Using passkeys in WordPress
Published: â Leave a comment
You absolutely should securing your WordPress login with a multi-factor authentication to make it harder for attackers to hijack your site. And passkeys are even more convenient.
Enhancing your login with a multi-factor authentication prevents attackers from login even if they have your username/email address and password, since they need another factor to successfully login. This can be a time-based one-time password, a security key, backup verification codes or a code sent to your email address. To get this into WordPress, there is a small but great plugin called Two-Factor, which has been started as so-called âfeatured pluginâ, whose intention is usually to get merged into WordPress core in the future.
As long as this doesnât happen, I highly recommend installing and setting up this plugin to enable a second factor to the WordPress login. It contains the above mentioned methods for a second factor.
To also use passkeys, there is another plugin that extends Two-Factor with WebAuthn, the standard for using passkeys. This plugin is called WebAuthn Provider for Two Factor and can be found for free in the WordPress plugin repository.
After installing, go to your edit profile page in the backend and find the entry âWebAuthnâ in the âTwo-Factor Optionsâ. To use it, you need a âdeviceâ to authenticate, which could be one of this:
- YubiKey
- Secure enclaves such as Touch ID/Face ID or Windows Hello
- Password manager (not every password manager supports passkeys yet, among the most popular ones, these do for example: 1Password, Bitwarden, Dashlane, Keeper, Keypassium, Strongbox)
- Browser (e.g. Google Chrome can do it)
Click on âRegister New Keyâ and follow the instructions. Afterwards, you can set WebAuthn as primary method for your second factor to always be asked for your passkey first (you can always switch to a different method if enabled).
Depending on your workflow, using passkeys is usually easier than using time-based one-time passwords since you donât need to type or copy and paste them. Here an example with a passkey stored in Strongbox:
As an additional plus, you can use passkeys for various other services. A comprehensive list can be found at Passkeys.directory.
Quick note for multisite users with multiple domains: Since passkeys are limited to a single domain, you need to register a security key (WebAuthn) for each domain.