The Passkey Extension for Magento 2 enables administrators to log in using a Passkey

What is a Passkey?

A passkey is a modern authentication method that replaces traditional passwords. It combines a user’s device and biometrics (like fingerprint or facial recognition) to securely log in without needing to remember or type a password. Passkeys are based on public-key cryptography, making them resistant to phishing and password breaches.

For a deeper understanding of how passkeys work and why they’re secure, please take a look at this detailed explanation.

Why Passkeys Are Secure

No Passwords to Steal

Passkeys don’t store or transmit passwords. Instead, they use a unique pair of keys:

  • Private Key: Stored securely on your device and never shared.
  • Public Key: Stored on the service’s servers and used to verify your identity.

Hackers cannot steal the private key because it never leaves your device.

Phishing Resistance

Traditional passwords can be stolen through phishing attacks. Passkeys are resistant because authentication happens directly between your device and the service. No sensitive data is entered into potentially malicious websites.

Biometric Protection

Passkeys often use biometric authentication (fingerprint, face recognition) or device-based PINs. These are harder to replicate and never transmitted, making unauthorized access difficult.

Tied to Physical Devices

A passkey is bound to a specific device, meaning even if someone knows your credentials, they cannot log in without your device.

Resistant to Data Breaches

Since only the public key is stored on the server, even if the server is breached, the stolen data is useless without the corresponding private key.
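
The checks behind the properties above, as an added Node.js example (not code from the extension or from CustomGento): a simplified WebAuthn-style login in which the server holds only the public key and rejects a look-alike origin, a rewritten response, a forged key and a replayed response. The names RP_ID, ORIGIN, shop.example and shop-example.test are assumptions made for the illustration.

```javascript
// Added example: simplified WebAuthn-style assertion check, not the extension's code.
const { generateKeyPairSync, createHash, randomBytes, sign, verify } = require('node:crypto');
const RP_ID = 'shop.example';          // assumed relying-party ID
const ORIGIN = 'https://shop.example'; // assumed admin origin
const sha256 = (data) => createHash('sha256').update(data).digest();

// Registration: the key pair is created on the device; the server stores only the public key.
function register() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, server: { publicKey } };
}

// Device side: the browser, not the page, writes the origin it is actually on.
function authenticate(device, challenge, browserOrigin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: browserOrigin,
  }));
  // authenticator data = SHA-256(rpId) | flags (0x05: user present + verified) | 4-byte counter
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: sign('sha256', signed, device.privateKey) };
}

// Server side: needs only the stored public key and the challenge it issued.
function verifyAssertion(server, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'bad-challenge';
  if (client.origin !== ORIGIN) return 'bad-origin';
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return 'bad-rp-id';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return verify('sha256', signed, server.publicKey, a.signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const { device, server } = register();
  const challenge = randomBytes(32);
  const genuine = authenticate(device, challenge, ORIGIN, RP_ID);
  // A look-alike site relays the real challenge, but the browser reports the look-alike origin.
  const phished = authenticate(device, challenge, 'https://shop-example.test', RP_ID);
  // Rewriting the origin afterwards changes clientDataJSON, so the signature no longer matches.
  const fixedUp = phished.clientDataJSON.toString().replace('https://shop-example.test', ORIGIN);
  const rewritten = { ...phished, clientDataJSON: Buffer.from(fixedUp) };
  // Someone holding a copy of the server database has no private key and must sign with another.
  const forged = authenticate(register().device, challenge, ORIGIN, RP_ID);
  const check = (assertion, expected = challenge) => verifyAssertion(server, expected, assertion);
  return { genuine: check(genuine), phished: check(phished), rewritten: check(rewritten),
    forged: check(forged), replayed: check(genuine, randomBytes(32)) };
}
console.log(demo());
```

The signature covers the authenticator data and the hash of clientDataJSON, which is why the origin and challenge cannot be changed after the device has signed.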

Passkey extension for Magento 2

The Passkey Extension for Magento 2 enables administrators to log in using a passkey. It enhances the user experience by simplifying the login process while maintaining high-security standards. This is ideal for shop administrators who wish to log in without a password while still ensuring security.

Key Features:

  1. Easy Login: With a passkey, you can log in without entering your username and password.
  2. Secure: Passkey is a secure way to log in. It is resistant to phishing attacks and data breaches.
  3. Easy to Use: The Passkey module is easy to use and can be used by anyone.
  4. Customizable: It is possible to allow only specific admin users to use the Passkey.
  5. Multi-Device Support: Log in with different devices, such as a mobile phone, tablet, or YubiKey.

Requirements

  • ext-curl *
  • magento/framework ^103.0
  • magento/module-authorization ^100.4
  • magento/module-backend ^102.0
  • magento/module-store ^101.1
  • magento/module-two-factor-auth ^1.1
  • magento/module-user ^101.2
  • psr/log ^1.1||^2||^3
  • PHP ~8.1.0||~8.2.0||~8.3.0

Compatibility

  • Magento Open Source / Adobe Commerce >= 2.4

Installation Instructions

You can install the extension via Composer or by copying the code into your Magento installation.

Composer Installation

  1. composer require customgento/module-passkey
  2. bin/magento module:enable CustomGento_Passkey
  3. bin/magento setup:upgrade
  4. bin/magento setup:di:compile
  5. bin/magento cache:flush

Manual Installation

  1. unzip the downloaded files
  2. create the directory app/code/CustomGento/Passkey/: mkdir -p app/code/CustomGento/Passkey/
  3. copy the unzipped files to the newly created directory app/code/CustomGento/Passkey/
  4. bin/magento module:enable CustomGento_Passkey
  5. bin/magento setup:upgrade
  6. bin/magento setup:di:compile
  7. bin/magento cache:flush

Configuration

You can enable the Passkey feature in the Magento backend under Stores > Configuration > Security > 2FA > General. Note that Passkey cannot be the only 2FA method enabled: you need to enable at least one other 2FA method. If you select Passkey as the only 2FA method, you will get an error message.

Settings configuration

Usage

After enabling Passkey, you need to register a device to use it, such as a mobile phone, tablet, or YubiKey. To register a new device (after enabling Passkey 2FA), first log out, then log in again using your username and password.

Passkey device registration Email

Next, you will be prompted to check your email and click the link provided. Once you click the link, you’ll be guided to register your Passkey device. Simply select the device you want to register and follow the on-screen instructions. For example, to register a YubiKey, you need to insert the YubiKey into the USB port and touch it.

Passkey device registration

After registering your device you will be redirected to the Admin Panel.

Logging in with Passkey

After registering your Passkey device, you can log in with Passkey. To do so, click the Passkey button in the login form. You no longer need to enter your username and password.

Log in by passkey

Resetting the Passkey

Imagine you lost your Passkey device and need to register a new one. There are two ways to reset the Passkey.

Reset the Passkey in the Admin Panel

  1. On the Admin sidebar, go to System > Permissions > All Users.
  2. Select the user and open the account in edit mode.
  3. Scroll down to the Current User Identity Verification section and enter your password.
  4. In the left panel, click 2FA.
  5. In the Configuration reset section, click Reset passkey and OK to confirm.

Reset Passkey

Reset the Passkey via CLI

To reset the passkey via CLI, you need access to the command line of the server where your Magento installation is located. If you don’t have access to it, please ask your developer or your agency for help. There, you can reset the Passkey for a specific user by running the following command:

bin/magento security:tfa:reset admin customgento_passkey

Where admin is the username of the user you want to reset the Passkey for.

Troubleshooting - I installed the extension, but it does not work

  1. Do you use the latest version of the extension?
  2. Do you use Magento >= 2.4?
  3. Do you have at least one other 2FA method enabled?
  4. Do you have the required PHP version installed?

Uninstallation

The uninstallation procedure depends on your setup:

Uninstallation After Composer Installation

  1. bin/magento module:uninstall CustomGento_Passkey
  2. bin/magento setup:di:compile
  3. bin/magento cache:flush

Uninstallation After Manual Installation

  1. bin/magento module:disable CustomGento_Passkey
  2. bin/magento setup:di:compile
  3. bin/magento cache:flush
  4. rm -r app/code/CustomGento/Passkey

Support

If you have any issues with this extension, feel free to contact us!

Licence

CustomGento Commercial Software Licence

© 2024 - present CustomGento GmbH