Passkeys for WordPress: Phishing-Resistant Login With WebAuthn
WordPress passkey login removes the one thing attackers rely on: a secret that can be phished. ReportedIP Hive implements passkeys with WebAuthn/FIDO2 in the core — Face ID, Touch ID, Windows Hello and YubiKey — with no Composer dependency.
This guide explains why passkeys are phishing-resistant, how Hive’s in-house implementation works, and how to offer them alongside the other 2FA methods.
What is ReportedIP Hive?
ReportedIP Hive is a complete WordPress security plugin combining 12 attack sensors, four 2FA methods, progressive blocking and opt-in community threat intelligence. Passkeys are one of the four free 2FA methods. The full ReportedIP Hive feature set covers the rest.
Why passkeys beat one-time codes
A TOTP or SMS code can be typed into a fake login page; a passkey cannot. WebAuthn binds the credential to the site’s origin, so the authenticator simply refuses to sign for a look-alike domain. There is no shared secret to steal, no code to relay, and nothing for a phishing kit to capture. That is why passkeys are the strongest second factor Hive offers.
An in-house implementation, no third-party dependency
Hive’s WebAuthn support is written in-house, including its own CBOR parsing — there is no Composer package pulled in for it. That keeps the dependency surface small and auditable: the passkey code ships in the plugin you can read on GitHub, not in a vendored black box. It works with platform authenticators (Face ID, Touch ID, Windows Hello) and roaming keys (YubiKey and other FIDO2 hardware).
Passkeys as part of the full 2FA picture
A passkey counts as a valid non-email second factor, so it satisfies the password-reset gate that stops an account whose only second factor is email from resetting its password on its own. If a user loses their device, the 10 single-use recovery codes saved at enrolment get them back in. Wrong-attempt protection is shared with the rest of the 2FA suite through the same rate-limit ladder (3/5/10/15 fails → 30 s / 5 m / 30 m / 1 h, then a real block).
How to enable passkeys
Enable WebAuthn under Settings → Two-Factor, then each user registers a passkey from their profile — the browser prompts for the platform authenticator or hardware key. For headless flows, the registration and assertion handshakes are reachable through the reportedip-hive/v1 REST namespace (/2fa/challenge, /2fa/verify, /2fa/methods).
Related guides
- All four 2FA methods built into the core
- WooCommerce 2FA inside the storefront theme
- Managed mail and SMS relay for OTP fallbacks
The authentication documentation has the setup walkthrough. Browse the full ReportedIP Hive plugin guides, or read the specification at the W3C WebAuthn Level 2 page.