Years ago, I wrote an article for the KrautPress Advent calendar about the Two Factor plugin. This plugin, designed to enhance login security, remains a standard feature in every WordPress installation I manage. I’ve also been experimenting with installing an additional plugin in recent months. WebAuthn Provider for Two Factor extends the original Two Factor plugin by adding another authentication method: the so-called “WebAuthn,” also referred to as “Passkeys” by most operating systems and services.
The WebAuthn Provider for Two Factor plugin creates its own settings page but adds the most critical parts of its configuration directly to the Two Factor plugin’s settings under Users / Profile.
Initially, setting up the plugin was a bit complicated, but it has since received several updates. The process involves creating a security key for each user, enabling them to authenticate with this key as a second factor in addition to their username and password. Most modern browsers and operating systems already support Passkeys, and many of them (along with many password managers) even allow Passkeys to be synchronized across multiple devices.
As with the original Two Factor plugin, multiple authentication methods can still be used as a second factor. For example, a one-time code stored in a bank vault (depending on your level of paranoia) can be set up as an emergency fallback.
However, two important limitations must be kept in mind: First, this remains a second-factor method. Unlike Passkeys for many other services, WebAuthn Provider for Two Factor does not replace the username and password. Second, Passkeys have lost momentum in recent months after their initial hype subsided. Nonetheless, support in modern software remains strong enough to make testing worthwhile.