PHP download

Download the PHP package netresearch/nr-passkeys-be without Composer

On this page you can find all versions of the php package netresearch/nr-passkeys-be. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

Table of contents
Download netresearch/nr-passkeys-be
More information about netresearch/nr-passkeys-be
Files in netresearch/nr-passkeys-be

Vendor netresearch
Package nr-passkeys-be
Short Description Passwordless TYPO3 backend authentication via Passkeys (WebAuthn/FIDO2) - by Netresearch
License GPL-2.0-or-later
Homepage https://github.com/netresearch/t3x-nr-passkeys-be

Keywords Authentication backend typo3 Passwordless FIDO2 webauthn passkeys

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:

If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.

Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
To use Composer is sometimes complicated. Especially for beginners.
Composer needs much resources. Sometimes they are not available on a simple webspace.
If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Please rate this library. Is it a good library?

Informations about the package nr-passkeys-be

Passkeys Backend Authentication

Passwordless TYPO3 backend login via WebAuthn/FIDO2 Passkeys.
One-click authentication with TouchID, FaceID, YubiKey, and Windows Hello.

Overview

nr_passkeys_be replaces traditional password authentication in the TYPO3 backend with modern passkeys. It registers as a TYPO3 authentication service at priority 80, intercepting login requests before the standard password service. When passkey data is present, it performs full WebAuthn assertion verification. Otherwise, it falls through to password login (unless disabled).


Extension key	`nr_passkeys_be`
Package	`netresearch/nr-passkeys-be`
TYPO3	12.4 LTS, 13.4 LTS, 14.x
PHP	8.2, 8.3, 8.4, 8.5
License	GPL-2.0-or-later

Features

Primary authentication -- Passkeys replace passwords, not just augment them
Discoverable login -- Optional username-less login via resident credentials
Per-group enforcement -- 4 levels (Off, Encourage, Required, Enforced) with configurable grace periods for gradual rollout
Onboarding banner -- Dismissible banner with passkey explanation, docs link, and administrator contact for encouraged users
Setup interstitial -- PSR-15 middleware prompts users to register passkeys after login (skippable during grace period)
Admin dashboard -- Backend module with adoption stats, per-group enforcement controls, user list, and bulk actions
Admin management -- Admins can list, revoke passkeys, send reminders, and unlock locked accounts
Self-service -- Users register, rename, and remove their own passkeys in User Settings
Rate limiting -- Per-endpoint and per-account lockout protection
Replay protection -- HMAC-signed challenge tokens with single-use nonces

Supported Authenticators

Platform	Authenticator
macOS / iOS	TouchID, FaceID
Windows	Windows Hello
Cross-platform	YubiKey, other FIDO2 security keys

Installation

Activate the extension in the TYPO3 Extension Manager or via CLI:

Quick Start

After installation, follow these steps:

Review extension settings — Go to Admin Tools > Settings > Extension Configuration > nr_passkeys_be and verify the Relying Party settings (rpId, rpName, origin). The defaults auto-detect from your domain, which works for most single-domain setups.
Open the Passkey Management module — Navigate to Admin Tools > Passkey Management. The Dashboard shows adoption statistics and the Help tab provides a full rollout guide with recovery procedures and FAQ.
Register your own passkey — Go to User Settings > Passkeys and register a passkey to verify the setup works on your device.
Enable enforcement for a pilot group — On the Dashboard, set a small group (e.g., your admin team) to Encourage. Users will see a dismissible banner prompting them to set up a passkey.
Roll out gradually — Progress through Encourage → Required → Enforced as adoption grows. See the Help tab in the backend module for the complete rollout guide.

Full documentation: docs.typo3.org/p/netresearch/nr-passkeys-be · Configuration reference

Passkeys & MFA

Passkeys are inherently multi-factor: they combine something you have (your device) with something you are (biometric) or something you know (device PIN). They are also phishing-resistant — the credential is cryptographically bound to the origin.

For most TYPO3 backends, passkeys alone are more secure than password + TOTP. The FIDO Alliance and W3C consider passkeys a stronger replacement for password + OTP. Adding TYPO3's MFA on top is optional defence-in-depth, not a requirement.

