Security Weekly

How to Use PassKeys for WordPress Authentication


Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 27

In the previous two episodes, I covered the importance of password managers and why two-factor authentication is equally important. What if a password were not needed at all, and your fingerprint (or whatever unlocks your device) could serve as the primary authentication method?

This is possible with PassKeys, which are essentially authentication by public/private key pair verification, standardised as WebAuthn and built into modern browsers and operating systems. The public and private keys are a cryptographically generated pair: the private key never leaves your device, and you prove that you hold it by signing a fresh challenge from the site. Anyone with the matching public key can check that signature, but nobody without the private key can produce it.

If you have used SSH keys while developing your website, you already have a good understanding of how asymmetric (public key) cryptography works. If you want to dive deeper into how PassKeys work, here’s a good article for that.

Using PassKeys for WordPress authentication

With PassKeys, you can eliminate username/password authentication entirely and have a “passwordless” login. However, WordPress core does not support PassKeys out of the box, so you will need to choose a plugin that adds this functionality for you.

Keep in mind, though, that setting up WordPress to authenticate only with PassKeys means you can only log in from a device that holds a registered private key. If you work on your WordPress site from several devices, register a separate PassKey on each of them. Some password managers remove that limitation by storing your passkeys and synchronising them across your devices. Either way, register at least two credentials (or keep a recovery path such as backup codes, if your plugin provides them) before you remove the password, so that losing one device does not lock you out of your own site.

You can also choose to keep username/password authentication and use PassKeys as an additional factor. Some websites, such as Cloudflare, offer PassKeys only as a two-factor authentication (2FA) option, and even in that role they are a safer choice than SMS-based 2FA and similar methods: the signature covers a one-time challenge and the origin the browser is actually on, so a phishing page cannot capture and replay it the way it can relay a one-time code. 1Password, one of the password managers we recommended in the previous article, keeps a directory of websites that already support PassKeys.

Since you will need a plugin to bring PassKeys to WordPress, start with Solid Security, one of the longest-standing advocates for PassKeys in the WordPress ecosystem, and compare what they offer with the other plugins that support this feature.

Conclusion

PassKeys aim to offer a more secure and more convenient alternative to traditional passwords. Because authentication rests on public/private key cryptography, there is no shared secret for an attacker to steal from the site’s database or to trick you into typing, and the credential only works on the origin it was registered for, which removes the main lever of phishing attacks. For WordPress users, implementing PassKeys can strengthen the security of the site while simplifying the login process.

Although WordPress does not support PassKeys out of the box, a few plugins are available to bring this functionality to your site. Whether you go entirely passwordless or use PassKeys as a 2FA factor, it’s well worth considering.


Brought to you by:

Patchstack auto-mitigates security vulnerabilities found on WordPress core, plugins and themes. Patchstack is the leading vulnerability intelligence provider in the entire WordPress ecosystem and has the largest collection of vulnerability specific vPatch rules that provide precision protection without any performance hit nor false positives. Patchstack is the go-to security provider for many of the leading agencies such as 10up, Valet, SiteCare and others.
