Title: Advanced Passkeys for Secure Login Author: wppasskey Published: June 11, 2026 Last modified: June 11, 2026 --- Search plugins ![](https://ps.w.org/advanced-passkey-login/assets/banner-772x250.png?rev=3568208) ![](https://ps.w.org/advanced-passkey-login/assets/icon.svg?rev=3568208) # Advanced Passkeys for Secure Login By [wppasskey](https://profiles.wordpress.org/wppasskey/) [Download](https://downloads.wordpress.org/plugin/advanced-passkey-login.1.1.6.zip) * [Details](https://wordpress.org/plugins/advanced-passkey-login/#description) * [Reviews](https://wordpress.org/plugins/advanced-passkey-login/#reviews) * [Installation](https://wordpress.org/plugins/advanced-passkey-login/#installation) * [Development](https://wordpress.org/plugins/advanced-passkey-login/#developers) [Support](https://wordpress.org/support/plugin/advanced-passkey-login/) ## Description Passwords are the single biggest security risk for your WordPress site. They get leaked, reused, or broken by automated brute-force attacks. Standard Two-Factor Authentication (2FA) adds safety, but typing in temporary codes from SMS or authenticator apps introduces annoying friction to your daily workflow. **Advanced Passkeys for Secure Login** brings the future of un-phishable, modern authentication directly to your WordPress site using the official FIDO2 / WebAuthn standard. Users register a passkey just once using their device’s built-in biometric sensor( Face ID, Touch ID, Windows Hello) or a hardware security key (like a YubiKey). Future sign-ins take less than a second—completely bypassing the traditional password field. ### Why Switch to Passkeys? * **Immune to Phishing:** Passkeys are cryptographically bound to your specific domain. A fake login page cannot trick or steal a passkey. * **Goodbye Brute-Force:** Because there is no static password on the server to guess, automated bot attacks are completely neutralized. * **Ultimate Ecosystem Sync:** Works seamlessly with iCloud Keychain, Google Password Manager, and 1Password for painless cross-device access. ### Ecosystem-Wide Integrations Included Unlike basic alternatives, this plugin features intelligent, dependency-aware integration modules that automatically inject passkey entry points into your favorite plugins. It features out-of-the-box support for **WooCommerce, Easy Digital Downloads, MemberPress, Ultimate Member, LearnDash, BuddyBoss, Gravity Forms, and PMPro**. ### Features * **One-Click Passwordless Auth:** Adds a native “Sign in with Passkey” button directly to the WordPress login screen. * **Ecosystem Integrations:** Built-in aware modules, blocks, and shortcodes for WooCommerce, MemberPress, LearnDash, BuddyBoss, and more. * **Gutenberg Blocks & Shortcodes:** Automatically registers custom login cards and shortcodes based on active plugins. * **Admin Dashboard Overview:** Keep track of credential performance with an Authenticator Overview card and Last Login activity logs. * **Granular Role Controls:** Easily configure exactly which user roles are permitted to use passkey authentication (Default: Administrators). * **Brute-Force Rate Limiting:** Hardened local security with built-in login rate- limiting and automated daily log cleanups. * **Multisite Compatible:** Network-aware provisioning instantly configures security settings for newly created network sites. * **Clean Performance & Housekeeping:** Lightweight footprint with a clean uninstall routine that leaves zero orphaned tables or options behind. ### Developer Hooks: Last Used Pill Developers can use these filters inside a theme or functionality plugin to globally customize or suppress the login form’s Last used passkey indicator pill. #### Available filters * `advapafo_last_used_pill_freshness_days` — default 90 days * `advapafo_last_used_pill_visible` — final on/off override * `advapafo_last_used_pill_label` — customize label text #### Example implementation ``` roles, true ) ) { return false; } return $visible; }, 10, 4 ); // Label override. add_filter( 'advapafo_last_used_pill_label', function ( $label, $user ) { unset( $user ); return 'Previously used'; }, 10, 2 ); ``` ## Screenshots [⌊The seamless "Sign in with Passkey" action on the core WordPress login screen.⌉⌊ The seamless "Sign in with Passkey" action on the core WordPress login screen.⌉[ The seamless “Sign in with Passkey” action on the core WordPress login screen. [⌊Registering an authenticated biometric credential inside the user profile page.