Passkey as 2FA #778

Open
opened 2026-03-13 08:03:52 -05:00 by GiteaMirror · 13 comments

Originally created by @LukaVerzijl on GitHub (Mar 4, 2025).

Is this suited for github?

  • Yes, this is suited for github

Is your feature request related to a problem? Please describe.

For my use case I want users to log in with their credentials, then have a forced 2FA. But the 2FA plugin only has OTP and TOTP. Those two methods work fine, but it feels like I'm missing passkey for this, to make it easier for the user.

Describe the solution you'd like

If possible, add passkey support to the 2FA plugin, so it can be used as a two factor, instead of only as direct sign in.

Describe alternatives you've considered

I'm currently using OTP and TOTP as mentioned earlier.

Additional context

No response


@GregorWedlich commented on GitHub (Mar 7, 2025):

I’m not sure if it’s possible to integrate Passkey verification into the login process for credential or social logins via a hook.

Right now, if a user logs in with a username and password and then registers a Passkey, they can log in with the Passkey but still use their username and password. From a security perspective, this doesn’t seem like the right approach. If a Passkey is registered, it should be required for authentication—similar to how 2FA works. At least, that’s my take on it.


@GregorWedlich commented on GitHub (Mar 12, 2025):

Ok. My solution for now is I check if a user has passkeys associated with their account and then I redirect to the /auth/passkey-verification page. If a user has no passkeys I use the signIn.email() method.

But for now this works for credential login, not social login.

```ts
const onSubmit = form.handleSubmit(
  async (values: z.infer<typeof LoginSchema>) => {
    setError('');
    setSuccess('');

    startTransition(async () => {
      // Look up whether this email has a registered passkey.
      let hasPasskey = false;
      try {
        hasPasskey = await checkUserHasPasskey(values.email);
      } catch (error) {
        console.error('Error checking for passkey:', error);
      }

      // Passkey users are sent to the passkey page; the password is not submitted.
      if (hasPasskey === true) {
        router.push(
          `/auth/passkey-verification?email=${encodeURIComponent(values.email)}`,
        );
        return;
      }

      // No passkey: regular email/password sign-in.
      const { data, error: loginError } = await signIn.email({
        email: values.email,
        password: values.password,
        callbackURL: '/dashboard',
      });

      if (loginError) {
        setError(loginError.message || 'Login failed');
        return;
      }

      // The 2FA plugin asks for a second step (OTP/TOTP).
      if (
        data &&
        typeof data === 'object' &&
        'twoFactorRedirect' in data &&
        data.twoFactorRedirect
      ) {
        router.push(
          `/auth/two-factor?email=${encodeURIComponent(values.email)}`,
        );
        return;
      }

      setSuccess('Login successful! Redirecting...');
      router.push('/dashboard');
    });
  },
);
```

https://github.com/user-attachments/assets/8d397ffd-42c1-48d3-889f-d0e5ee879ea8


@GregorWedlich commented on GitHub (Mar 13, 2025):

I thought about it a bit more; my solution works for credential login, but it isn’t a true 2FA with a passkey because I can call my “/auth/passkey-verification” route without entering credentials, so it isn’t really 2FA.

I therefore believe that an integration of a passkey as a second factor would need to be properly implemented, especially since my solution above only works with credential login and not with social login.

Perhaps this can be tackled in the future? @Bekacru :)
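
The gap described in the comment above (the passkey page can be reached without the credential step) is closed on the server by having the passkey step accept only a short-lived, signed proof that a first factor succeeded. This is an added example, not code from the thread or from better-auth; `issuePendingToken`, `verifyPendingToken`, `completePasskeyStep` and the demo key are hypothetical names and values, and the WebAuthn assertion is assumed to be verified elsewhere.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed demo key (assumption); load a random secret from configuration in practice.
const PENDING_KEY = "constructed-demo-key";
const PENDING_TTL_MS = 5 * 60 * 1000;

type StepResult = { ok: true; userId: string } | { ok: false; error: string };

function sign(body: string): string {
  return createHmac("sha256", PENDING_KEY).update(body).digest("hex");
}

// Issued by the server only after the first factor (password or social login) succeeded.
function issuePendingToken(userId: string, now: number): string {
  const claims = JSON.stringify({ userId, exp: now + PENDING_TTL_MS });
  const body = Buffer.from(claims).toString("base64url");
  return `${body}.${sign(body)}`;
}

// Returns the user the token was issued for, or null if it is malformed, altered or expired.
function verifyPendingToken(token: string, now: number): string | null {
  const [body, mac] = token.split(".");
  if (!body || !mac) return null;
  const given = Buffer.from(mac, "utf8");
  const expected = Buffer.from(sign(body), "utf8");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  // The claims are parsed only after the MAC has been checked.
  const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  return typeof claims.userId === "string" && claims.exp > now ? claims.userId : null;
}

// Hypothetical handler behind the passkey-verification page. assertionUserId is the account
// that owns the credential of an already verified WebAuthn assertion, or null if it failed.
function completePasskeyStep(
  token: string | undefined,
  assertionUserId: string | null,
  now: number,
): StepResult {
  const pendingUser = token ? verifyPendingToken(token, now) : null;
  if (pendingUser === null) return { ok: false, error: "first factor required" };
  if (assertionUserId !== pendingUser) {
    return { ok: false, error: "passkey does not match pending login" };
  }
  return { ok: true, userId: pendingUser };
}
```

Because the user identity comes from the signed token rather than from the `?email=` query parameter, the same passkey step can follow a social login as well as a password login.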


@dosubot[bot] commented on GitHub (Jun 14, 2025):

Hi, @LukaVerzijl. I'm Dosu, and I'm helping the better-auth team manage their backlog. I'm marking this issue as stale.

Issue Summary:

  • You requested the addition of passkey support to GitHub's 2FA plugin.
  • GregorWedlich discussed the feasibility and security implications of integrating passkey verification.
  • A workaround for credential logins was shared, but it doesn't provide true 2FA or work with social logins.
  • GregorWedlich suggested considering a proper implementation of passkeys as a second factor in the future.

Next Steps:

  • Please let me know if this issue is still relevant to the latest version of the better-auth repository by commenting here.
  • If there is no further activity, this issue will be automatically closed in 7 days.

Thank you for your understanding and contribution!


@GregorWedlich commented on GitHub (Jun 15, 2025):

> Hi, @LukaVerzijl. I'm Dosu, and I'm helping the better-auth team manage their backlog. I'm marking this issue as stale.
>
> Issue Summary:
>
>   • You requested the addition of passkey support to GitHub's 2FA plugin.
>   • GregorWedlich discussed the feasibility and security implications of integrating passkey verification.
>   • A workaround for credential logins was shared, but it doesn't provide true 2FA or work with social logins.
>   • GregorWedlich suggested considering a proper implementation of passkeys as a second factor in the future.
>
> Next Steps:
>
>   • Please let me know if this issue is still relevant to the latest version of the better-auth repository by commenting here.
>   • If there is no further activity, this issue will be automatically closed in 7 days.
>
> Thank you for your understanding and contribution!

I'm not up to date at the moment but I think they are working on it?


@LukaVerzijl commented on GitHub (Jun 15, 2025):

@GregorWedlich I checked the milestones a few times but nothing is added to it, so I don't think so.


@greimela commented on GitHub (Jul 1, 2025):

I would love to see this being added.

With a passkey as a second factor it is so much harder to fall for a phishing attack, compared to TOTP.


@arenddeboer commented on GitHub (Jul 29, 2025):

Signing up with just a passkey is also an issue. You will have to generate a temp password behind the scenes, login/authenticate, add passkey, then remove the temp password/credential login.


@HofmannZ commented on GitHub (Aug 13, 2025):

The flow we’re exploring uses a magic link for initial authentication (something you have), followed by WebAuthn/Passkey as the second factor (something you are or know). But that does not seem to work well with better auth.


@dosubot[bot] commented on GitHub (Nov 12, 2025):

Hi, @LukaVerzijl. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary

  • You requested adding passkey support as a second factor in the 2FA plugin to improve convenience beyond OTP/TOTP.
  • A workaround for credential logins redirecting to passkey verification was shared but noted as not true 2FA and lacking social login support.
  • The issue remains unresolved with no official progress or milestones achieved.
  • Other users have shown interest in passkey 2FA for enhanced phishing resistance.
  • Challenges include signup flows and integrating passkeys with existing authentication methods.

Next Steps

  • Please let me know if this issue is still relevant to the latest version of better-auth by commenting here to keep the discussion open.
  • Otherwise, this issue will be automatically closed in 7 days.

Thank you for your understanding and contribution!


@LukaVerzijl commented on GitHub (Nov 12, 2025):

Issue is still on the latest stable build of better auth.


@dosubot[bot] commented on GitHub (Feb 11, 2026):

Hi, @LukaVerzijl. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary

  • You requested adding passkey support as a second factor in the 2FA plugin to improve convenience beyond current OTP/TOTP methods.
  • A workaround for credential logins redirecting to passkey verification was shared but noted as not true 2FA and lacking social login support.
  • Other users have shown interest due to the enhanced phishing resistance passkeys offer.
  • Challenges remain around signup flows and proper integration.
  • The issue remains open with no official progress from the maintainers.

Next Steps

  • Please let me know if this issue is still relevant to the latest version of better-auth by commenting here to keep the discussion open.
  • Otherwise, this issue will be automatically closed in 7 days.

Thank you for your understanding and contribution!


@LukaVerzijl commented on GitHub (Feb 11, 2026):

Issue still relevant, bumping.


Reference: github-starred/better-auth#778