PHPackages netresearch/nr-passkeys-be - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. netresearch/nr-passkeys-be ActiveTypo3-cms-extension[Authentication & Authorization](/categories/authentication) netresearch/nr-passkeys-be ========================== Passwordless TYPO3 backend authentication via Passkeys (WebAuthn/FIDO2) - by Netresearch v0.6.0(2mo ago)22.5k1GPL-2.0-or-laterPHPPHP ^8.2CI passing Since Feb 10Pushed 1mo ago1 watchersCompare [ Source](https://github.com/netresearch/t3x-nr-passkeys-be)[ Packagist](https://packagist.org/packages/netresearch/nr-passkeys-be)[ Docs](https://github.com/netresearch/t3x-nr-passkeys-be)[ RSS](/packages/netresearch-nr-passkeys-be/feed)WikiDiscussions main Synced 1mo ago READMEChangelog (8)Dependencies (16)Versions (24)Used By (1) [ ![Netresearch](Resources/Public/Icons/Extension.svg) ](https://www.netresearch.de/) Passkeys Backend Authentication =============================== [](#passkeys-backend-authentication) Passwordless TYPO3 backend login via WebAuthn/FIDO2 Passkeys. One-click authentication with TouchID, FaceID, YubiKey, and Windows Hello. [![CI](https://github.com/netresearch/t3x-nr-passkeys-be/actions/workflows/ci.yml/badge.svg)](https://github.com/netresearch/t3x-nr-passkeys-be/actions/workflows/ci.yml) [![codecov](https://camo.githubusercontent.com/331b76c3c2001f338dfde068d9fce037e284f98d804ecc87fe9a6764f3c53022/68747470733a2f2f636f6465636f762e696f2f67682f6e657472657365617263682f7433782d6e722d706173736b6579732d62652f67726170682f62616467652e737667)](https://codecov.io/gh/netresearch/t3x-nr-passkeys-be) [![OpenSSF Best Practices](https://camo.githubusercontent.com/bb8c43ce6562939d818b4fc740ceda4d164406f3aa40c238ed1528c6c651ba11/68747470733a2f2f7777772e626573747072616374696365732e6465762f70726f6a656374732f31323033372f6261646765)](https://www.bestpractices.dev/projects/12037) [![OpenSSF Scorecard](https://camo.githubusercontent.com/c3bc3cc8f5917bf8b81515b0737fb5055737f6e3c8faedd4923989cca0564be8/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f6e657472657365617263682f7433782d6e722d706173736b6579732d62652f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/netresearch/t3x-nr-passkeys-be) [![PHPStan](https://camo.githubusercontent.com/722de1d5a42bd7b0690e2dd7cf57984e352512dacc0e674932366f1ae2289b09/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f5048505374616e2d4c6576656c25323031302d627269676874677265656e2e737667)](https://phpstan.org/) [![Mutation](https://camo.githubusercontent.com/8882657773834863cefba97b0d5b8cd59eecd50ab07aaa2f6b889f3a724c5678/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f496e66656374696f6e2532304d53492d25453225383925413538302532352d627269676874677265656e)](https://infection.github.io/) [![PHP](https://camo.githubusercontent.com/cc8083cb91a88dce53f95e87ded5b6624879ccf69ba404ae2da2c0286819dcd3/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f5048502d382e322d2d382e352d626c75652e7376673f6c6f676f3d706870)](https://www.php.net/) [![TYPO3](https://camo.githubusercontent.com/bc16ab50abbc8a7f9d4ead233d19b076e07940a780f56cc1b777ec881a49a29b/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f5459504f332d31322532304c545325323025374325323031332532304c545325323025374325323031342d6f72616e67652e7376673f6c6f676f3d7479706f33)](https://typo3.org/) [![License](https://camo.githubusercontent.com/a8a63eb7fe3f22d76ae3d9983f4df033a851f514327295f8ca30785dfa99e804/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f6c6963656e73652f6e657472657365617263682f7433782d6e722d706173736b6579732d6265)](https://github.com/netresearch/t3x-nr-passkeys-be/blob/main/LICENSE) [![Latest Release](https://camo.githubusercontent.com/cbecc6ef43980e7b5e9a2da3d715e5d2d16ab029ff3310f5a47e3db354566da8/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f762f72656c656173652f6e657472657365617263682f7433782d6e722d706173736b6579732d6265)](https://github.com/netresearch/t3x-nr-passkeys-be/releases) --- Overview -------- [](#overview) **nr\_passkeys\_be** replaces traditional password authentication in the TYPO3 backend with modern passkeys. It registers as a TYPO3 authentication service at priority 80, intercepting login requests before the standard password service. When passkey data is present, it performs full WebAuthn assertion verification. Otherwise, it falls through to password login (unless disabled). **Extension key**`nr_passkeys_be`**Package**`netresearch/nr-passkeys-be`**TYPO3**12.4 LTS, 13.4 LTS, 14.x**PHP**8.2, 8.3, 8.4, 8.5**License**GPL-2.0-or-laterFeatures -------- [](#features) - **Primary authentication** -- Passkeys replace passwords, not just augment them - **Discoverable login** -- Optional username-less login via resident credentials - **Per-group enforcement** -- 4 levels (Off, Encourage, Required, Enforced) with configurable grace periods for gradual rollout - **Onboarding banner** -- Dismissible banner with passkey explanation, docs link, and administrator contact for encouraged users - **Setup interstitial** -- PSR-15 middleware prompts users to register passkeys after login (skippable during grace period) - **Admin dashboard** -- Backend module with adoption stats, per-group enforcement controls, user list, and bulk actions - **Admin management** -- Admins can list, revoke passkeys, send reminders, and unlock locked accounts - **Self-service** -- Users register, rename, and remove their own passkeys in User Settings - **Rate limiting** -- Per-endpoint and per-account lockout protection - **Replay protection** -- HMAC-signed challenge tokens with single-use nonces ### Supported Authenticators [](#supported-authenticators) PlatformAuthenticatormacOS / iOSTouchID, FaceIDWindowsWindows HelloCross-platformYubiKey, other FIDO2 security keysInstallation ------------ [](#installation) ``` composer require netresearch/nr-passkeys-be ``` Activate the extension in the TYPO3 Extension Manager or via CLI: ``` vendor/bin/typo3 extension:activate nr_passkeys_be ``` Configuration ------------- [](#configuration) Extension settings are available in **Admin Tools > Settings > Extension Configuration > nr\_passkeys\_be**: SettingDefaultDescription`challengeTtlSeconds``120`Challenge token lifetime in seconds`discoverableLoginEnabled``true`Allow username-less login via resident credentials`disablePasswordLogin``false`Block password login for users with registered passkeys`rateLimitMaxAttempts``10`Requests per IP per endpoint before rate limiting`rateLimitWindowSeconds``300`Rate limit window duration in seconds`lockoutThreshold``5`Failed login attempts (per IP) before account lockout`lockoutUserThreshold``15`Failed login attempts (per username, all IPs) before account lockout`lockoutDurationSeconds``900`Lockout duration in seconds (15 min)`userVerification``required`WebAuthn user verification requirement`allowedAlgorithms``ES256`Comma-separated signing algorithmsSee [Configuration documentation](Documentation/Configuration/Index.rst) for all settings including `rpId`, `rpName`, and `origin`. How It Works ------------ [](#how-it-works) The extension registers a TYPO3 authentication service at priority 80 (above `SaltedPasswordService` at 50). When passkey assertion data is present in the login request, it verifies the WebAuthn assertion. When no passkey data is present, it passes through to the next auth service (standard password login) unless password login is disabled. ### API Endpoints [](#api-endpoints) **Login** (public): - `POST /passkeys/login/options` -- Generate authentication challenge - `POST /passkeys/login/verify` -- Verify passkey assertion **Self-Service** (authenticated, AJAX routes): - `POST /ajax/passkeys/manage/registration/options` -- Generate registration challenge \* - `POST /ajax/passkeys/manage/registration/verify` -- Complete passkey registration \* - `GET /ajax/passkeys/manage/list` -- List own passkeys - `POST /ajax/passkeys/manage/rename` -- Rename a passkey label \* - `POST /ajax/passkeys/manage/remove` -- Remove a passkey \* **Admin** (admin-only, AJAX routes): - `GET /ajax/passkeys/admin/list?beUserUid=N` -- List any user's passkeys - `POST /ajax/passkeys/admin/remove` -- Revoke a user's passkey \* - `POST /ajax/passkeys/admin/revoke-all` -- Revoke all passkeys for a user \* - `POST /ajax/passkeys/admin/unlock` -- Unlock a locked-out user \* - `POST /ajax/passkeys/admin/update-enforcement` -- Update group enforcement level \* - `POST /ajax/passkeys/admin/send-reminder` -- Send passkey setup reminder \* - `POST /ajax/passkeys/admin/clear-nudge` -- Clear active nudge for a user \* **Enforcement** (authenticated, AJAX route): - `GET /ajax/passkeys/enforcement/status` -- Get enforcement status for banner \* Protected by TYPO3 **Sudo Mode** -- write operations require password re-verification (15 min grant lifetime). Documentation ------------- [](#documentation) Full documentation is available in the [Documentation/](Documentation/) directory, covering installation, configuration, administration, and developer guides. Development ----------- [](#development) ``` composer install # Code quality composer ci:test:php:cgl # Check code style (PER-CS3.0) composer ci:cgl # Fix code style composer ci:test:php:phpstan # PHPStan level 10 # Tests composer ci:test:php:unit # Unit tests composer ci:test:php:functional # Functional tests (requires MySQL) composer ci:test:php:all # All test suites composer ci:mutation # Mutation testing (MSI >= 80%) # Or use make make ci # Run lint + stan + unit + fuzz locally make up # Start DDEV with all TYPO3 versions make help # Show all available targets ``` Security -------- [](#security) If you discover a security vulnerability, please report it responsibly. See [SECURITY.md](SECURITY.md) for details. License ------- [](#license) GPL-2.0-or-later. See [LICENSE](LICENSE). --- Developed and maintained by [Netresearch DTT GmbH](https://www.netresearch.de/) ### Health Score 47 — FairBetter than 93% of packages Maintenance96 Actively maintained with recent releases Popularity26 Limited adoption so far Community11 Small or concentrated contributor base Maturity46 Maturing project, gaining track record Bus Factor1 Top contributor holds 97.7% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~2 days Total 8 Last Release 69d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/acffee6a64e18f21593794b335dd8786001148f7df89fd8372a54d3dd09d91a4?d=identicon)[netresearch](/maintainers/netresearch) --- Top Contributors [![CybotTM](https://avatars.githubusercontent.com/u/326348?v=4)](https://github.com/CybotTM "CybotTM (253 commits)")[![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)](https://github.com/dependabot[bot] "dependabot[bot] (6 commits)") --- Tags authenticationfido2passkeyspasswordlessphptypo3typo3-extensionwebauthnAuthenticationFIDO2webauthnbackendtypo3Passwordlesspasskeys ### Code Quality TestsPHPUnit Static AnalysisPHPStan Code StylePHP CS Fixer Type Coverage Yes ### Embed Badge ![Health badge](/badges/netresearch-nr-passkeys-be/health.svg) ``` [![Health](https://phpackages.com/badges/netresearch-nr-passkeys-be/health.svg)](https://phpackages.com/packages/netresearch-nr-passkeys-be) ``` ### Alternatives [laragear/webauthn Authenticate users with Passkeys: fingerprints, patterns and biometric data. 403480.4k8](/packages/laragear-webauthn)[web-auth/webauthn-symfony-bundle FIDO2/Webauthn Security Bundle For Symfony 63397.4k6](/packages/web-auth-webauthn-symfony-bundle)[in2code/femanager Modern TYPO3 Frontend User Registration. 49745.4k6](/packages/in2code-femanager)[friendsoftypo3/openid OpenID authentication for TYPO3 CMS 1396.0k](/packages/friendsoftypo3-openid)[causal/oidc This extension uses OpenID Connect to authenticate users. 1557.8k](/packages/causal-oidc) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)