⌉⌊ Registering an authenticated biometric credential inside the user profile page.⌉[ Registering an authenticated biometric credential inside the user profile page. [⌊The centralized passkeys management table featuring real-time revoking controls.⌉⌊ The centralized passkeys management table featuring real-time revoking controls.⌉[ The centralized passkeys management table featuring real-time revoking controls. [⌊The Advanced Passkeys configuration dashboard featuring active integration indicators.⌉⌊ The Advanced Passkeys configuration dashboard featuring active integration indicators .⌉[ The Advanced Passkeys configuration dashboard featuring active integration indicators. [[ [[ [[ ## Blocks This plugin provides 4 blocks. * Passkey Login Button * Passkey Register Button * Account Passkeys * Passkey Setup Prompt ## Installation #### Automatic installation 1. In your WordPress admin, go to **Plugins > Add New** 2. Search for **Advanced Passkeys for Secure Login** 3. Click **Install Now** then **Activate** 4. Go to **Settings > Advanced Passkeys for Secure Login** and enable passkeys #### Manual installation 1. Download the plugin ZIP from WordPress.org 2. Go to **Plugins > Add New > Upload Plugin** and upload the ZIP 3. Click **Activate** 4. Go to **Settings > Advanced Passkeys for Secure Login** and enable passkeys #### After activation 1. Go to **Settings > Advanced Passkeys for Secure Login** — verify passkeys are enabled and select which roles may use them. 2. Visit **Users > Your Profile** and register your first passkey. 3. Sign out and confirm the **Sign in with Passkey** button appears on the login page. 4. Register a backup passkey on a second device to avoid lockout. #### Production & Local Environments Passkeys require a secure (HTTPS) connection context. The plugin will actively block passkey flows over plain HTTP in production. If you are testing locally without an SSL certificate, you can bypass this restriction by adding the following line to your `wp-config.php` file: ``` define( 'ADVAPAFO_ALLOW_HTTP', true ); (*Never use this in production!*) ``` ## FAQ ### Does this replace passwords entirely? No. Passkeys act as a seamless, high-security alternative sign-in method. Users retain their standard WordPress passwords as a reliable fallback. ### Which browsers and devices are supported? Any browser supporting the WebAuthn standard (all major platforms since 2022) including Chrome, Safari, Firefox, and Edge. Supported hardware includes iPhones, iPads, Macs, Android devices, Windows Hello machines, and physical FIDO2/U2F security keys like YubiKeys. ### Is HTTPS required? Yes, in production environments. The official WebAuthn specification mandates a secure context. See the local development instructions in the Installation tab to test locally via HTTP. ### What PHP extensions do I need? The plugin relies on `openssl`, `mbstring`, and `json`. These core extensions are compiled by default on almost every modern managed WordPress host. ### Can I control which user roles can use passkeys? Yes. Navigate to **Settings > Advanced Passkeys for Secure Login > Eligible Roles**. While it defaults strictly to Administrators, you can provision passkeys for any core or custom role on your site. ### Which shortcodes are available? **Core shortcodes:** * `[advapafo_login_button]` * `[advapafo_register_button]`*`[ advapafo_passkey_profile]` * `[advapafo_passkey_prompt]` **Integration-specific shortcodes:** (active when corresponding plugins are running) *`[ advapafo_woocommerce_login]` * `[advapafo_edd_login]` * `[advapafo_memberpress_login]`*`[ advapafo_ultimate_member_login]` * `[advapafo_learndash_login]` * `[advapafo_buddyboss_login]`*`[ advapafo_gravityforms_login]` * `[advapafo_pmp_login]` ### Which integration Gutenberg blocks are available? When an integration dependency is active, the plugin registers matching blocks: *` advanced-passkey-login/woocommerce-login-card` * `advanced-passkey-login/edd-login- card` * `advanced-passkey-login/memberpress-login-card` * `advanced-passkey-login/ ultimate-member-login-card` * `advanced-passkey-login/learndash-login-card` * `advanced- passkey-login/buddyboss-login-card` * `advanced-passkey-login/gravityforms-login- card` * `advanced-passkey-login/pmp-login-card` ### What happens if I deactivate or delete the plugin? Deactivating keeps your data safe. Deleting (uninstalling) triggers a strict housekeeping routine that cleanly drops the `wp_wpk_credentials`, `wp_wpk_rate_limits`, and ` wp_wpk_logs` tables alongside all `advapafo_*` options. ### Is the plugin multisite compatible? Yes. Database tables partition dynamically per site via `$wpdb->prefix`. Network activation auto-provisions existing sites and seamlessly configures any newly deployed network sites. ### Can I use a custom RP ID for subdomain setups? Yes. Simply add `define( 'ADVAPAFO_RP_ID', 'example.com' );` directly into your site’s `wp-config.php` file. ## Reviews There are no reviews for this plugin. ## Contributors & Developers “Advanced Passkeys for Secure Login” is open source software. The following people have contributed to this plugin. Contributors * [ wppasskey ](https://profiles.wordpress.org/wppasskey/) * [ mbuiux ](https://profiles.wordpress.org/mbuiux/) [Translate “Advanced Passkeys for Secure Login” into your language.](https://translate.wordpress.org/projects/wp-plugins/advanced-passkey-login) ### Interested in development? [Browse the code](https://plugins.trac.wordpress.org/browser/advanced-passkey-login/), check out the [SVN repository](https://plugins.svn.wordpress.org/advanced-passkey-login/), or subscribe to the [development log](https://plugins.trac.wordpress.org/log/advanced-passkey-login/) by [RSS](https://plugins.trac.wordpress.org/log/advanced-passkey-login/?limit=100&mode=stop_on_copy&format=rss). ## Changelog #### 1.1.6 * Improved: include WordPress.org assets directory in release source so banners, icon, and screenshots deploy via SVN automation. #### 1.1.5 * Improved: sanitize-early handling for transports and credential request inputs. * Improved: stricter nonce-gated debug query handling in settings. * Improved: output escaping hardening for integration-rendered markup and dynamic admin classes. * Improved: release and quality workflow validation guardrails (actionlint gate). #### 1.1.4 * Added: Dashboard tab with an Authenticator Overview card. * Added: Last Login activity card in the Dashboard tab. * Improved: nonce and capability enforcement across sensitive request handlers. * Improved: release packaging workflow with strict file allowlist validation. * Fixed: release automation now publishes real GitHub releases with attached installable ZIP. #### 1.1.2 * Added: integration manager for popular ecosystem plugins with dependency-aware module loading. * Added: integration-specific shortcodes and Gutenberg blocks. * Added: integration controls in settings with installed/not installed indicators. * Added: shortcode quick-start helper and improved shortcode documentation in admin UI. * Changed: removed legacy shortcode alias registrations and related legacy copy. * Changed: refreshed docs and translation template strings for current shortcode names. #### 1.1.1 * Updated: plugin name and user-facing references to “Advanced Passkeys for Secure Login”. * Updated: settings/UI copy to use the full plugin name. #### 1.1.0 * Added: dismissible “set up your passkey” nudge notice for eligible users. * Added: Passkeys column in the admin Users list showing count per user. * Added: Scheduled daily cleanup of expired rate-limit rows and old log entries. * Added: Challenge timeout setting in Settings > Advanced Passkeys for Secure Login > Advanced. * Added: Login redirect URL field in settings (fallback after passkey login). * Added: `[advapafo_login_button]` and `[advapafo_register_button]` shortcodes. * Added: Log retention period setting (days). * Improved: `get_challenge_ttl()` now reads from the settings UI. #### 1.0.0 * Initial release. ## Meta * Version **1.1.6** * Last updated **10 hours ago** * Active installations **Fewer than 10** * WordPress version ** 6.0 or higher ** * Tested up to **7.0** * PHP version ** 8.0 or higher ** * Tags * [login](https://wordpress.org/plugins/tags/login/)[passkeys](https://wordpress.org/plugins/tags/passkeys/) [passwordless](https://wordpress.org/plugins/tags/passwordless/)[security](https://wordpress.org/plugins/tags/security/) [webauthn](https://wordpress.org/plugins/tags/webauthn/) * [Advanced View](https://wordpress.org/plugins/advanced-passkey-login/advanced/) ## Ratings No reviews have been submitted yet. [Your review](https://wordpress.org/support/plugin/advanced-passkey-login/reviews/#new-post) [See all reviews](https://wordpress.org/support/plugin/advanced-passkey-login/reviews/) ## Contributors * [ wppasskey ](https://profiles.wordpress.org/wppasskey/) * [ mbuiux ](https://profiles.wordpress.org/mbuiux/) ## Support Got something to say? Need help? [View support forum](https://wordpress.org/support/plugin/advanced-passkey-login/)