Page MenuHomePhabricator
Create Task
Maniphest T321708

MediaWiki should support passwordless login with passkeys
Open, Needs TriagePublicFeature
Actions

Assigned To
None
Authored By
Saklad5
Oct 26 2022, 3:49 PM
Tags
Referenced Files
None
Subscribers
Agusbou2015
Aklapper
alistair3149
ARamadan-WMF
Base
Diskdance
Dmantena
View All 34 Subscribers

Description

Feature summary (what you would like to be able to do and where):

Passkeys (also known as multi-device FIDO credentials) should be offered as a first resort instead of passwords (and accompanying multi-factor authentication schemes), and accounts with passwords should be capable of transitioning to use passkeys exclusively.

Passkeys are currently supported as a multi-factor authentication method through Extension:WebAuthn.

Use case(s) (list the steps that you performed to discover that problem, and describe the actual underlying problem which you want to solve. Do not describe only a solution):

Any authentication flow that includes a password should instead favor passkeys as a first resort: if an account has both, it should ask for a passkey by default. New accounts should be encouraged to avoid creating passwords in the first place in favor of passkeys.

Multi-factor authentication systems, if present, should only be used alongside passwords: passkeys are phishing-resistant due their design, so TOTP codes and similar systems are redundant.

Benefits (why should this be implemented?):

Passwords are notoriously insecure, and systems like TOTP are still vulnerable to phishing attacks while adding considerable complexity to login flows. Major websites like Wikipedia have yet to implement multi-factor at large, still relying on passwords as the first and last line of defense. I feel it would be valuable for MediaWiki to set a good example for the Internet ecosystem as a whole by adopting passkeys as soon as possible.

Passkeys don't rely on a shared secret of any kind, which massively improves the security of servers: they are much easier to implement than other authentication schemes as a result.

Numerous projects use MediaWiki, and all of them would gain considerable security benefits and a better user experience from adopting passkeys. All major OS and browser vendors have committed to their support, and they are already implemented in macOS and iOS. By the time MediaWiki finishes implementing it, it is likely to be supported on the other major platforms as well.

Implementation:
I (TheDJ) was trying to find how the UX flow should work for a login screen when you have:

  1. Users with passwords
  2. Users with passkey known to the system (say Apple's touchID+keychain)
  3. Users with hardware passkey (say a Yubico key)
  4. Users with 2FA

And I found this explainer, which I think is pretty helpful if anyone ever wanted to work on this.
https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Conditional-UI

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add passwordless login with passkeysmediawiki/extensions/OATHAuthmaster+251 -8
WebAuthnAuthenticator: Allow multiple challenges in parallelmediawiki/extensions/OATHAuthmaster+106 -62
Add a database table to track WebAuthn userHandle valuesmediawiki/extensions/OATHAuthmaster+492 -41
[Proof of concept] Passwordless loginmediawiki/extensions/WebAuthnmaster+272 -45
Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
alistair3149 added a comment.Dec 12 2022, 9:11 PM
In T321708#8355310, @Saklad5 wrote:

OK, I've tested WebAuthn 2FA with Wikipedia, and found an unusual issue: I can successfully create and use a passkey on macOS 13.0 and Safari 16.1. However, when attempting to use it to login on iOS 16.1 and Safari 16.1, Wikipedia's login flow doesn't seem to prompt for a passkey at all.

Instead, it simply says "Please touch your verification device or follow the instructions from the browser". It has a single button, "Continue login", which causes the verification process to fail when pressed. My iPhone definitely has the WebAuthn/passkey credential I registered on my Mac: it just isn't getting asked for it like the latter is.

Is it possible that there is some sort of mobile-specific bug with the WebAuthn implementation?

The mobile bug seems to be T286138.

Just to confirm, Passkey as 2FA works fine on desktop right?

Saklad5 added a comment.EditedDec 12 2022, 9:27 PM
In T321708#8461868, @alistair3149 wrote:

Just to confirm, Passkey as 2FA works fine on desktop right?

It did in October, yes.

I switched my account to TOTP upon encountering the issue. Let me know if you want me to switch it back temporarily to see if it still works.

