PHPackages                             netresearch/nr-passkeys-be - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. netresearch/nr-passkeys-be

ActiveTypo3-cms-extension[Authentication &amp; Authorization](/categories/authentication)

netresearch/nr-passkeys-be
==========================

Passwordless TYPO3 backend authentication via Passkeys (WebAuthn/FIDO2) - by Netresearch

v0.10.0(1w ago)33.3k[1 issues](https://github.com/netresearch/t3x-nr-passkeys-be/issues)1GPL-2.0-or-laterPHPPHP ^8.2CI passing

Since Feb 10Pushed 3w ago1 watchersCompare

[ Source](https://github.com/netresearch/t3x-nr-passkeys-be)[ Packagist](https://packagist.org/packages/netresearch/nr-passkeys-be)[ Docs](https://github.com/netresearch/t3x-nr-passkeys-be)[ RSS](/packages/netresearch-nr-passkeys-be/feed)WikiDiscussions main Synced today

READMEChangelog (10)Dependencies (64)Versions (42)Used By (1)

 [ ![Netresearch](Resources/Public/Icons/Extension.svg) ](https://www.netresearch.de/)

Passkeys Backend Authentication
===============================

[](#passkeys-backend-authentication)

 Passwordless TYPO3 backend login via WebAuthn/FIDO2 Passkeys.
 One-click authentication with TouchID, FaceID, YubiKey, and Windows Hello.

 [![CI](https://github.com/netresearch/t3x-nr-passkeys-be/actions/workflows/ci.yml/badge.svg)](https://github.com/netresearch/t3x-nr-passkeys-be/actions/workflows/ci.yml) [![codecov](https://camo.githubusercontent.com/331b76c3c2001f338dfde068d9fce037e284f98d804ecc87fe9a6764f3c53022/68747470733a2f2f636f6465636f762e696f2f67682f6e657472657365617263682f7433782d6e722d706173736b6579732d62652f67726170682f62616467652e737667)](https://codecov.io/gh/netresearch/t3x-nr-passkeys-be)

 [![OpenSSF Best Practices](https://camo.githubusercontent.com/bb8c43ce6562939d818b4fc740ceda4d164406f3aa40c238ed1528c6c651ba11/68747470733a2f2f7777772e626573747072616374696365732e6465762f70726f6a656374732f31323033372f6261646765)](https://www.bestpractices.dev/projects/12037) [![OpenSSF Scorecard](https://camo.githubusercontent.com/c3bc3cc8f5917bf8b81515b0737fb5055737f6e3c8faedd4923989cca0564be8/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f6e657472657365617263682f7433782d6e722d706173736b6579732d62652f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/netresearch/t3x-nr-passkeys-be)

 [![PHPStan](https://camo.githubusercontent.com/722de1d5a42bd7b0690e2dd7cf57984e352512dacc0e674932366f1ae2289b09/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f5048505374616e2d4c6576656c25323031302d627269676874677265656e2e737667)](https://phpstan.org/) [![Mutation](https://camo.githubusercontent.com/8882657773834863cefba97b0d5b8cd59eecd50ab07aaa2f6b889f3a724c5678/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f496e66656374696f6e2532304d53492d25453225383925413538302532352d627269676874677265656e)](https://infection.github.io/) [![PHP](https://camo.githubusercontent.com/cc8083cb91a88dce53f95e87ded5b6624879ccf69ba404ae2da2c0286819dcd3/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f5048502d382e322d2d382e352d626c75652e7376673f6c6f676f3d706870)](https://www.php.net/) [![TYPO3](https://camo.githubusercontent.com/bc16ab50abbc8a7f9d4ead233d19b076e07940a780f56cc1b777ec881a49a29b/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f5459504f332d31322532304c545325323025374325323031332532304c545325323025374325323031342d6f72616e67652e7376673f6c6f676f3d7479706f33)](https://typo3.org/) [![License](https://camo.githubusercontent.com/a8a63eb7fe3f22d76ae3d9983f4df033a851f514327295f8ca30785dfa99e804/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f6c6963656e73652f6e657472657365617263682f7433782d6e722d706173736b6579732d6265)](https://github.com/netresearch/t3x-nr-passkeys-be/blob/main/LICENSE) [![Latest Release](https://camo.githubusercontent.com/cbecc6ef43980e7b5e9a2da3d715e5d2d16ab029ff3310f5a47e3db354566da8/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f762f72656c656173652f6e657472657365617263682f7433782d6e722d706173736b6579732d6265)](https://github.com/netresearch/t3x-nr-passkeys-be/releases)

