2FA and Passkey Support in Craft CMS 5

2FA and Passkey support come to Craft 5 and here's how to use them both in your projects.

Image

There are two impor­tant account secu­ri­ty changes in Craft CMS 5 that will make user authen­ti­ca­tion more inline with best prac­tices for web applications.

The two new addi­tions to Craft 5 are:

  1. 2FA — two-fac­tor authen­ti­ca­tion using Duo Mobile, Google Authen­ti­ca­tor, Microsoft Authen­ti­ca­tor or a sup­port­ed pass­word man­ag­er like 1Password or Bitwarden.
  2. Passkey — A replace­ment for pass­words built on WebAu­thn. This type of pub­lic and pri­vate key authen­ti­ca­tion hap­pens at the oper­at­ing sys­tem lev­el and doesn’t require an addi­tion­al appli­ca­tion or set­up. On macOS, iOS, and iPa­dOS this means we can use Touch­ID or FaceID to log in to the con­trol panel.

Both new login options can make your user’s con­trol pan­el access more secure, and Passkey can also make it more convenient. 

Two-Fac­tor Authen­ti­ca­tion #

In Craft 5, two-fac­tor/t­wo-step/2­FA authen­ti­ca­tion is native­ly sup­port­ed for all con­trol pan­el logins. Each user will need to set up their own 2FA using one of the sup­port­ed authen­ti­ca­tor applications. 

The set­up is done in My Account > Pass­word & Verification. 

Fol­low the set­up instruc­tions via your account’s Two-Step Ver­i­fi­ca­tion area to use your pre­ferred authen­ti­ca­tor app.

After scan­ning the QR code or enter­ing the long­form code into your authen­ti­ca­tor app, you will then need to input the ver­i­fi­ca­tion code cre­at­ed by the authen­ti­ca­tion app. Once you do, you’re all set!

Impor­tant: As a site builder or admin, you can­not set­up, man­age or remove anoth­er user’s 2FA set­tings or authen­ti­ca­tor app.

How­ev­er, Craft admins can required that some or all con­trol pan­el accounts use two-fac­tor authen­ti­ca­tion. 2FA can be enforced via the User Set­tings, where you can require two-step ver­i­fi­ca­tion for some or all user groups. You can­not require 2‑step ver­i­fi­ca­tion for indi­vid­ual users (the way you can set permissions).

Once 2FA is enabled, all future con­trol pan­el logins will require both a pass­word and the code gen­er­at­ed by the authen­ti­ca­tor app. 

If 2FA is required for a user then it can­not be dis­abled by that user. The user can revoke the set­up and start over but they will not be able to pro­ceed with nor­mal con­trol pan­el account usage until anoth­er 2FA method is established.

After re-estab­lish­ing their 2FA app, they can then con­tin­ue to use the con­trol panel.

Does 2FA still require a password?

Yes. The pass­word is one of the two fac­tors of authen­ti­ca­tion (the oth­er being the authen­ti­ca­tor app code).

Can 2FA be dis­abled as an option for a site?

No. The secu­ri­ty fea­ture ships by default with Craft CMS and any user wish­ing to use it can set it up for their account.

Passkey Authen­ti­ca­tion #

If you’ve logged into the Craft 5 con­trol pan­el, you prob­a­bly noticed the addi­tion of the Passkey but­ton at the bot­tom of the login form.

Craft 5 also intro­duces Passkeys sup­port for con­trol pan­el users. Passkeys are a mod­ern authen­ti­ca­tion method designed to replace tra­di­tion­al pass­words. Uti­liz­ing the Web Authen­ti­ca­tion API (WebAu­thn), passkeys offer a more secure and user-friend­ly way to access online services.

To set up a Passkey for the Craft con­trol pan­el, log in to your account and go to My Account -> Passkeys. The first step is to add a passkey that we can use when log­ging in.

Click Cre­ate passkey and then you’ll be prompt­ed for your pass­word. If you already have 2FA set­up, you’ll be prompt­ed for the cur­rent 2FA code, too.

After you cre­ate and save your passkey, it will be list­ed in the Passkeys box in your user account. You can cre­ate mul­ti­ple passkeys (per device or brows­er) and revoke them at any time.

In the first exam­ple above, I’m using 1Password pass­word man­ag­er to man­age my passkeys, so it pops up as part of the brows­er exten­sion inte­gra­tion. On oth­er browsers, you might get dif­fer­ent behavior.

For exam­ple, if I want­ed native Touch­ID sup­port on my Mac­Book Pro, I can access the site in Safari and set up a new passkey for the Safari browser.

Instead of using the 1Password app as the passkey provider, I let native macOS take over and allow me to cre­ate a passkey using Touch­ID as my iden­ti­fi­ca­tion. After that, the process is the same except that when I log in, I use Touch­ID to authen­ti­cate and then prompt­ly logged in to Craft and for­ward­ed to the con­trol pan­el dashboard.

Can I Use 2FA or Passkey sup­port for front-end forms?

Tech­ni­cal­ly, yes. How­ev­er, you will need to include or recre­ate the JavaScript code that Craft CMS is using in the con­trol pan­el login form. There is not yet tech­ni­cal doc­u­men­ta­tion or exam­ples on how to do this.