As far as I know, all versions of Safari share the same functional implementation. My best guess is that MediaWiki is violating the specification somewhere, and it only works on macOS due to undefined behavior.

alistair3149 added a comment.Dec 15 2022, 7:44 AM
In T321708#8461912, @Saklad5 wrote:
In T321708#8461868, @alistair3149 wrote:

Just to confirm, Passkey as 2FA works fine on desktop right?

It did in October, yes.

I switched my account to TOTP upon encountering the issue. Let me know if you want me to switch it back temporarily to see if it still works.

As far as I know, all versions of Safari share the same functional implementation. My best guess is that MediaWiki is violating the specification somewhere, and it only works on macOS due to undefined behavior.

The mobile bug should be fixed with T286138, and it'll be deployed on WMF wiki early next year.

Tgr subscribed.Dec 21 2022, 10:49 PM
Epopen subscribed.Feb 8 2023, 2:58 AM
saper subscribed.Feb 12 2023, 2:34 PM
TheDJ updated the task description. (Show Details)Feb 17 2023, 1:10 PM
Agusbou2015 subscribed.Mar 25 2023, 7:01 PM
alistair3149 renamed this task from MediaWiki should support passkeys to MediaWiki should support passwordless login with passkeys.Jun 13 2023, 2:53 AM
alistair3149 updated the task description. (Show Details)
Jdlrobson moved this task from Backlog to Workflow on the MediaWiki-User-login-and-signup board.Jul 13 2023, 4:03 PM
Lemonaka subscribed.Sep 6 2023, 10:26 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptSep 6 2023, 10:26 PM
larissagaulia moved this task from Inbox, needs triage to Not planned (Patches welcome!) on the MediaWiki-Platform-Team board.Sep 18 2023, 1:25 PM
Tgr added a comment.Sep 28 2023, 10:48 AM

Passkeys are origin-bound so this is blocked on T244088: Logging in at another wiki than WebAuth was set up fails.

Passkeys as a second factor are a clear security improvement over TOTP (which is not origin-bound, so phishable) and a usability improvement over U2F as you don't need an extra piece of hardware. Passwords as primary authentication, not so sure. Easy to get yourself locked out when you lose your phone (for 2FA we'd do a human review and remove the second factor; for lost primary credentials, what would we do?), passkeys are device-bound so you'd need some sort of cross-device attestation process, and you essentially transfer security to the device managing the passkey (phones with fingerprint sensors are probably OK; but e.g. Windows Hello uses a 6-digit PIN which is hardly safer than a password).

Stang subscribed.Sep 28 2023, 4:21 PM
Seddon merged a task: T348766: Feature request for Passkey Support in Login System.Oct 17 2023, 4:56 PM
Seddon added subscribers: ARamadan-WMF, Dmantena.
Nikerabbit subscribed.Oct 18 2023, 4:27 PM
Reedy moved this task from Backlog to User Experience on the MediaWiki-extensions-OATHAuth board.Nov 30 2023, 5:56 PM
Reedy moved this task from User Experience to New 2FA Methods on the MediaWiki-extensions-OATHAuth board.
Diskdance subscribed.Jun 18 2024, 2:42 AM
revi subscribed.Oct 31 2024, 4:31 PM
JTweed-WMF edited projects, added MediaWiki-Platform-Team (Roadmap); removed MediaWiki-Platform-Team.Jan 22 2025, 3:46 PM
JTweed-WMF moved this task from Now => Move to Inbox to Parking Lot on the MediaWiki-Platform-Team (Roadmap) board.
Sjoerddebruin awarded a token.Mar 2 2025, 11:10 AM
Sjoerddebruin subscribed.
TheDJ added a parent task: T187256: Add another way of two factor auth to Phabricator other than TOTP (SMS, email, etc).Mar 18 2025, 3:22 PM
TheDJ removed a parent task: T187256: Add another way of two factor auth to Phabricator other than TOTP (SMS, email, etc).
Nemoralis subscribed.Apr 7 2025, 6:19 AM
TheresNoTime subscribed.Apr 7 2025, 3:00 PM
zoe subscribed.Apr 7 2025, 4:49 PM
Diskdance added a comment.Apr 8 2025, 9:56 AM

Is the major blocker of this feature solved by the deployment of T348388: SUL3: Use a dedicated domain for login and account creation? If so, can we push this forward?

