[GH-ISSUE #791] Add support for signing in with passkeys #1107

Open
opened 2026-03-14 11:45:15 +03:00 by kerem · 1 comment

Originally created by @gracjankn on GitHub (Nov 19, 2025).
Original GitHub issue: https://github.com/anonaddy/anonaddy/issues/791

I’m happy that Addy.io supports passkeys (as well as physical security keys) as 2FA, but it’s not the ideal way of implementing WebAuthn.

Passkeys alone provide way better security compared to, e.g., a password with TOTP, and close to, if not equal to, a password with a U2F security key.

There's no need to require the user to enter the password before presenting a passkey. It provides little to no security benefit while making the experience worse.

It should be possible to sign in with just a passkey.

It can be done by adding a dedicated "Sign with a passkey" button to the login page. There's also a way for browsers to [automatically suggest a passkey](https://developers.yubico.com/WebAuthn/Concepts/Passkey_Autofill) to the user if one is available (similar to password autofill), making the experience even simpler.

I'm also of the opinion that it should be possible for users to fully remove the password from the account after adding one or more passkeys, thus creating a fully passwordless and phishing-resistant account.

If I have a passkey set up, the password is not an asset — it's a liability. I don't want it to be there.

At some point, it should also become possible to be able to sign up with a passkey, having never created a password in the first place.


@Pandooroo commented on GitHub (Feb 7, 2026):

I second this. I don't see much reason to have passkeys available if I'm required to log in with my credentials anyway whilst not having the option to log in via passkey.
