Hi there,
my suggested topic for GSOC 2023 is this:
The idea is to bring WebAuthn/FIDO2/Passkeys support into Plone for password-less authentication.
I would like to get some feedback on whether we want to see password-less authentication as the primary and only authentication option, or to use this functionality as a 2nd factor.
These days, most larger sites (e.g. GitHub, Twitter) support WebAuthn/FIDO2/Passkeys as a second factor besides the primary standard username+password authentication.
Looking into the future, username + password will likely disappear and WebAuthn/FIDO2/Passkeys would be the primary and only authentication method (idea: you type your username into the Plone login form and authenticate using TouchID or FaceID or whatever).
Q: Should the proposal focus on the future (getting rid of usernames/passwords completely) or do you want to see WebAuthn/FIDO2/Passkeys as a 2nd factor option besides the standard username/password authentication?