---

Overview
--------

[](#overview)

**nr\_passkeys\_be** replaces traditional password authentication in the TYPO3 backend with modern passkeys. It registers as a TYPO3 authentication service at priority 80, intercepting login requests before the standard password service. When passkey data is present, it performs full WebAuthn assertion verification. Otherwise, it falls through to password login (unless disabled).

**Extension key**`nr_passkeys_be`**Package**`netresearch/nr-passkeys-be`**TYPO3**12.4 LTS, 13.4 LTS, 14.x**PHP**8.2, 8.3, 8.4, 8.5**License**GPL-2.0-or-laterFeatures
--------

[](#features)

- **Primary authentication** -- Passkeys replace passwords, not just augment them
- **Discoverable login** -- Optional username-less login via resident credentials
- **Per-group enforcement** -- 4 levels (Off, Encourage, Required, Enforced) with configurable grace periods for gradual rollout
- **Onboarding banner** -- Dismissible banner with passkey explanation, docs link, and administrator contact for encouraged users
- **Setup interstitial** -- PSR-15 middleware prompts users to register passkeys after login (skippable during grace period)
- **Admin dashboard** -- Backend module with adoption stats, per-group enforcement controls, user list, and bulk actions
- **Admin management** -- Admins can list, revoke passkeys, send reminders, and unlock locked accounts
- **Self-service** -- Users register, rename, and remove their own passkeys in User Settings
- **Rate limiting** -- Per-endpoint and per-account lockout protection
- **Replay protection** -- HMAC-signed challenge tokens with single-use nonces

### Supported Authenticators

[](#supported-authenticators)

PlatformAuthenticatormacOS / iOSTouchID, FaceIDWindowsWindows HelloCross-platformYubiKey, other FIDO2 security keysInstallation
------------

[](#installation)

```
composer require netresearch/nr-passkeys-be
```

Activate the extension in the TYPO3 Extension Manager or via CLI:

```
vendor/bin/typo3 extension:activate nr_passkeys_be
```

Quick Start
-----------

[](#quick-start)

After installation, follow these steps:

1. **Review extension settings** — Go to **Admin Tools &gt; Settings &gt; Extension Configuration &gt; nr\_passkeys\_be** and verify the Relying Party settings (`rpId`, `rpName`, `origin`). The defaults auto-detect from your domain, which works for most single-domain setups.
2. **Open the Passkey Management module** — Navigate to **Admin Tools &gt; Passkey Management**. The Dashboard shows adoption statistics and the Help tab provides a full rollout guide with recovery procedures and FAQ.
3. **Register your own passkey** — Go to **User Settings &gt; Passkeys** and register a passkey to verify the setup works on your device.
4. **Enable enforcement for a pilot group** — On the Dashboard, set a small group (e.g., your admin team) to *Encourage*. Users will see a dismissible banner prompting them to set up a passkey.
5. **Roll out gradually** — Progress through *Encourage* → *Required* → *Enforced* as adoption grows. See the Help tab in the backend module for the complete rollout guide.