Diskdance added a subtask: T358771: Unable to login on iPhone with Passkey Enabled.Apr 8 2025, 9:57 AM
Tgr removed a subtask: T358771: Unable to login on iPhone with Passkey Enabled.Apr 8 2025, 10:27 AM
Tgr added a comment.Apr 10 2025, 2:46 PM
In T321708#10720733, @Diskdance wrote:

Is the major blocker of this feature solved by the deployment of T348388: SUL3: Use a dedicated domain for login and account creation?

Yes, although there are plenty of minor blockers due to the WebAuthn just not working very well in general.

If so, can we push this forward?

Someone needs to decide first whether we want to push forward at all. Arguably the technology is not that mature yet (see e.g. https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/ or this recent vulnerability) and used on few other large websites.

Tgr added a comment.Jun 14 2025, 10:06 AM

Chrome and Safari now support automatic creation of passwordless login after a successful password login:

Johannnes89 subscribed.Jun 14 2025, 10:22 AM
kostajh subscribed.Jul 1 2025, 7:16 PM
Steenth subscribed.Jul 6 2025, 12:39 PM
Catrope mentioned this in T399665: Restrict WebAuthn to hardware security keys only.Jul 16 2025, 4:51 PM
TheGreatGreenStar subscribed.Jul 18 2025, 1:51 AM
TheGreatGreenStar added a comment.Jul 18 2025, 2:07 AM

Regarding recovery, perhaps to go fully passwordless users could be required to either have at least 2 passkeys OR one synced passkey (if we can detect this). If a user only has 1 local-bound passkey it should still bypass password but login via password + 2fa could still be possible to prevent lockout.
Alternatively passwordless with only 1 passkey regardless of type could be allowed BUT users then would be required to verify saving recovery codes by using one upon creation of their first passkey to ensure a recovery method.

TheGreatGreenStar added a subtask: T399917: Passkey Endpoints Well-Known URL.Jul 18 2025, 2:21 AM
TheGreatGreenStar added a comment.Jul 18 2025, 11:50 AM

Regarding the line

Someone needs to decide first whether we want to push forward at all. Arguably the technology is not that mature yet (see e.g. https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/ or this recent vulnerability) and used on few other large websites.

That number has increased as according to findings from the FIDO Alliance, 48% of the world’s top 100 websites
have already integrated passkey support. (https://fidoalliance.org/wp-content/uploads/2025/04/World-Password-Day-2025-Final.pdf)
We can also see that many companies are actively working to increase passkey adoption and usage including amazon, Microsoft and google: https://fidoalliance.org/passkeypledge/#See-Who-Has-Signed-the-Pledge

Additionally, Microsoft has made accounts passwordless by default: https://www.microsoft.com/en-us/security/blog/2025/05/01/pushing-passkeys-forward-microsofts-latest-updates-for-simpler-safer-sign-ins/
Due to this extreme overall push, there is a very strong argument to be made for passwordless support via passkeys.

ZhaoFJx subscribed.Jul 29 2025, 2:34 PM
ReaperDawn subscribed.Aug 12 2025, 12:08 PM
Catrope added a project: FY2025-26 WE 4.6 - Account Security (WE 4.6.4 - 2FA improvements and passkey support).Oct 28 2025, 9:56 PM
Catrope moved this task from Inbox to Passkey Support on the FY2025-26 WE 4.6 - Account Security (WE 4.6.4 - 2FA improvements and passkey support) board.
JeffreyWang subscribed.Oct 29 2025, 4:10 PM

At the MediaWiki Users and Developers Conference in Fall 2025, I introduced a prototype extension for passkey support (https://www.mediawiki.org/wiki/Extension:PasskeyAuth). Hopefully, this will provide a framework for future passkey authentication in MediaWiki. We will also see if this can soon be productionized as an extension that is based on PluggableAuth.

