🚀 Feature: MFA #249

New Issue

Closed

opened 2026-02-04 18:22:00 +03:00 by OVERLORD · 7 comments

OVERLORD commented 2026-02-04 18:22:00 +03:00

Owner

Copy Link

Originally created by @RealOrangeOne on GitHub (Apr 16, 2025).

Feature description

Whilst passkeys are great, and they're significantly better than username/password, they're not implicitly multi-factor.

Adding a second factor, such as conventional TOTP, adds an additional level of protection for those using passkeys.

Pitch

Many vendors, such as Apple, implement Passkeys in a way which requires MFA (on device and biometrics), it's not always the case (for example, using a Yubikey).

Adding a second factor (opt-in, of course) adds an additional level of security, regardless of whether the Passkey itself is protected with MFA.

Originally created by @RealOrangeOne on GitHub (Apr 16, 2025). ### Feature description Whilst passkeys are great, and they're significantly better than username/password, they're not implicitly multi-factor. Adding a second factor, such as conventional TOTP, adds an additional level of protection for those using passkeys. ### Pitch Many vendors, such as Apple, implement Passkeys in a way which requires MFA (on device and biometrics), it's not always the case (for example, using a Yubikey). Adding a second factor (opt-in, of course) adds an additional level of security, regardless of whether the Passkey itself is protected with MFA.

OVERLORD added the feature label 2026-02-04 18:22:00 +03:00

OVERLORD closed this issue 2026-02-04 18:22:04 +03:00

OVERLORD commented 2026-02-04 18:22:06 +03:00

Author

Owner

Copy Link

@savely-krasovsky commented on GitHub (Apr 16, 2025):

CTAP2 (aka FIDO2) was explicitly developed to eliminate the need in both password and OTP. By spec it requires explicit consent and verification (either PIN, biometry or other method). It proves that you have an access to passkey storage and then checks your authorization again. This is exactly what password+OTP pair does: access to PIN/biometry and your authorization using passkey which replaces OTP (this is exactly why CTAP1 (aka U2F) replaced OTP when it was alive).

In case of Yubikey PIN is your first factor and passkey itself is a second factor. You cannot add non-residential passkey as far as I am aware (which is not requiring PIN). If it allows--it's a bug.

Overall I am strictly against adding any other 2FA to not over-complicate things.

@savely-krasovsky commented on GitHub (Apr 16, 2025): CTAP2 (aka FIDO2) was explicitly developed to eliminate the need in both password and OTP. By spec it requires explicit consent and verification (either PIN, biometry or other method). It proves that you have an access to passkey storage and then checks your authorization again. This is exactly what password+OTP pair does: access to PIN/biometry and your authorization using passkey which replaces OTP (this is exactly why CTAP1 (aka U2F) replaced OTP when it was alive). In case of Yubikey PIN is your first factor and passkey itself is a second factor. You cannot add non-residential passkey as far as I am aware (which is not requiring PIN). If it allows--it's a bug. Overall I am strictly against adding any other 2FA to not over-complicate things.

OVERLORD commented 2026-02-04 18:22:21 +03:00

Author

Owner

Copy Link

@kmendell commented on GitHub (Apr 17, 2025):

@savely-krasovsky Yes, you are right in your point, i talked with Elias before i added the upvote label. We don't see a need to add this just as a outright additional feature (put simplily) but are keeping it open to see if someone had a legitimate need or use case for this for now.

@kmendell commented on GitHub (Apr 17, 2025): @savely-krasovsky Yes, you are right in your point, i talked with Elias before i added the upvote label. We don't see a need to add this just as a outright additional feature (put simplily) but are keeping it open to see if someone had a legitimate need or use case for this for now.

OVERLORD commented 2026-02-04 18:22:24 +03:00

Author

Owner

Copy Link

@kmendell commented on GitHub (May 7, 2025):

I'm closing this issue, as MFA is not needed with passkeys and defeats the purpose of the spec. If there is a legitimate use for this, feel free to reopen this issue.

@kmendell commented on GitHub (May 7, 2025): I'm closing this issue, as MFA is not needed with passkeys and defeats the purpose of the spec. If there is a legitimate use for this, feel free to reopen this issue.

OVERLORD commented 2026-02-04 18:22:27 +03:00

Author

Owner

Copy Link

@kosli commented on GitHub (Aug 8, 2025):

Whereas I agree that passkeys are already protected by some kind of second factor itself, it is getting more common to have password managers in the browser that store the passkey (and syncs it with multiple devices) and is kept "unlocked" as long as the browser is open, by default. So it would still make sense for e.g. admin accounts to have an additional layer of security by an (external) 2FA, e.g. TOTP generated on the mobile in a separate app.
Another option is to have the application itself, e.g. paperless, ask for the 2FA, but that makes it more complicated as the (admin) user will have 2FA per application, instead of the SSO experience with a single 2FA.
I hope there are other users agreeing on having 2FA and upvoting this ;-)
btw, thanks for this great tool!
the only thing that prevents me currently for using it in preference of authelia is the 2FA.

