
How to Use PassKeys for WordPress Authentication


In the previous two posts (this one and this one), I covered why a password manager matters and why two-factor authentication matters just as much. What if a password were not needed at all, or if a fingerprint could serve as the primary authentication method?

This is what PassKeys make possible. A passkey is a credential built on a public/private key pair: the private key stays on your device (or in your password manager) and the site stores only the public key. At login the site sends a random challenge, the device signs it with the private key, and the site checks the signature with the stored public key. Since only the holder of the private key can produce a valid signature, and the key itself is never transmitted, there is no shared secret for an attacker to steal from the site or trick you into typing into a fake login page.

If you have used SSH keys while developing your site, you already understand the underlying asymmetric (public-key) cryptography: an authorized public key sits on the server, and the private key never leaves your machine. If you want to dive deeper into how PassKeys work, here’s a good article for that.
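The challenge-and-signature exchange described above, as an added example that is not code from this post or from any WordPress plugin: a small Go model of the WebAuthn login ceremony that passkeys are built on. The relying party name blog.example, the origins, and the simplified authenticator-data layout are assumptions for illustration; a real site follows the WebAuthn specification through a library rather than hand-rolling this. The example shows the three properties the text relies on: the site keeps only the public key, the signature covers a fresh server-issued challenge so it cannot be replayed, and the signed data names the origin and relying party so an assertion obtained on a look-alike domain is rejected even though it was signed by the genuine key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical relying party (the WordPress site); these names are assumptions, not from the post.
const rpID, expectedOrigin = "blog.example", "https://blog.example"

// clientData holds the WebAuthn clientDataJSON fields that matter for this check.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser hands back at login: authData = sha256(rpID)||flags||signCount,
// the clientDataJSON bytes, and an ASN.1 ECDSA signature over sha256(authData || sha256(clientDataJSON)).
type Assertion struct{ AuthData, ClientData, Signature []byte }

// signedDigest is the message both sides compute before signing or verifying.
func signedDigest(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Sign stands in for the authenticator; priv never leaves it. The browser, not the user, supplies
// rpid and origin, so an assertion made on a look-alike site carries that site's identity in the signed data.
func Sign(priv *ecdsa.PrivateKey, rpid, origin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpid))
	authData := append(append([]byte{}, rpHash[:]...), 0x01, 0, 0, 0, 1) // UP flag set, signCount=1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	return Assertion{AuthData: authData, ClientData: cd, Signature: sig}, err
}

// RelyingParty is the site: it stores only the public key plus one outstanding challenge.
type RelyingParty struct {
	pub       *ecdsa.PublicKey
	challenge string
}

// NewChallenge issues a fresh random nonce; a passkey login is a signature over it, never over a secret.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	rp.challenge = fmt.Sprintf("%x", b)
	return rp.challenge
}

// Verify is the server side: fresh challenge, expected origin, matching rpIdHash, valid signature.
func (rp *RelyingParty) Verify(as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case rp.challenge == "" || cd.Challenge != rp.challenge:
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != expectedOrigin:
		return fmt.Errorf("origin %q is not this site: possible phishing", cd.Origin)
	case len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(rpHash[:]):
		return errors.New("rpIdHash mismatch")
	case !ecdsa.VerifyASN1(rp.pub, signedDigest(as.AuthData, as.ClientData), as.Signature):
		return errors.New("signature does not verify under the stored public key")
	}
	rp.challenge = "" // single use: the same assertion cannot be presented twice
	return nil
}

// Scenario runs a legitimate login, a replay of the same assertion, and a login relayed through
// a look-alike origin (constructed values, not a real site), and returns each outcome.
func Scenario() (legit, replay, phish error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	rp := &RelyingParty{pub: &priv.PublicKey} // registration: the site keeps the public key only
	as, _ := Sign(priv, rpID, expectedOrigin, rp.NewChallenge())
	legit = rp.Verify(as)
	replay = rp.Verify(as) // the same assertion presented again
	ch := rp.NewChallenge() // attacker relays a genuine challenge to a phishing page
	bad, _ := Sign(priv, "blog-example.evil", "https://blog-example.evil", ch)
	phish = rp.Verify(bad)
	return legit, replay, phish
}

func main() { fmt.Println(Scenario()) }
```

Run it with go run: the legitimate login returns nil, while the replayed assertion and the one signed for the look-alike origin both return errors. In a real browser the phishing case fails one step earlier, because credentials are scoped to the relying party ID and the browser would never offer the blog.example passkey on blog-example.evil; the server-side origin and rpIdHash checks are the defence in depth that a WordPress plugin still has to perform.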

Using PassKeys for WordPress authentication

With PassKeys you can drop username/password authentication entirely and have a “passwordless” login. WordPress core does not support PassKeys out of the box, though, so you will need a plugin that adds the functionality (passkeys are WebAuthn credentials, so look for a plugin built on that standard).

Keep in mind that if you configure WordPress to accept only PassKeys, you can log in only from a device that holds a registered private key; a device-bound passkey on a hardware security key or a phone cannot be copied off that device.

If you work on your site from several devices, register a separate passkey for each one, and keep at least two credentials (or another login method) registered so that losing a device does not lock you out. Some password managers and platform keychains can also store passkeys and synchronize them across your devices, which removes the per-device limitation at the cost of trusting that vault to protect the private keys.

You can also keep username/password authentication and use PassKeys as an additional factor. Some websites, such as Cloudflare, offer PassKeys only as a two-factor authentication (2FA) option; even used that way, they are a safer choice than SMS-based 2FA or one-time codes, because the credential is bound to the site’s origin and cannot be entered on a phishing page the way a code can.

1Password, one of the password managers we recommended in the previous article, maintains a directory of websites that already support PassKeys.

Since you will need a plugin to make PassKeys available in WordPress, it is worth knowing that one of the longest-standing advocates of PassKeys in the WordPress ecosystem has been Solid Security. Take a look at what they offer, along with the other plugins that support this feature.

Conclusion

PassKeys aim to offer a more secure and convenient alternative to traditional passwords.

By leveraging public/private key cryptography, PassKeys remove the shared secret that password theft and phishing depend on: a stolen database of public keys is useless to an attacker, and a credential bound to your site’s origin cannot be used on a look-alike domain.

For WordPress users, implementing PassKeys can enhance the security of your site while simplifying the login process.

Although WordPress does not support PassKeys out of the box, a few plugins bring this functionality to your site. Whether you go entirely passwordless or use PassKeys as a second factor, it’s well worth considering.