Consider keeping MFA enabled alongside passkeys only if:

Your security policy explicitly mandates independent factors (e.g., PCI-DSS)
Your threat model includes authenticator device compromise

See the Help tab in Admin Tools > Passkey Management for details on MFA coexistence and middleware processing order.

Configuration

Extension settings are available in Admin Tools > Settings > Extension Configuration > nr_passkeys_be:

Setting	Default	Description
`rpId`	(auto-detect)	Relying Party domain (e.g., `example.com`)
`rpName`	`TYPO3 Backend`	Display name shown during passkey registration
`origin`	(auto-detect)	Full origin URL (e.g., `https://example.com`)
`challengeTtlSeconds`	`120`	Challenge token lifetime in seconds
`discoverableLoginEnabled`	`true`	Allow username-less login via resident credentials
`disablePasswordLogin`	`false`	Block password login for users with registered passkeys
`rateLimitMaxAttempts`	`10`	Requests per IP per endpoint before rate limiting
`rateLimitWindowSeconds`	`300`	Rate limit window duration in seconds
`lockoutThreshold`	`5`	Failed login attempts (per IP) before account lockout
`lockoutUserThreshold`	`15`	Failed login attempts (per username, all IPs) before account lockout
`lockoutDurationSeconds`	`900`	Lockout duration in seconds (15 min)
`userVerification`	`required`	WebAuthn user verification requirement
`allowedAlgorithms`	`ES256`	Comma-separated signing algorithms

See the Configuration documentation for detailed descriptions of each setting.

How It Works

The extension registers a TYPO3 authentication service at priority 80 (above SaltedPasswordService at 50). When passkey assertion data is present in the login request, it verifies the WebAuthn assertion. When no passkey data is present, it passes through to the next auth service (standard password login) unless password login is disabled.

API Endpoints

Login (public):

POST /passkeys/login/options -- Generate authentication challenge
POST /passkeys/login/verify -- Verify passkey assertion

Self-Service (authenticated, AJAX routes):

POST /ajax/passkeys/manage/registration/options -- Generate registration challenge *
POST /ajax/passkeys/manage/registration/verify -- Complete passkey registration *
GET /ajax/passkeys/manage/list -- List own passkeys
POST /ajax/passkeys/manage/rename -- Rename a passkey label *
POST /ajax/passkeys/manage/remove -- Remove a passkey *

Admin (admin-only, AJAX routes):

GET /ajax/passkeys/admin/list?beUserUid=N -- List any user's passkeys
POST /ajax/passkeys/admin/remove -- Revoke a user's passkey *
POST /ajax/passkeys/admin/revoke-all -- Revoke all passkeys for a user *
POST /ajax/passkeys/admin/unlock -- Unlock a locked-out user *
POST /ajax/passkeys/admin/update-enforcement -- Update group enforcement level *
POST /ajax/passkeys/admin/send-reminder -- Send passkey setup reminder *
POST /ajax/passkeys/admin/clear-nudge -- Clear active nudge for a user *

Enforcement (authenticated, AJAX route):

GET /ajax/passkeys/enforcement/status -- Get enforcement status for banner

* Protected by TYPO3 Sudo Mode -- write operations require password re-verification (15 min grant lifetime).

Documentation

Online documentation: docs.typo3.org/p/netresearch/nr-passkeys-be
In the backend: Admin Tools > Passkey Management > Help tab (rollout guide, recovery, FAQ)
Source: Documentation/ directory (RST format)

Development

Security

If you discover a security vulnerability, please report it responsibly. See SECURITY.md for details.

License

GPL-2.0-or-later. See LICENSE.

Developed and maintained by Netresearch DTT GmbH

All versions of nr-passkeys-be with dependencies

PHP Build Version

Package Version

Version v0.9.3 Release 28. May 2026
create-project require 0 people chose require and
0 people chose create-project.

Download

Download latest version of nr-passkeys-be from vendor netresearch

Requires php Version ^8.2
typo3/cms-core Version ^12.4 || ^13.4 || ^14.3
typo3/cms-backend Version ^12.4 || ^13.4 || ^14.3
typo3/cms-setup Version ^12.4 || ^13.4 || ^14.3
web-auth/webauthn-lib Version ^5.3

Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package netresearch/nr-passkeys-be contains the following files

Loading the files please wait ...