Mostly just trying to start a conversation about passkeys, to see how people are feeling.
Passkeys are picking up steam, and look really promising as a great way to avoid storing passwords at all. Django does a great job of keeping up with making sure the way we store passwords is done well by default, but not storing them at all would be better, and passkeys seem like they’re getting significant traction.
I’m working on implementing passkeys into a project of mine, and the current state of the passkey support in third-party libraries is still somewhat unpolished, though I’ve definitely been greatly helped by their existence. After a bit of fighting with how things clash between my project and the third-party library I’m using (django-passkeys), I’ve been able to get passkey registration going, and that feels pretty good.
Now I’m thinking about where I want to use it, and the Django Admin immediately comes to mind. I am thinking of working on figuring out how to get the Django admin working with the passkeys the way I’ve started implementing them, but I’m also thinking about what barriers, besides volunteer time and general carefulness, might hinder adoption of passkeys in the default Django admin.
We tend to want to prove things in third-party packages first and that’s good even here, but I did want to see if folks have thoughts or gotchas that it would be worth considering as I’m wondering about whether this could be contributed to Django. Right now my thinking is to keep digging into it to understand it more, and that should help me get a bit of a better grasp on what it might take to bundle passkeys with Django.