> **Full documentation:** [docs.typo3.org/p/netresearch/nr-passkeys-be](https://docs.typo3.org/p/netresearch/nr-passkeys-be/main/en-us/) · [Configuration reference](Documentation/Configuration/Index.rst)

Passkeys &amp; MFA
------------------

[](#passkeys--mfa)

Passkeys are **inherently multi-factor**: they combine *something you have* (your device) with *something you are* (biometric) or *something you know* (device PIN). They are also phishing-resistant — the credential is cryptographically bound to the origin.

**For most TYPO3 backends, passkeys alone are more secure than password + TOTP.** The FIDO Alliance and W3C consider passkeys a stronger replacement for password + OTP. Adding TYPO3's MFA on top is optional defence-in-depth, not a requirement.

Consider keeping MFA enabled alongside passkeys only if:

- Your security policy explicitly mandates independent factors (e.g., PCI-DSS)
- Your threat model includes authenticator device compromise

See the Help tab in **Admin Tools &gt; Passkey Management** for details on MFA coexistence and middleware processing order.

Configuration
-------------

[](#configuration)

Extension settings are available in **Admin Tools &gt; Settings &gt; Extension Configuration &gt; nr\_passkeys\_be**:

SettingDefaultDescription`rpId`*(auto-detect)*Relying Party domain (e.g., `example.com`)`rpName``TYPO3 Backend`Display name shown during passkey registration`origin`*(auto-detect)*Full origin URL (e.g., `https://example.com`)`challengeTtlSeconds``120`Challenge token lifetime in seconds`discoverableLoginEnabled``true`Allow username-less login via resident credentials`disablePasswordLogin``false`Block password login for users with registered passkeys`rateLimitMaxAttempts``10`Requests per IP per endpoint before rate limiting`rateLimitWindowSeconds``300`Rate limit window duration in seconds`lockoutThreshold``5`Failed login attempts (per IP) before account lockout`lockoutUserThreshold``15`Failed login attempts (per username, all IPs) before account lockout`lockoutDurationSeconds``900`Lockout duration in seconds (15 min)`userVerification``required`WebAuthn user verification requirement`allowedAlgorithms``ES256`Comma-separated signing algorithmsSee the [Configuration documentation](Documentation/Configuration/Index.rst) for detailed descriptions of each setting.

How It Works
------------

[](#how-it-works)

The extension registers a TYPO3 authentication service at priority 80 (above `SaltedPasswordService` at 50). When passkey assertion data is present in the login request, it verifies the WebAuthn assertion. When no passkey data is present, it passes through to the next auth service (standard password login) unless password login is disabled.

### API Endpoints

[](#api-endpoints)

**Login** (public):

- `POST /passkeys/login/options` -- Generate authentication challenge
- `POST /passkeys/login/verify` -- Verify passkey assertion

**Self-Service** (authenticated, AJAX routes):

- `POST /ajax/passkeys/manage/registration/options` -- Generate registration challenge \*
- `POST /ajax/passkeys/manage/registration/verify` -- Complete passkey registration \*
- `GET /ajax/passkeys/manage/list` -- List own passkeys
- `POST /ajax/passkeys/manage/rename` -- Rename a passkey label \*
- `POST /ajax/passkeys/manage/remove` -- Remove a passkey \*

**Admin** (admin-only, AJAX routes):

- `GET /ajax/passkeys/admin/list?beUserUid=N` -- List any user's passkeys
- `POST /ajax/passkeys/admin/remove` -- Revoke a user's passkey \*
- `POST /ajax/passkeys/admin/revoke-all` -- Revoke all passkeys for a user \*
- `POST /ajax/passkeys/admin/unlock` -- Unlock a locked-out user \*
- `POST /ajax/passkeys/admin/update-enforcement` -- Update group enforcement level \*
- `POST /ajax/passkeys/admin/send-reminder` -- Send passkey setup reminder \*
- `POST /ajax/passkeys/admin/clear-nudge` -- Clear active nudge for a user \*

**Enforcement** (authenticated, AJAX route):

- `GET /ajax/passkeys/enforcement/status` -- Get enforcement status for banner

\* Protected by TYPO3 **Sudo Mode** -- write operations require password re-verification (15 min grant lifetime).

