Passkey support

[rvst1104]

Add passkey support as a login option.

[drgimpfen]

yes please.
passwordless with only passkey would be even better

[Dasonic]

For those interested in this, my method has been to integrate pocket ID as an OIDC provider and enable OIDC only to have a passkey only login.

Of course this involves managing a whole other app, so a native option is still ideal for those who only host Trek.

[drgimpfen]

i did the same

[mauriceboe]

Thanks for the requests, everyone — passkey login is now implemented and will ship in the next release. 🎉

It's a native, self-contained WebAuthn implementation (no external IdP required), added as an admin-gated option that's off by default:

• Sign in with a passkey on the login page (Face ID / fingerprint / PIN / hardware key).
• Enrol & manage your passkeys in account settings.
• Admin toggle under Settings → Authentication to enable it instance-wide, with optional RP-ID / allowed-origin overrides for custom reverse-proxy setups.
• A user-verified passkey also satisfies the "require 2FA" policy, so you don't have to enrol TOTP on top of it.

@Dasonic — this means the Pocket-ID-over-OIDC workaround is no longer needed; it's built in now.

@drgimpfen — for the first version the passkey sits alongside your password (the password stays as a recovery fallback, so losing all your passkeys can never lock you out).