[wp-trac] [WordPress Trac] #64735: Add optional Passkey (WebAuthn/FIDO2) login support to WordPress
WordPress Trac
noreply at wordpress.org
Thu Feb 26 10:06:12 UTC 2026
#64735: Add optional Passkey (WebAuthn/FIDO2) login support to WordPress
-------------------------+-----------------------------
Reporter: haozi | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Keywords:
Focuses: |
-------------------------+-----------------------------
WordPress core authentication is still password-first. I’m requesting optional Passkey (WebAuthn/FIDO2) support in core so site owners can offer phishing-resistant login without relying on a plugin for the security-critical wp-login.php path.
Many users now have passkeys available via platform authenticators
(Windows Hello / Touch ID / Android) and hardware security keys. Today,
enabling passkeys in WordPress typically requires installing and trusting
a third-party plugin that handles enrollment, verification, and login
flow. A minimal core implementation (or at least a core WebAuthn service +
hooks) would improve baseline security and provide a stable integration
point for plugins.
Passkeys are increasingly the default login UX across platforms
(Apple/Google/Microsoft ecosystems) and provide strong protection against
credential phishing, password reuse, and many account-takeover vectors.
For WordPress—powering a large portion of the web—first-class support
would materially improve baseline security and user experience.
Proposed scope (MVP):
1. Passkey registration in user profile
   * Add a “Passkeys” (or “Security keys / Passkeys”) section to /wp-admin/profile.php (and optionally user-edit.php)
   * Allow users to register one or more credentials
   * Allow basic management: list, rename/label, remove
   * Persist the minimum metadata needed for verification:
     * credential ID
     * public key
     * signature counter (sign count)
     * transports (optional)
     * created time / last used time (optional)
2. Passkey login on wp-login.php
   * Add a secondary “Sign in with passkey” option on wp-login.php
   * Perform WebAuthn assertion and establish the normal WP auth session on success
   * Keep password login unchanged as fallback (at least initially)
3. Extensibility hooks
   * Provide actions/filters so plugins can:
     * enforce passkey-only for certain roles/users
     * require passkey as step-up for sensitive actions (profile/email/password changes, etc.)
     * integrate with existing 2FA/security policy plugins without re-implementing WebAuthn verification
Notes / constraints:
* RP ID/origin handling must be correct (including multisite and subdirectory installs).
* Avoid user enumeration (login responses should not reveal whether a username has passkeys).
* Site migration where the RP ID changes will likely require re-enrollment; that’s acceptable but should be documented.
* Rate limiting should be considered similar to existing login protections (or via hooks).
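As an added illustration (not code from the ticket or from WordPress core), these are the server-side checks the wp-login.php assertion step and the constraints above require: challenge, origin and RP ID hash are validated, the signature counter is compared with the stored value, and the signature is verified with the stored public key. Function and parameter names are assumptions; $expectedChallenge is the base64url form of the challenge the server issued, which the caller looks up from the login session.

```php
<?php
// Added example, not WordPress core code. Implements the assertion checks of
// WebAuthn Level 2 §7.2 for a stored credential ['public_key' => PEM, 'sign_count' => int].
// $rpId and $origin are assumed to be derived by the caller from the site URL
// (multisite / subdirectory aware); $response holds the base64url fields returned
// by navigator.credentials.get().

function wp_passkey_verify_assertion(array $stored, string $expectedChallenge,
        string $rpId, string $origin, array $response): array {
    $clientDataJSON = base64url_decode($response['clientDataJSON']);
    $authData       = base64url_decode($response['authenticatorData']);
    $signature      = base64url_decode($response['signature']);

    // Every failure path returns the same [false, 0] so the login endpoint can
    // answer identically whether or not the username has passkeys (no enumeration).
    $client = json_decode($clientDataJSON, true);
    if (!is_array($client)
        || ($client['type'] ?? '') !== 'webauthn.get'
        || !hash_equals($expectedChallenge, (string) ($client['challenge'] ?? ''))
        || ($client['origin'] ?? '') !== $origin) {
        return [false, 0];
    }
    // authenticatorData layout: rpIdHash(32) | flags(1) | signCount(4, big-endian) | ...
    if (strlen($authData) < 37
        || !hash_equals(hash('sha256', $rpId, true), substr($authData, 0, 32))) {
        return [false, 0];
    }
    $flags = ord($authData[32]);
    if (($flags & 0x01) === 0) {          // User Present bit must be set
        return [false, 0];
    }
    $signCount = unpack('N', substr($authData, 33, 4))[1];
    // A counter that fails to advance indicates a possible cloned authenticator;
    // a value of 0 means the authenticator does not support counters.
    if ($signCount !== 0 && $signCount <= $stored['sign_count']) {
        return [false, 0];
    }
    // The authenticator signed authenticatorData || SHA-256(clientDataJSON).
    $signed = $authData . hash('sha256', $clientDataJSON, true);
    $key = openssl_pkey_get_public($stored['public_key']);
    if ($key === false || openssl_verify($signed, $signature, $key, OPENSSL_ALGO_SHA256) !== 1) {
        return [false, 0];
    }
    return [true, $signCount]; // caller persists the new sign_count and last-used time
}

function base64url_decode(string $s): string {
    return base64_decode(strtr($s, '-_', '+/')) ?: '';
}
```

On success the caller establishes the normal WP auth session; on failure the response body and timing should not differ from the "no credential registered" case.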
Reference:
* WebAuthn Level 2 spec: https://www.w3.org/TR/webauthn-2/
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64735>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform