django-allauth: Help needed testing Passkeys

The upcoming support for WebAuthn (including Passkeys) within django-allauth has reached a point where early feedback would be incredibly valuable. If you would like to help out, this is what you could do:

• Do some monkey testing of the live demo running over at https://django.demo.allauth.org/
• Similarly, test the React headless/single-page application version over at https://react.demo.allauth.org/
• Check out the updated headless API specification: allauth.headless OpenAPI Specification | django-allauth
• Try using the current main branch locally, or within your project. Note that you do need to add MFA_SUPPORTED_TYPES = ["totp", "webauthn", "recovery_codes"] and MFA_PASSKEY_LOGIN_ENABLED = True to your settings.py.

If you find anything out of the ordinary, please file an issue over at Issues · pennersr/django-allauth · GitHub

With your help, progress towards getting this in a release will be faster.

Thanks!

This is very exciting, I’m eager to smoke test the demos! However, is use of a valid email required for the demos? My first inclination was to use “a@example.com” as an email just to get through account registration, but then I’m asked to “verify my email address.” These are clearly throwaway account credentials and passkeys being demonstrated, can the email address verification be made optional for the demos?

Alas, that would would not work very well. For example, turning on 2FA for accounts with unverified email addresses is something allauth prohibits, as that would result in an attack vector that can be abused. For example, consider a service where a hacker signs up using your email. Obviously, (s)he cannot not verify the email, but if 2FA is turned on you are effectively locked out of your account…

You can use a temp email address for example from this service: https://temp-mail.org/en/