What is Web Authentication (WebAuthn) and How Do You Use it in Joomla! 4.0?

User security is always a concern when your website houses sensitive data. Joomla! 4.0 has implemented support for WebAuthn (W3C Web Authentication). This option allows you to use security keys and passwordless login, provided that you have an authenticator and a valid SSL certificate applied to the site.

This article covers the requirements for using WebAuthn. We will also demonstrate how to enable it for your users and where it can be disabled in the Joomla interface.

What is WebAuthn and How is it Supported in Joomla 4.0?

WebAuthn (short for Web Authentication) is a W3C (World Wide Web Consortium) standard for secure authentication on the web, supported by major internet browsers. It allows for passwords to be stored outside of the application, the verification of the use of HTTPS, and the use of an authentication system through compatible browsers, applications, or hardware keys. The specific requirements as listed by the Joomla developers can be found in this document: PR#289044. To summarize:

  • You must have a valid SSL certificate that allows access to your site through HTTPS
  • You must have an authenticator. A FIDO (Fast IDentity Online) or FIDO2 compatible hardware key is considered to be the best solution, but a software FIDO key may also be used. (Note: WebAuthn works through the Chrome browser)
  • You must have a WebAuthn-compatible browser. Currently, Google Chrome and Firefox are listed as working solutions
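
The three requirements above can be checked from the page itself before a user tries to register a key. The following is an added example, not code from Joomla or from the original article; the `env` parameter and the two sample objects are assumptions made so that the check also runs outside a browser.

```javascript
// Added example: preflight for the HTTPS, browser and authenticator requirements.
// `env` is a hypothetical stand-in for the browser's `window` object.
function checkWebAuthnRequirements(env) {
  const problems = [];
  const proto = env.location ? env.location.protocol : "";
  // Requirement: HTTPS. Browsers expose WebAuthn only in secure contexts,
  // and the article asks for HTTPS, so plain-http localhost is flagged too.
  if (!env.isSecureContext || proto !== "https:") {
    problems.push("site is not served over HTTPS (" + (proto || "unknown") + ")");
  }
  // Requirement: a browser that implements the Web Authentication API.
  const hasApi = typeof env.PublicKeyCredential === "function" &&
    !!(env.navigator && env.navigator.credentials &&
       typeof env.navigator.credentials.create === "function");
  if (!hasApi) problems.push("browser does not expose the WebAuthn API");
  return problems;
}

// Requirement: an authenticator. Only a built-in one ("This device") can be
// detected up front; a USB security key is discovered during registration.
async function hasBuiltInAuthenticator(env) {
  const pkc = env.PublicKeyCredential;
  if (typeof pkc !== "function" ||
      typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== "function") {
    return false;
  }
  return pkc.isUserVerifyingPlatformAuthenticatorAvailable();
}

// Constructed sample environments (not real browser objects).
function FakePublicKeyCredential() {}
FakePublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable =
  () => Promise.resolve(true);
const httpsChromeLike = {
  isSecureContext: true,
  location: { protocol: "https:" },
  PublicKeyCredential: FakePublicKeyCredential,
  navigator: { credentials: { create() {}, get() {} } },
};
const plainHttpOldBrowser = {
  isSecureContext: false,
  location: { protocol: "http:" },
  navigator: {},
};

// In a real page, pass the actual window object.
if (typeof window !== "undefined") {
  console.log(checkWebAuthnRequirements(window));
}
```

An empty result means the HTTPS and browser requirements are met; a `false` from `hasBuiltInAuthenticator` does not rule out a hardware key.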

When you load Joomla! 4.0, WebAuthn should be enabled by default. You can tell that it is active if you have a working SSL certificate and your login screen looks like this:

Web Authentication option when logging into Joomla

How Do You Enable WebAuthn For Your Users?

Before you can use WebAuthn for your login, you must let your users know that at this point the browsers they can use for login are either Google Chrome or Mozilla Firefox.  You will also need to make sure that your SSL certificate is valid and your website can use HTTPS when displayed in a browser. 

If you intend to allow the use of hardware keys like Yubikey or Google Titan, then these devices must be FIDO or FIDO2 compatible. Also, users should be warned of the consequences of losing a key. If you are a company and have employees using the WebAuthn login with a key, then you should have a policy in place for replacement keys and backups.

If you are a small operation or you’re the only one logging in with a key, then look into the backup policies and advice provided by the vendor who supplies your key.  For example, Yubikey advises that you keep a backup key. 

While they are considered the most secure option, the main drawback of hardware keys is that they are not free. You can expect to spend $30+ for each key purchased.

To enable WebAuthn for your users, make sure that they meet the requirements of having a compatible browser or hardware key. Then follow these steps:

  1. Log in to the Joomla Administrator Dashboard and click on Users in the main menu at the left.
  2. Click on the user that you want to modify.
  3. You will see the user with a tab for Web Authentication:


    web authentication tab

  4. Click on the W3C Web Authentication tab.  You will see the option to add an authenticator at the bottom.


    Add authentication device button

  5. Click on the green bar and you will get the option to add an authenticator.  In this example screenshot, I have the choice of a USB security key or This device.


    select authentication device


  6. When I completed adding the device, it was confirmed on the screen.


    Authentication device added


  7. Make sure to click on SAVE or SAVE & CLOSE in the top left corner.

At this point, WebAuthn has been enabled for the user and you can test it at the login screen. When the login screen appears, click on the Web Authentication button. A popup will appear asking for a password.

Once you type in the corresponding password, it will log you straight into the application.

How to Enable/Disable Passwordless Logins in Joomla

The option to enable or disable passwordless logins can be found in the System Plugins section.  Here are the steps to get to that section.

  1. Log in to the Joomla Administrator Dashboard
  2. Look for the Plugins button on the front page.  Click on this button.


    Plugins on Dashboard

  3. You can disable the plugin for passwordless login by clicking on its green checkmark.


    Enable or Disable passwordless option

If this option is disabled, then you will not see the web authentication login button on the login screen.

This completes our tutorial on WebAuthn in Joomla! 4.0 and how it’s used.  If you want to continue learning more about using Joomla, then please visit our InMotion Hosting Support Center website.

Arnel Custodio Content Writer I
