST` | `/V1/passkey/registration/options` | Customer (self) | Get creation options for `navigator.credentials.create()` |
| `POST` | `/V1/passkey/registration/verify` | Customer (self) | Submit attestation response, receive stored credential |
| `POST` | `/V1/passkey/authentication/options` | Anonymous | Get request options for `navigator.credentials.get()` |
| `POST` | `/V1/passkey/authentication/verify` | Anonymous | Submit assertion response, receive customer token |
| `GET` | `/V1/passkey/credentials` | Customer (self) | List customer's registered passkeys |
| `PUT` | `/V1/passkey/credentials/:entityId` | Customer (self) | Rename a passkey |
| `DELETE` | `/V1/passkey/credentials/:entityId` | Customer (self) | Delete a passkey |

### Events


| Event | Payload | Fired When |
| --- | --- | --- |
| `passkey_credential_register_after` | `customer_id`, `credential` | New passkey registered |
| `passkey_authentication_success` | `customer_id`, `credential` | Successful passkey login |
| `passkey_authentication_failure` | `credential_id`, `reason` | Failed passkey login |
| `passkey_credential_remove_after` | `customer_id`, `credential_id` | Passkey deleted |

### Database


**`passkey_credential`** — Stores registered WebAuthn credentials. One customer can have multiple credentials (up to 10). Foreign key to `customer_entity` with `CASCADE` delete.

**`passkey_challenge`** — Temporary single-use challenges with a 5-minute TTL. Cleaned up by the `passkey_challenge_cleanup` cron job.

Extensibility
-------------


### Observing Passkey Events


Create an observer in your module's `etc/events.xml`:

```

```

### Overriding Services


All service contracts can be replaced via DI preferences in `etc/di.xml`:

```

```

### Frontend Customization


The module provides three jQuery UI widgets that can be extended via RequireJS mixins:

- `passkeyLogin` — Login page authentication flow
- `passkeyManage` — My Account credential management (add/rename/delete)
- `enrollmentPrompt` — Enrollment banner after password login

Templates are in `view/frontend/templates/` and can be overridden via theme fallback. Styles use Luma/blank theme variables and patterns (`.message.info`, `.data.table`, `.action.primary`) for native theme consistency.

Security
--------


- **HTTPS required**: WebAuthn ceremonies are rejected by browsers on non-secure origins. The module detects non-secure contexts and displays a specific error message.
- **Single-use challenges**: Each challenge token is consumed on verification and cannot be reused.
- **Rate limiting**: Options generation (10 requests/60s) and verification failures (5 failures/900s) are rate-limited per customer.
- **Sign-count validation**: Detects cloned authenticators by tracking the signature counter.
- **Anti-enumeration**: Authentication options return a valid (but unusable) response for non-existent email addresses.
- **Ownership enforcement**: All credential operations validate that the credential belongs to the requesting customer.
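
The single-use challenge and sign-count checks listed above, sketched as an added example that is not the module's own code. `ChallengeStore` and `isSignCountAcceptable` are hypothetical names, the array stands in for the `passkey_challenge` table, and treating a 0/0 counter pair as acceptable follows the WebAuthn specification rather than anything this page states about the module.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the module. Names are hypothetical.
final class ChallengeStore
{
    private const TTL_SECONDS = 300; // 5-minute TTL stated for passkey_challenge

    /** @var array<string, array{challenge: string, created: int}> */
    private array $rows = []; // in-memory stand-in for the passkey_challenge table

    /** @return array{0: string, 1: string} token and raw challenge bytes */
    public function issue(int $now): array
    {
        $token = bin2hex(random_bytes(16));
        $challenge = random_bytes(32);
        $this->rows[$token] = ['challenge' => $challenge, 'created' => $now];
        return [$token, $challenge];
    }

    /** Returns the challenge once; replayed, unknown or expired tokens yield null. */
    public function consume(string $token, int $now): ?string
    {
        $row = $this->rows[$token] ?? null;
        unset($this->rows[$token]); // removed before any check, so a failed attempt also burns it
        if ($row === null || $now - $row['created'] > self::TTL_SECONDS) {
            return null;
        }
        return $row['challenge'];
    }
}

/** WebAuthn counter rule: 0 and 0 means no counter; otherwise it must strictly increase. */
function isSignCountAcceptable(int $stored, int $received): bool
{
    return ($stored === 0 && $received === 0) || $received > $stored;
}

$store = new ChallengeStore();
$t0 = 1700000000; // constructed timestamp
[$token, $challenge] = $store->issue($t0);
var_dump($store->consume($token, $t0 + 10) === $challenge); // first use within TTL
var_dump($store->consume($token, $t0 + 11));                // replay of the same token
[$late] = $store->issue($t0);
var_dump($store->consume($late, $t0 + 301));                // past the 5-minute TTL
var_dump(isSignCountAcceptable(41, 42)); // counter advanced
var_dump(isSignCountAcceptable(42, 42)); // counter did not advance: possible clone
var_dump(isSignCountAcceptable(0, 0));   // authenticator without a counter
```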

Contributing
------------


Issues and pull requests welcome on GitHub.

License
-------


This module is licensed under the [Open Software License 3.0](https://opensource.org/licenses/OSL-3.0).

Support
-------


- **Issues**: [GitHub Issues](https://github.com/mage-os-lab/module-passkey-auth/issues)
- **Community**: [Mage-OS Discord](http://chat.mage-os.org)


### Community

Maintainers: [Mage-OS](/maintainers/mage-os-ci) ([@mage-os-ci](https://github.com/mage-os-ci))

Top Contributors: [rhoerr](https://github.com/rhoerr) (45 commits)

### Code Quality

Tests: PHPUnit

