My GSOC topic "Bringing Password-less Authentication to Plone 6"

Hi there,

my suggested topic for GSOC 2023 is this:

The idea is to bring WebAuthn/FIDO2/Passkeys support into Plone for password-less authentication.

I would like to get some feedback regarding whether we want to see password-less authentication as the primary and only authentication option, or to use this functionality as a second factor.

These days, most larger sites (e.g. GitHub, Twitter) support WebAuthn/FIDO2/Passkeys as a second factor besides the primary standard username+password authentication.

Looking into the future, username + password will likely disappear and WebAuthn/FIDO2/Passkeys would be the primary and only authentication method (idea: you type your username into the Plone login form and authenticate using Touch ID or Face ID or whatever).

Q: Should the proposal focus on the future (getting rid of username/passwords completely) or do you want to see WebAuthn/FIDO2/Passkeys as 2nd factor option besides the standard username/password authentication?


It would be most useful to me if it is possible to use it either with or without username+password.

What impact does the choice have on the complexity of building it? My naive assumption would be that it should be implemented as PAS plugins, and then those plugins could be either combined with the existing auth plugins or used on their own. But I suppose maybe PAS makes it difficult to require successful authentication by multiple plugins, in order to have 2 factors?
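As an added illustration of the PAS question raised above (not code from the thread or from Plone), the Python below models PAS's authenticator loop, which accepts the first plugin that returns a user: stacking a password plugin and a WebAuthn plugin therefore yields "either factor is enough", and a real second factor has to be judged inside one plugin that sees both credentials. The relying-party ID, origin, user store and sample assertion are constructed; signature verification against the stored public key is assumed to be done by a FIDO library and is not shown.

```python
import base64, hashlib, hmac, json

RP_ID, ORIGIN = "plone.example", "https://plone.example"  # assumed relying-party id and origin

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_webauthn_assertion(cred, expected_challenge):
    """RP checks: ceremony type, origin, challenge, rpIdHash, user presence; signature check left to a FIDO lib (assumed)."""
    client = json.loads(b64url_decode(cred["clientDataJSON"]))
    if client.get("type") != "webauthn.get" or client.get("origin") != ORIGIN:
        return False
    if not hmac.compare_digest(client.get("challenge", ""), expected_challenge):
        return False
    auth_data = b64url_decode(cred["authenticatorData"])
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    return bool(auth_data[32] & 0x01)  # UP flag: a user was present

def make_test_assertion(challenge, origin=ORIGIN, rp_id=RP_ID, flags=0x01):
    """Constructed sample assertion (no signature) so the checks can run offline."""
    client = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return {"clientDataJSON": b64(client), "authenticatorData": b64(auth)}

class PasswordPlugin:  # first factor; constructed user store, PBKDF2 stands in for Plone's hasher
    SALT = b"constructed-salt"
    users = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}
    def authenticateCredentials(self, creds):
        login, pw = creds.get("login"), creds.get("password")
        if pw is None or login not in self.users:
            return None
        h = hashlib.pbkdf2_hmac("sha256", pw.encode(), self.SALT, 100_000)
        return (login, login) if hmac.compare_digest(h, self.users[login]) else None
class WebAuthnPlugin:  # second (or only) factor; one challenge issued per login when the ceremony starts
    def __init__(self, challenges): self.challenges = challenges
    def authenticateCredentials(self, creds):
        login, assertion = creds.get("login"), creds.get("assertion")
        if assertion and login in self.challenges and check_webauthn_assertion(assertion, self.challenges[login]):
            return login, login
        return None
class TwoFactorPlugin:  # judges both factors on one credential set, since PAS stops at the first success
    def __init__(self, *factors): self.factors = factors
    def authenticateCredentials(self, creds):
        results = [f.authenticateCredentials(creds) for f in self.factors]
        return results[0] if all(results) and len(set(results)) == 1 else None

def pas_authenticate(plugins, creds):  # simplified PAS loop: first authenticator returning a user wins
    return next((u for u in (p.authenticateCredentials(creds) for p in plugins) if u), None)
```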

I updated my project proposal and made some clarifications regarding the scope of my proposal.