Joomla passkey #949
Hi, this question isn’t directly really related to Panopticon, but I’ll give it a try and maybe I’ll get some help :) Now I’m trying to achieve the same workflow in Joomla administration. However, Joomla requires me to first enter my username before I can click “Passkey login.” Only then does Bitwarden provide the passkey and log me in. My question: Is it possible in Joomla to skip the username step (like in Panopticon), or is this behavior dependent on Bitwarden’s implementation?
I contributed the current implementation of WebAuthn (passkeys) in Joomla 4.0. So, you are definitely asking the right person. WebAuthn in Joomla only supports roaming keys which don't store any identifying information about the user. That's why you need to provide your username. Using your username, Joomla looks up the passkeys it knows and asks the browser if an authenticator for any of these passkeys exists. The browser then displays the appropriate WebAuthn interface. Finally, it sends the authenticator response to the server which verifies it and performs the login. You can use a resident key instead. In this case, personally identifiable information are stored into the authenticator. The site asks the browser if there are any discoverable keys. The browser asks connected authenticators and displays an appropriate interface. If any authenticators are found and the user consented, their challenge response is sent to the site which first tries to find the user based on the personal information reported by the authenticator, make sure this authenticator is allowed for this user, and then do the verification and login. Now, you might ask, why not use a resident authenticator all along? Because in 2020, when this implementation was written for Joomla, hardware authenticators like YubiKey only supported a very small number of resident keys (10 to 25, depending on the model), and managing them was quite atrocious if at all possible. Software authenticators either didn't exist, were not secure, or flat out did not support resident keys. Adding support for a feature that wasn't quite ready in the browsers, hardware, and software meant to be used with did not make sense. Fast forward to the end of 2025. Newer YubiKey models support up to 100 stored keys. Password managers like 1Password support passkeys, including resident keys. 
Android and iPhoneOS/iPadOS work correctly with desktop browsers even outside a single company's ecosystem, allowing you to use your phone as an authenticator which supports resident keys – and sync them across your devices in a secure way. Browsers have gotten a lot better on supporting resident keys, too. Finally, the entire stack is ready for this. I have already written the code to support resident authenticators. I will eventually release it as its own product, with a very low cost subscription. |