Using Passkeys/WebAuthn To Secure Your WordPress Login

ShieldPRO is bringing the all-powerful Passkey/WebAuthn 2-Factor Authentication to your WordPress login.

Passkeys pave the way to Passwordless logins for WordPress. Passkeys are slick to use, fast, and super secure replacements for our username+password logins.

In this article we’ll outline what Passkeys are, why they’re so important, discuss what WebAuthn is and how it relates, and what all this means for locking down your WordPress login security.

What Are Passkeys?

Simply put, Passkeys are “digital credentials” that provide secure authentication for websites and apps.

An authenticator is a device, either hardware or software, that provides these credentials.

These credentials use asymmetric cryptography – public and private key pairs. The authenticator will issue “public keys” for use by websites and apps, and when an app “challenges” you to verify your identity, the authenticator will answer the challenge using its secret, private key.

In this way you can securely verify your identity (authenticate) without needing a username or password.

So the term “Passkey” encompasses this entire concept – the issuing, and verification, of secure credentials between a client (you) and a server (an application or website).

You may have heard of Yubikeys, or Google Titan keys that plug into your USB, but they are just 1 type of authenticator used to facilitate passkeys. With the latest FIDO2 standard, Windows Hello, Apple’s Face ID / Touch ID, and compatible fingerprint scanners, can be used for passkeys.

When you can use your fingerprint or your face to log into a site, then it’s easy to see that 2-Factor Authentication and even Passwordless logins have never been easier.

If you don’t have a hardware-based authenticator, passkey services are now available from apps like 1Password, BitWarden, Apple, Microsoft and Google. It’s easier now than ever to ditch your passwords!

What’s the difference – Passkeys, WebAuthn, and FIDO2?

These terms are often used interchangeably and while they’re not synonyms, for most practical purposes they can be used interchangeably unless you’re having a technical discussion.

We’ve already discussed Passkeys & Authenticators already – they create your digital credentials.

When you use a Passkey to register, and then to authenticate yourself, your passkey, web browser and server must all communicate using a standard mechanism – a protocol. The Web Authentication API (or WebAuthn) is the Javascript API included with all major browsers that facilitates this communication.

They implement the FIDO2 standards for communications between the authenticator devices (passkeys), the browser, the operating system, and the server, to deliver this secure authentication.

If you want to understand a bit more, a perfect summary article here outlines the progression of these standards to U2F and then to the next generation, FIDO2. Yubico also has a nice workshop around passkeys to flesh out some of key concepts, too.

Why Are Passkeys So Important?

Half the challenge of deploying 2FA is making it easy-to-use. When users encounter friction, whether it’s annoying CAPTCHAs at the login, waiting for 2FA emails to arrive, or losing their Google Authenticator codes, they’ll abandon it.

Implementing two-factor authentication is making WordPress login seamless, as well as secure.

Passkeys add barely a few seconds and are so easy to use, they may replace passwords altogether.

Speaking of passwords – when using Passkeys, your accounts are protected against brute force login attacks, phishing, and data breaches. If you don’t rely on a password, then no-one can steal it from you and use it.

How Can Passkeys Be Used With WordPress?

The most obvious way to make use of Passkeys within WordPress is to protect WordPress User logins.

There are 2 primary approaches to using Passkeys with WordPress:

1. Two-Factor authentication – the passkey acts as a 2nd factor during login.
2. Passwordless Login -the user doesn’t need to use their password to login, only the authenticator device is required.

Taking the 2FA approach, this much like providing 2FA codes generated by Google Authenticator.

If a user registers a passkey on their WordPress user account, then you can further authenticate the user by prompting them to verify their passkey.

In the Passwordless login approach, you need only supply your WP username and then verify your identity using your authenticator device. In some implementations, you can even exclude the username altogether.

How To Use WebAuthn with Shield Security for WordPress

When you’re running ShieldPRO Plus Edition, you have full access to Shield’s WebAuthn feature.

You’ll be able to:

• Add unlimited FIDO2-compatibile authenticators to your WordPress user profile.
• Add Passkey services (such as 1Password) to your profile.
• Track when they were registered and when they were last used.
• Remove any authenticators from your profile at any time.
• Use any of your authenticators as your 2FA verification.

Currently, you can’t use Shield’s Passkey implementation for Passwordless WordPress login. This may change with future development, however.

To see how simple it is to use Passkeys, checkout this quick demo.

Where Can You Get Passkeys To Use With Shield?

We recommend having portable, hardware authenticators such as Yubikeys. They have a wide range of keys available, some of which are tiny and fit nicely into small devices like laptops. Others can be larger to fit on your keyrings, and some even support NFC so you can authenticate via your Smart Phone.

Google Titan keys offer similar devices.

Google, Apple and Microsoft offer software-based passkeys, as do password managers such as 1Password and Bitwarden.

There are many options out there, and if you’re using Windows 10 or 11, you can even use the built-in Windows Hello – but that does restrict the passkey to the actual device.

It’s worth noting that you can register as many passkeys as you desire on your WordPress user account, so you can use the most convenient passkey available to you at any given time/location.

When Can You Start Using WebAuthn With WordPress?

Passkeys will be available from ShieldPRO 18.5 onwards. This is due for release in early-mid November 2023.

As with all our Shield Security features, we will improve and adjust our WebAuthn implementation over time, and look to potentially add Passwordless Logins.

If you have any questions or feedback for us about this feature, please leave us a comment below and we’ll get right back to you.