Django auth, admin, and passkeys

Mostly just trying to start a conversation about passkeys, to see how people are feeling.

Passkeys are picking up steam, and look really promising as a great way to avoid storing passwords at all. Django does a great job of keeping up with making sure the way we store passwords is done well by default, but not storing them at all would be better, and with passkeys seeming like they’re getting significant traction.

I’m working on implementing Passkeys into a project of mine, and the current state of the passkey support in third party libraries is still somewhat unpolished, though I’ve definitely been greatly helped by their existence. After a bit of fighting with how things clash between my project and the third party library I’m using (django-passkeys), I’ve been able to get passkey registration going, and that feels pretty good.

Now I’m thinking about where I want to use it, and the Django Admin immediately comes to mind. I am thinking to work on figuring out how to get the Django admin working with the passkeys the way I’ve started implementing them, but I’m also thinking about what barriers, beside volunteer time and general carefulness, might hinder adoption of passkeys in the default Django admin.

We tend to want to prove things in third-party packages first and that’s good even here, but I did want to see if folks have thoughts or gotchas that it would be worth considering as I’m wondering about whether this could be contributed to Django. Right now my thinking is to keep digging into it to understand it more, and that should help me get a bit better grasp on what it might take to bundle passkeys with Django.



here is Mohamed ElKalioby, the main contributor for django-passkeys.
Thanks for the nice words.

I think if you set your ‘LOGIN_URL’ to be the same LOGIN_URL where you are allowing your users to login to the app. Django Admin will redirect to that page which will allow passkeys.

I just finished listening to Passkeys for a passwordless future with Anna Pobletts from 1Password (Changelog Interviews #544) |> Changelog

And was thinking about the Django ecosystem. I am glad there is a package out there already and if the industry keeps going that way then it probably would make sense in my mind to have something like this in the Django auth module