@kosli commented on GitHub (Aug 8, 2025): Whereas I agree that passkeys are already protected by some kind of second factor itself, it is getting more common to have password managers in the browser that store the passkey (and syncs it with multiple devices) and is kept "unlocked" as long as the browser is open, by default. So it would still make sense for e.g. admin accounts to have an additional layer of security by an (external) 2FA, e.g. TOTP generated on the mobile in a separate app. Another option is to have the application itself, e.g. paperless, ask for the 2FA, but that makes it more complicated as the (admin) user will have 2FA per application, instead of the SSO experience with a single 2FA. I hope there are other users agreeing on having 2FA and upvoting this ;-) btw, thanks for this great tool! the only thing that prevents me currently for using it in preference of authelia is the 2FA.

OVERLORD commented 2026-02-04 18:22:43 +03:00

Author

Owner

Copy Link

@savely-krasovsky commented on GitHub (Aug 8, 2025):

@kosli IMO it's entirely the password managers’ problem. I understand your point, but we shouldn’t mitigate risks caused by passkey provider implementations. The FIDO2 specifications clearly state that it’s the job of the hardware token or the platform/sync passkey provider to implement those security measures, not the relying party (which we are).

You should also understand that FIDO2 was designed to be a truly passwordless solution, which includes replacing 2FA codes. That’s why you can sign in to sites like Binance or Google and bypass 2FA when using passkeys. Unfortunately, password managers undermine those efforts by providing less secure ways to use passkeys, but instead of trying to add “better security” on our side, I would push Bitwarden and other managers to fix this issue.

By the way, AFAIK, Bitwarden acknowledged the problem long ago (since the introduction of the passkey feature), but since then they haven’t done anything to fix it or provide proper user presence/verification logic.

@savely-krasovsky commented on GitHub (Aug 8, 2025): @kosli IMO it's entirely the password managers’ problem. I understand your point, but we shouldn’t mitigate risks caused by passkey provider implementations. The FIDO2 specifications clearly state that it’s the job of the hardware token or the platform/sync passkey provider to implement those security measures, not the relying party (which we are). You should also understand that FIDO2 was designed to be a truly passwordless solution, which includes replacing 2FA codes. That’s why you can sign in to sites like Binance or Google and bypass 2FA when using passkeys. Unfortunately, password managers undermine those efforts by providing less secure ways to use passkeys, but instead of trying to add “better security” on our side, I would push Bitwarden and other managers to fix this issue. By the way, AFAIK, Bitwarden acknowledged the problem long ago (since the introduction of the passkey feature), but since then they haven’t done anything to fix it or provide proper user presence/verification logic.

OVERLORD commented 2026-02-04 18:22:47 +03:00

Author

Owner

Copy Link

@savely-krasovsky commented on GitHub (Aug 8, 2025):

I would work in other direction if you want to improve passkey security: allow to use only some AAGUID for certain clients. For example I want to allow authorization only from Yubikey. Then I would add only theirs AAGUIDs and check attestation certificate chain using public key from MDS (FIDO Alliance Metadata Service) at Pocket-ID side. In this case I would have 100% verification that Yubikey was used and not Bitwarden.

@savely-krasovsky commented on GitHub (Aug 8, 2025): I would work in other direction if you want to improve passkey security: allow to use only some AAGUID for certain clients. For example I want to allow authorization only from Yubikey. Then I would add only theirs AAGUIDs and check attestation certificate chain using public key from MDS (FIDO Alliance Metadata Service) at Pocket-ID side. In this case I would have 100% verification that Yubikey was used and not Bitwarden.

OVERLORD commented 2026-02-04 18:22:53 +03:00

Author

Owner

Copy Link

@lordraiden commented on GitHub (Aug 29, 2025):

Here there is an argument to reconsider this and the use cases

https://github.com/pocket-id/pocket-id/issues/895#issuecomment-3236305390

@lordraiden commented on GitHub (Aug 29, 2025): Here there is an argument to reconsider this and the use cases https://github.com/pocket-id/pocket-id/issues/895#issuecomment-3236305390

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

feat/email-verification

oidc-scopes

default-env-db-keys

slog-gorm

v2.2.0

v2.1.0

v2.0.2

v2.0.1

v2.0.0

v1.16.0

v1.15.0

v1.14.2

v1.14.1

v1.14.0

v1.13.1

v1.13.0

v1.12.0

v1.11.2

v1.11.1

v1.11.0

v1.10.0

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.0

v1.4.1

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.53.0

v0.52.0

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.0

v0.45.0

v0.44.0

v0.43.1

v0.43.0

v0.42.1

v0.42.0

v0.41.0

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.6

v0.35.5

v0.35.4

v0.35.3

v0.35.2

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.1

v0.28.0

v0.27.2

v0.27.1

v0.27.0

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.0

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.1

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

breaking

bug

bug

bug

documentation

feature

needs more upvotes

open to pull requests

pull-request

Mirrored from GitHub Pull Request

No Label feature

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/pocket-id#249