PR-5.4-dev Pending

eshantharjun9-hub - 13 Mar 2026

Pull Request resolves #47362.

  • I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

  • Ensure the WebAuthn login handler mirrors the com_users silent-login configuration by reading mfaonsilent and silentresponses.
  • Normalize response types (case/whitespace) and flag com_users.mfa_checked when a silent login (e.g. passkey) completes, skipping the captive MFA screen when that option is disabled.

Testing Instructions

  1. In Administrator → Users → User Options → Multi-factor Authentication, set Multi-factor Authentication after silent login to No (keep silent response types as cookie, passwordless).
  2. Register a passkey for a user account (Users → Multi-factor Authentication → Passkey → Add).
  3. Log out, then use the passkey button to log back in.
  4. Confirm you land directly in the app without seeing the captive MFA validation page.

Actual result BEFORE applying this Pull Request

Passkey logins still trigger the captive MFA page even though “Multi-factor Authentication after silent login” is set to No.

Expected result AFTER applying this Pull Request

Passkey logins honor the “Multi-factor Authentication after silent login” setting, skipping the extra MFA screen when the login is considered silent.

Link to documentation

Please select:

  • Documentation link for guide.joomla.org:

  • No documentation changes for guide.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
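As an added illustration (not code from this PR or from Joomla itself), the decision the summary describes, written as a framework-independent PHP function: the silentresponses value is normalized for case and whitespace, and the captive MFA step is skipped only when mfaonsilent is explicitly disabled and the completed login's response type is in the silent list; any unexpected value fails closed to requiring MFA. The function and parameter names, and the assumption that silentresponses may be stored as an array or a comma-separated string, are mine.

```php
<?php
declare(strict_types=1);

/**
 * Normalize the com_users "silentresponses" setting.
 * Accepts an array or a comma-separated string (assumed storage forms),
 * trims whitespace, lowercases, drops empty entries and duplicates.
 */
function normalizeSilentResponses(array|string $raw): array
{
    $items = is_array($raw) ? $raw : explode(',', $raw);
    $clean = [];
    foreach ($items as $item) {
        $type = strtolower(trim((string) $item));
        if ($type !== '') {
            $clean[$type] = true;
        }
    }
    return array_keys($clean);
}

/**
 * Decide whether the captive MFA page may be skipped for this login.
 * When this returns true the caller would set the com_users.mfa_checked
 * session flag, as the PR summary describes. Fail closed: MFA stays
 * required unless mfaonsilent is explicitly 0/"0"/false AND the response
 * type is one of the configured silent types.
 */
function skipCaptiveMfa(mixed $mfaOnSilent, array|string $silentResponses, string $responseType): bool
{
    // Option semantics: 1 = require MFA after silent login, 0 = do not.
    // Anything other than an explicit "off" keeps MFA enforced.
    if (!in_array($mfaOnSilent, [0, '0', false], true)) {
        return false;
    }
    $type = strtolower(trim($responseType));
    return $type !== '' && in_array($type, normalizeSilentResponses($silentResponses), true);
}

// Constructed sample values, not taken from a real site configuration.
var_dump(skipCaptiveMfa(0, 'Cookie, PASSWORDLESS ', 'passwordless')); // option off, type listed
var_dump(skipCaptiveMfa(1, 'cookie,passwordless', 'passwordless'));   // option on: MFA required
var_dump(skipCaptiveMfa(0, ['cookie'], 'passwordless'));              // type not listed: MFA required
var_dump(skipCaptiveMfa('', 'cookie,passwordless', 'passwordless'));  // unknown value: MFA required
```

The maintainers closed this PR on the grounds that a passkey login should still be followed by the configured second factor; the fail-closed default above keeps that behaviour unless the site option is explicitly turned off.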

eshantharjun9-hub - open - 13 Mar 2026
eshantharjun9-hub - change - 13 Mar 2026
Status: New → Pending
joomla-cms-bot - change - 13 Mar 2026
Category: Front End Plugins
eshantharjun9-hub - change - 13 Mar 2026
Title: Fix passkey silent MFA enforcement → [5.4]Fix passkey silent MFA enforcement
eshantharjun9-hub - edited - 13 Mar 2026
eshantharjun9-hub - change - 13 Mar 2026
Labels Added: PR-5.4-dev
richard67 - change - 13 Mar 2026
Title: [5.4]Fix passkey silent MFA enforcement → [5.4] Fix passkey silent MFA enforcement
richard67 - edited - 13 Mar 2026
exlemor - comment - 14 Mar 2026

@eshantharjun9-hub sadly, not working for me, I'm getting "The credential ID is invalid."
I have tried several times...

Also, curiosity question, are you sure that you didn't use AI to generate the testing instructions? I ask because among other things:

Register a passkey for a user account (Users → Multi-factor Authentication → Passkey → Add).

I find those to be incorrect steps; it would be User Menu > Edit Account > Multi-Factor Authentication > Passkey Login. Click + Add New Passkey.

eshantharjun9-hub - comment - 14 Mar 2026

@eshantharjun9-hub sadly, not working for me, I'm getting "The credential ID is invalid." I have tried several times...

Also, curiosity question, are you sure that you didn't use AI to generate the testing instructions? I ask because among other things:

Register a passkey for a user account (Users → Multi-factor Authentication → Passkey → Add).

I find those to be incorrect steps; it would be User Menu > Edit Account > Multi-Factor Authentication > Passkey Login. Click + Add New Passkey.

I have done it on my own, just got some references from AI, and I will solve the issue as mentioned.

richard67 - comment - 14 Mar 2026

@eshantharjun9-hub I've allowed myself to fix the indentation of the since tag. Please pull changes from your remote into your git client or IDE so if you continue to work on your PR for some reason, these changes won't get lost.

eshantharjun9-hub - comment - 15 Mar 2026

@richard67

Is the issue solved, or do I need to do any modifications?

richard67 - comment - 15 Mar 2026

@richard67

Is the issue solved, or do I need to do any modifications?

@eshantharjun9-hub The code style issue which I had mentioned is resolved.

eshantharjun9-hub - comment - 16 Mar 2026

@richard67
Will the PR be merged, or is there any other issue to be solved? Please let me know so that I can work on it.

muhme - comment - 16 Mar 2026

@richard67 Will the PR be merged, or is there any other issue to be solved? Please let me know so that I can work on it.

@eshantharjun9-hub Thank you for your contribution. The next requirement is that this PR (like any other) must have two successful tests by other users and the results must be submitted to the Joomla issue tracker. If you are looking for more issues to fix, take a look at the open Issues. It is also very helpful to test other developers’ PRs.

brianteeman - comment - 16 Mar 2026

I thought this had already been fixed with #43796

HLeithner - change - 20 Mar 2026
Status: Pending → Closed
Closed_Date: 0000-00-00 00:00:00 → 2026-03-20 09:31:51
Closed_By: HLeithner
HLeithner - close - 20 Mar 2026
HLeithner - comment - 20 Mar 2026

As written in the issue, it's wrong to remove the second or more steps for MFA, since it's intended for Multi Factor to have more than one Factor.
I don't know what has been fixed in #43796; at least Joomla still checks for multi factor, which is the right thing.

I'm closing this PR.

sbrendel - comment - 20 Mar 2026

Hi Harald,

thank you for your opinion.

As the passkey needs to be saved securely somewhere, e.g. a FIDO key, and this FIDO key has its own authentication, like a PIN, I would say this is sufficient to be considered a second factor. Microsoft is accepting FIDO keys as phishing-resistant MFA, too, with, I think, the same argument.

However, there is the option, MFA after silent login, why is this there, if the setting is not considered?

To be more precise, I highly support you, if someone wants to have a second factor to secure all logins, even with passkey, they should have this option and it should be default.

But some are replacing TOTP with passkey for having a better user experience without lowering the security to protect against phishing, brute-force and password re-use; then it is fair to give them the option to change this MFA setting.

If you insist on having this as a second factor, then it would be good if we could use it as a second factor, meaning first login with password and then use passkey for the second factor... Currently it is annoying to have passkey and TOTP... If someone likes this, they can do this, but it is more convenient to use a password and the passkey instead of passkey + TOTP...

Edit: I see there are two places to add Passkeys... You can add them in Passkey Logon and under MFA... With passkey under MFA you can use passkey as MFA, which is sufficient for me...

Thanks in advance,

Stephan