Documentation
-------------

[](#documentation)

- **Online documentation:** [docs.typo3.org/p/netresearch/nr-passkeys-be](https://docs.typo3.org/p/netresearch/nr-passkeys-be/main/en-us/)
- **In the backend:** Admin Tools &gt; Passkey Management &gt; Help tab (rollout guide, recovery, FAQ)
- **Source:** [Documentation/](Documentation/) directory (RST format)

Development
-----------

[](#development)

```
composer install

# Code quality
composer ci:test:php:cgl       # Check code style (PER-CS3.0)
composer ci:cgl                # Fix code style
composer ci:test:php:phpstan   # PHPStan level 10

# Tests
composer ci:test:php:unit         # Unit tests
composer ci:test:php:functional   # Functional tests (requires MySQL)
composer ci:test:php:all          # All test suites
composer ci:mutation              # Mutation testing (MSI >= 80%)

# Or use make
make ci                           # Run lint + stan + unit + fuzz locally
make up                           # Start DDEV with all TYPO3 versions
make help                         # Show all available targets
```

Security
--------

[](#security)

If you discover a security vulnerability, please report it responsibly. See [SECURITY.md](SECURITY.md) for details.

License
-------

[](#license)

GPL-2.0-or-later. See [LICENSE](LICENSE).

---

 Developed and maintained by [Netresearch DTT GmbH](https://www.netresearch.de/)

###  Health Score

47

—

FairBetter than 93% of packages

Maintenance90

Actively maintained with recent releases

Popularity25

Limited adoption so far

Community14

Small or concentrated contributor base

Maturity49

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 95.1% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~8 days

Total

18

Last Release

9d ago

### Community

Maintainers

![](https://avatars.githubusercontent.com/u/151247?v=4)[Netresearch DTT GmbH](/maintainers/netresearch)[@netresearch](https://github.com/netresearch)

---

Top Contributors

[![CybotTM](https://avatars.githubusercontent.com/u/326348?v=4)](https://github.com/CybotTM "CybotTM (313 commits)")[![just-tobi](https://avatars.githubusercontent.com/u/5242689?v=4)](https://github.com/just-tobi "just-tobi (10 commits)")[![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)](https://github.com/dependabot[bot] "dependabot[bot] (6 commits)")

---

Tags

authenticationfido2passkeyspasswordlessphptypo3typo3-extensionwebauthnAuthenticationFIDO2webauthnbackendtypo3Passwordlesspasskeys

###  Code Quality

TestsPHPUnit

Static AnalysisPHPStan

Code StylePHP CS Fixer

Type Coverage Yes

### Embed Badge

![Health badge](/badges/netresearch-nr-passkeys-be/health.svg)

```
[![Health](https://phpackages.com/badges/netresearch-nr-passkeys-be/health.svg)](https://phpackages.com/packages/netresearch-nr-passkeys-be)
```

###  Alternatives

[friendsoftypo3/content-blocks

TYPO3 CMS Content Blocks - Content Types API | Define reusable components via YAML

103519.9k53](/packages/friendsoftypo3-content-blocks)[web-auth/webauthn-symfony-bundle

FIDO2/Webauthn Security Bundle For Symfony

66529.9k11](/packages/web-auth-webauthn-symfony-bundle)[wazum/sluggi

TYPO3 extension for URL slug management with inline editing, auto-sync, locking, access control, and redirects

40529.5k](/packages/wazum-sluggi)[ellaisys/aws-cognito

Laravel Authentication using AWS Cognito (Web and API)

123256.9k1](/packages/ellaisys-aws-cognito)[pagemachine/typo3-formlog

Form log for TYPO3

23238.6k8](/packages/pagemachine-typo3-formlog)[in2code/femanager

Modern TYPO3 Frontend User Registration.

53790.4k8](/packages/in2code-femanager)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