I am fully aware that this prototype is likely not appropriate for the needs of the WMF, but I at least hope this can serve as a demonstration of the possibilities with regard to this subject matter.

Gumgl awarded a token.Nov 17 2025, 5:55 PM
RhinosF1 subscribed.Dec 12 2025, 7:29 AM
OWresch-WMF moved this task from Roadmap to Not planned / Patches welcome on the MediaWiki-Platform-Team board.Jan 20 2026, 11:18 AM
OWresch-WMF edited projects, added MediaWiki-Platform-Team; removed MediaWiki-Platform-Team (Roadmap).
gerritbot added a comment.Jan 27 2026, 12:45 AM

Change #1233318 had a related patch set uploaded (by Catrope; author: Catrope):

[mediawiki/extensions/OATHAuth@master] [Proof of concept] Passwordless login

https://gerrit.wikimedia.org/r/1233318

gerritbot added a project: Patch-For-Review.Jan 27 2026, 12:45 AM

Change #1233319 had a related patch set uploaded (by Catrope; author: Catrope):

[mediawiki/extensions/WebAuthn@master] [Proof of concept] Passwordless login

https://gerrit.wikimedia.org/r/1233319

gerritbot added a comment.Jan 27 2026, 1:18 PM

Change #1233319 abandoned by Reedy:

[mediawiki/extensions/WebAuthn@master] [Proof of concept] Passwordless login

Reason:

Squashed into https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OATHAuth/+/1233318 (incoming)

https://gerrit.wikimedia.org/r/1233319

JJMC89 mentioned this in T415808: Cannot Use Modern Passkeys without Legacy Security Keys or TOTP App.Jan 28 2026, 5:37 PM
gerritbot added a comment.Feb 5 2026, 12:37 AM

Change #1236403 had a related patch set uploaded (by Catrope; author: Catrope):

[mediawiki/extensions/OATHAuth@master] Add a database table to track WebAuthn userHandle values

https://gerrit.wikimedia.org/r/1236403

Catrope created subtask T416544: New database table for tracking WebAuthn userHandle values (oathauth_user_handles).Feb 5 2026, 1:13 AM
Catrope mentioned this in T416544: New database table for tracking WebAuthn userHandle values (oathauth_user_handles).
Ladsgroup subscribed.Feb 6 2026, 9:25 PM
gerritbot added a comment.Feb 9 2026, 11:13 PM

Change #1236403 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Add a database table to track WebAuthn userHandle values

https://gerrit.wikimedia.org/r/1236403

Catrope created subtask T417117: Support conditional mediation in WebAuthnAuthenticator.Feb 11 2026, 5:24 AM
Catrope created subtask T417118: Enable passwordless login on the login form.Feb 11 2026, 5:39 AM
Catrope removed a subtask: T417117: Support conditional mediation in WebAuthnAuthenticator.
Catrope created subtask T417120: Display a "login with passkey" button if the user has logged in with a passkey before.Feb 11 2026, 5:43 AM
PixDeVl subscribed.Feb 11 2026, 12:24 PM
Reedy changed the status of subtask T416544: New database table for tracking WebAuthn userHandle values (oathauth_user_handles) from Open to In Progress.Feb 12 2026, 11:56 AM
JeffreyWang unsubscribed.Feb 12 2026, 9:39 PM

Super happy to see production-ready passkey support coming soon. If it is added into OATHAuth, I will deprecate PasskeyAuth and recommend to use OATHAuth.

Nemoralis added a project: User-notice.Feb 12 2026, 10:25 PM
rokejulianlockhart awarded a token.Feb 17 2026, 1:05 AM
rokejulianlockhart subscribed.
Catrope closed subtask T416544: New database table for tracking WebAuthn userHandle values (oathauth_user_handles) as Resolved.Feb 19 2026, 12:37 AM
STei-WMF subscribed.Feb 19 2026, 12:17 PM

Hello, how should I word this for Tech News? @Saklad5

Catrope moved this task from WE 4.6.4 - 2FA improvements and passkey support to WE 4.6.9 (Passwordless login and passkey promotion) on the FY2025-26 WE 4.6 - Account Security board.Feb 19 2026, 7:01 PM
Catrope edited projects, added FY2025-26 WE 4.6 - Account Security (WE 4.6.9 (Passwordless login and passkey promotion)); removed FY2025-26 WE 4.6 - Account Security (WE 4.6.4 - 2FA improvements and passkey support).
EMill-WMF subscribed.EditedFeb 23 2026, 1:05 AM

@STei-WMF Reach out to us on Slack to work it out. We'll need to be precise about it, because...

