Advanced Passkeys for Secure Login

Passwords are the single biggest security risk for your WordPress site. They get leaked, reused, or broken by automated brute-force attacks. Standard Two-Factor Authentication (2FA) adds safety, but typing in temporary codes from SMS or authenticator apps introduces annoying friction to your daily workflow.

Advanced Passkeys for Secure Login brings the future of un-phishable, modern authentication directly to your WordPress site using the official FIDO2 / WebAuthn standard.

Users register a passkey just once using their device’s built-in biometric sensor (Face ID, Touch ID, Windows Hello) or a hardware security key (like a YubiKey). Future sign-ins take less than a second—completely bypassing the traditional password field.

Why Switch to Passkeys?

• Immune to Phishing: Passkeys are cryptographically bound to your specific domain. A fake login page cannot trick or steal a passkey.
• Goodbye Brute-Force: Because there is no static password on the server to guess, automated bot attacks are completely neutralized.
• Ultimate Ecosystem Sync: Works seamlessly with iCloud Keychain, Google Password Manager, and 1Password for painless cross-device access.

Ecosystem-Wide Integrations Included

Unlike basic alternatives, this plugin features intelligent, dependency-aware integration modules that automatically inject passkey entry points into your favorite plugins. It features out-of-the-box support for WooCommerce, Easy Digital Downloads, MemberPress, Ultimate Member, LearnDash, BuddyBoss, Gravity Forms, and PMPro.

Features

• One-Click Passwordless Auth: Adds a native “Sign in with Passkey” button directly to the WordPress login screen.
• Ecosystem Integrations: Built-in aware modules, blocks, and shortcodes for WooCommerce, MemberPress, LearnDash, BuddyBoss, and more.
• Gutenberg Blocks & Shortcodes: Automatically registers custom login cards and shortcodes based on active plugins.
• Admin Dashboard Overview: Keep track of credential performance with an Authenticator Overview card and Last Login activity logs.
• Granular Role Controls: Easily configure exactly which user roles are permitted to use passkey authentication (Default: Administrators).
• Brute-Force Rate Limiting: Hardened local security with built-in login rate-limiting and automated daily log cleanups.
• Multisite Compatible: Network-aware provisioning instantly configures security settings for newly created network sites.
• Clean Performance & Housekeeping: Lightweight footprint with a clean uninstall routine that leaves zero orphaned tables or options behind.

Developer Hooks: Last Used Pill

Developers can use these filters inside a theme or functionality plugin to globally customize or suppress the login form’s Last used passkey indicator pill.

Available filters

• advapafo_last_used_pill_freshness_days — default 90 days
• advapafo_last_used_pill_visible — final on/off override
• advapafo_last_used_pill_label — customize label text

Example implementation

<?php
/**
 * Example customization for Last used login pill.
 */

// Show pill if passkey login is within 120 days.
add_filter( 'advapafo_last_used_pill_freshness_days', function ( $days, $user ) {
    unset( $user );
    return 120;
}, 10, 2 );

// Hide pill for administrator accounts.
add_filter( 'advapafo_last_used_pill_visible', function ( $visible, $timestamp, $freshness_days, $user ) {
    unset( $timestamp, $freshness_days );

    if ( $user instanceof WP_User && in_array( 'administrator', (array) $user->roles, true ) ) {
        return false;
    }

    return $visible;
}, 10, 4 );

// Label override.
add_filter( 'advapafo_last_used_pill_label', function ( $label, $user ) {
    unset( $user );
    return 'Previously used';
}, 10, 2 );