Feature Request: Passwordless authentication

[mohabgabber]

What problem will this feature address?

Setting up a secure authentication process in dokploy requires using a strong password along with two factor authentication.
But due to the fact that the session cookie's expiry is short, that results in the user repeatedly entering the password and two factor authentication codes each time they open the instance.

Describe the solution you'd like

The addition of passwordless authentication using Webauthn which will increase security and efficiency at the same time.

Describe alternatives you've considered

Using Webauthn for the authentication process will increase security and efficiency.

Additional context

No response

Will you send a PR to implement it?

No

[Cohvir]

Passkeys are secure and efficient indeed. I agree. +1

[iyobo]

Upvote + concrete implementation path (Better Auth passkey plugin)

+1 on native WebAuthn passkeys for the Dokploy panel — especially platform authenticators (Touch ID, Face ID, Windows Hello, Android fingerprint) so operators are not tied to a separate TOTP app (Google Authenticator, etc.) on every short session expiry.

Problem (expanded)

Today Dokploy documents TOTP 2FA (password + 6-digit rotating code). That is strong, but for a self-hosted control plane you open often it is friction-heavy:

• Password + authenticator app on every re-auth when the session cookie expires
• TOTP codes are phishable/copy-pasteable; passkeys are origin-bound
• Biometric unlock is handled by the OS/browser, not a third-party OTP app

Passkeys are not “TOTP with fingerprint” — they are FIDO2/WebAuthn: device-held key pair, biometric/PIN unlocks the private key, server verifies the assertion.

Why this should be tractable for Dokploy

Dokploy already uses Better Auth (TOTP via the twoFactor plugin per docs). Better Auth ships a first-class passkey plugin:

• Docs: https://www.better-auth.com/docs/plugins/passkey
• Package: @better-auth/passkey (SimpleWebAuthn under the hood)
• Supports authenticatorAttachment: "platform" for built-in biometrics
• Supports listing/deleting passkeys per user, sign-in via signIn.passkey, add while authenticated via passkey.addPasskey

So this is largely enable plugin + DB migration + settings UI, not a greenfield auth migration.

Suggested scope (MVP)

Account settings (authenticated user)

1. “Add passkey” → WebAuthn registration (passkey.addPasskey), optional friendly name
2. List registered passkeys; revoke individual credentials
3. Require userVerification: "preferred" (or required) so biometrics/PIN are actually used

Sign-in

4. “Sign in with passkey” on the login page (signIn.passkey), with conditional UI / autofill where supported
5. Keep password + TOTP as fallback for users without a passkey and for account recovery

Self-hosted requirements

6. Document rpID / origin for the panel hostname (e.g. fleet.example.com over HTTPS). Passkeys will not work on plain HTTP except localhost dev.
7. Recovery: existing TOTP recovery codes and/or admin break-glass — passkeys must not be the only factor with no recovery story

Optional later

• Passkey-first registration for new installs
• Enforce “must have passkey or TOTP” org policy (ties into security hardening discussions like Security Roadmap Discussion: Hardening Self-Hosted Dokploy for Production Use #4360)

Non-goals for this issue

• Replacing enterprise OIDC/SAML SSO — complementary; SSO is for IdP federation, passkeys are for native panel login
• Passkeys for deployed apps — those apps bring their own auth (Authelia, Pocket ID, etc.); this issue is Dokploy UI login only

Security notes

• WebAuthn is phishing-resistant (RP ID binding)
• Platform passkeys sync via iCloud/Google/Windows Hello depending on OS — document trade-offs for fleet operators
• Still worth encrypting secrets at rest (Security Roadmap Discussion: Hardening Self-Hosted Dokploy for Production Use #4360) — passkeys harden authentication, not DB compromise of env vars

References

• Dokploy 2FA (TOTP): https://dokploy-dokploy.mintlify.app/integrations/authentication/2fa
• Better Auth passkey plugin: https://www.better-auth.com/docs/plugins/passkey
• Related hardening discussion: Security Roadmap Discussion: Hardening Self-Hosted Dokploy for Production Use #4360

Happy to help test on a self-hosted HTTPS instance if a PR lands.

— filed via fleet operator feedback (not a Dokploy maintainer)

[iyobo]

Opened an implementation PR: #4544 — adds @better-auth/passkey@1.5.4, login + profile UI, and Drizzle migration. Self-hosted installs need BETTER_AUTH_URL set to the public HTTPS panel URL for rpID/origin to match the browser.