For the various interested parties on this ticket, I do want to make sure it's clear the steps we're taking now, and what we're not taking (yet).

  • The big limitation is that this is still only going to be usable for accounts which have already set up 2FA (which means having first set up either an authenticator app or security key). Passwordless login will not work for regular user accounts that currently login only using a password.
  • The main reasons for this right now are 1) we're concerned about 2FA-required users registering _only_ a passkey to their account, especially a device-tied non-synced passkey, and then losing access to that device, and 2) the current motivation for our wave of 2FA/passkey work over the last year is to support users for whom 2FA is required (a user group which is going to increase a lot, soon). Until we get through this effort, we are laser-focused on increasing usability and lowering lockout risk for that group of users.
  • Passwordless login will be supported if the account has a UV-supporting passkey registered to it. UV-supporting means that it requires user verification (a PIN or biometric) at the time of login, not just a button press or mouse click. Generally, we're only allowing passkeys to be registered in the first place if they advertise requirements for UV, though we recently relaxed this for Firefox on Linux clients given the behavior we see with 3rd-party password managers on that platform.
  • Some sites may be more relaxed about requiring UV for passwordless login even when 2FA would otherwise be required (I think this is true for GitHub, for example). A site that does this is basically saying that one-factor login is fine for "2FA"-enabled accounts, as long as that one factor is phishing-resistant. There may well be an argument for that, but we're not ready to go down that road right now.

The throughline here is that we are taking passkey implementation one step at a time, seeing what passkey providers users choose and what those providers' behavior is, and making sure it's working well, before taking bigger steps or expanding to larger audiences.

We do plan to aggressively let 2FA-enabled users know about the ability to add passkeys to their account and smooth their login experience, once we have passwordless login deployed. In the near-term, it may be that 2FA-required users are those who have the smoothest login experience on the wikis -- which would be quite a role reversal.

Please keep filing bugs and let us know how our system is working out in practice, so that we can smooth out the experience, and plan out where we take it next.

Restricted Application added a project: Product Safety and Integrity. · View Herald TranscriptFeb 23 2026, 1:05 AM
Rsilvola subscribed.Feb 24 2026, 2:36 PM
STei-WMF moved this task from To Triage to Announce in next Tech/News on the User-notice board.Feb 27 2026, 3:29 PM
gerritbot added a comment.Feb 27 2026, 7:51 PM

Change #1245437 had a related patch set uploaded (by Catrope; author: Catrope):

[mediawiki/extensions/OATHAuth@master] WebAuthnAuthenticator: Allow multiple challenges in parallel

https://gerrit.wikimedia.org/r/1245437

gerritbot added a comment.Mar 3 2026, 11:22 AM

Change #1245437 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] WebAuthnAuthenticator: Allow multiple challenges in parallel

https://gerrit.wikimedia.org/r/1245437

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.19; 2026-03-10).Mar 3 2026, 12:00 PM
STei-WMF moved this task from Announce in next Tech/News to Already announced/Archive on the User-notice board.Mar 4 2026, 11:53 AM
gerritbot added a comment.Mar 5 2026, 3:41 PM

Change #1233318 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Add passwordless login with passkeys

https://gerrit.wikimedia.org/r/1233318

Maintenance_bot removed a project: Patch-For-Review.Mar 5 2026, 4:31 PM
Catrope closed subtask T417118: Enable passwordless login on the login form as Resolved.Mar 6 2026, 3:36 AM
Catrope created subtask T419198: Deploy passwordless login.Mar 6 2026, 3:40 AM
Catrope closed subtask T419198: Deploy passwordless login as Resolved.Mon, Mar 16, 8:17 PM
sgrabarczuk subscribed.Mon, Mar 16, 11:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits