From cff6fdbf546228e9dccc1b750e6a29256b046d15 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Mon, 23 Mar 2026 17:07:12 +0100
Subject: [PATCH 01/37] Implementing passkeys as new login method for Hypha.

---
 hypha/apply/users/forms.py                    |   6 +-
 hypha/apply/users/middleware.py               |   6 +-
 hypha/apply/users/migrations/0028_passkeys.py |  45 +++
 hypha/apply/users/models.py                   |  28 ++
 hypha/apply/users/passkey_views.py            | 264 ++++++++++++++++++
 .../apply/users/templates/users/account.html  |  23 +-
 .../users}/includes/org_login_button.html     |   0
 .../users/includes/passkey_login_button.html  |  15 +
 .../includes/password_login_button.html       |   0
 .../includes/passwordless_login_button.html   |   0
 .../templates/users}/includes/user_menu.html  |   2 +-
 hypha/apply/users/templates/users/login.html  |  13 +-
 .../users/templates/users/partials/list.html  |  58 ++++
 .../users/passwordless_login_signup.html      |  17 +-
 hypha/apply/users/urls.py                     |  42 +++
 hypha/settings/base.py                        |  11 +
 hypha/static_src/javascript/passkeys.js       | 207 ++++++++++++++
 hypha/templates/base-apply.html               |   2 +-
 pyproject.toml                                |   1 +
 requirements/dev.txt                          |  51 ++++
 requirements/prod.txt                         |  51 ++++
 uv.lock                                       |  74 +++++
 22 files changed, 904 insertions(+), 12 deletions(-)
 create mode 100644 hypha/apply/users/migrations/0028_passkeys.py
 create mode 100644 hypha/apply/users/passkey_views.py
 rename hypha/{templates => apply/users/templates/users}/includes/org_login_button.html (100%)
 create mode 100644 hypha/apply/users/templates/users/includes/passkey_login_button.html
 rename hypha/{templates => apply/users/templates/users}/includes/password_login_button.html (100%)
 rename hypha/{templates => apply/users/templates/users}/includes/passwordless_login_button.html (100%)
 rename hypha/{templates => apply/users/templates/users}/includes/user_menu.html (97%)
 create mode 100644 hypha/apply/users/templates/users/partials/list.html
 create mode 100644 hypha/static_src/javascript/passkeys.js

diff --git a/hypha/apply/users/forms.py b/hypha/apply/users/forms.py
index 9a5a97031b..8c30835fbc 100644
--- a/hypha/apply/users/forms.py
+++ b/hypha/apply/users/forms.py
@@ -36,6 +36,8 @@ def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.user_settings = AuthSettings.load(request_or_site=self.request)
         self.extra_text = self.user_settings.extra_text
+        # Enable passkey autofill (conditional mediation) on the username field
+        self.fields["username"].widget.attrs["autocomplete"] = "username webauthn"
         if self.user_settings.consent_show:
             self.fields["consent"] = forms.BooleanField(
                 label=self.user_settings.consent_text,
@@ -55,7 +57,9 @@ class PasswordlessAuthForm(forms.Form):
         label=_("Email address"),
         required=True,
         max_length=254,
-        widget=forms.EmailInput(attrs={"autofocus": True, "autocomplete": "email"}),
+        widget=forms.EmailInput(
+            attrs={"autofocus": True, "autocomplete": "username webauthn"}
+        ),
     )
 
     if settings.SESSION_COOKIE_AGE <= settings.SESSION_COOKIE_AGE_LONG:
diff --git a/hypha/apply/users/middleware.py b/hypha/apply/users/middleware.py
index 07414f48fb..e632226ce4 100644
--- a/hypha/apply/users/middleware.py
+++ b/hypha/apply/users/middleware.py
@@ -103,7 +103,11 @@ def __call__(self, request):
         # code to execute before the view
         user = request.user
         if user.is_authenticated:
-            if user.social_auth.exists() or user.is_verified():
+            if (
+                user.social_auth.exists()
+                or user.is_verified()
+                or request.session.get("passkey_authenticated")
+            ):
                 return self._accept(request)
 
             # Allow rounds and lab detail pages
diff --git a/hypha/apply/users/migrations/0028_passkeys.py b/hypha/apply/users/migrations/0028_passkeys.py
new file mode 100644
index 0000000000..95c73c1f6e
--- /dev/null
+++ b/hypha/apply/users/migrations/0028_passkeys.py
@@ -0,0 +1,45 @@
+# Generated by Django 5.2.12 on 2026-03-23 15:16
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("users", "0027_remove_drupal_id_field"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="Passkey",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name="ID",
+                    ),
+                ),
+                ("name", models.CharField(blank=True, max_length=255)),
+                ("credential_id", models.TextField(unique=True)),
+                ("public_key", models.TextField()),
+                ("sign_count", models.PositiveBigIntegerField(default=0)),
+                ("created_at", models.DateTimeField(auto_now_add=True)),
+                ("last_used_at", models.DateTimeField(blank=True, null=True)),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="passkeys",
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+            ],
+            options={
+                "ordering": ["-created_at"],
+            },
+        ),
+    ]
diff --git a/hypha/apply/users/models.py b/hypha/apply/users/models.py
index 2653b1ea94..f0b188bd3b 100644
--- a/hypha/apply/users/models.py
+++ b/hypha/apply/users/models.py
@@ -470,3 +470,31 @@ class Meta:
         ordering = ("modified",)
         verbose_name = _("Confirm Access Token")
         verbose_name_plural = _("Confirm Access Tokens")
+
+
+class Passkey(models.Model):
+    """Stores a WebAuthn passkey credential for a user.
+
+    credential_id and public_key are stored as base64url-encoded strings,
+    matching the convention used by django-two-factor-auth's WebAuthn plugin.
+    """
+
+    user = models.ForeignKey(
+        settings.AUTH_USER_MODEL,
+        on_delete=models.CASCADE,
+        related_name="passkeys",
+    )
+    name = models.CharField(max_length=255, blank=True)
+    # base64url-encoded credential id (unique per authenticator)
+    credential_id = models.TextField(unique=True)
+    # base64url-encoded CASE public key
+    public_key = models.TextField()
+    sign_count = models.PositiveBigIntegerField(default=0)
+    created_at = models.DateTimeField(auto_now_add=True)
+    last_used_at = models.DateTimeField(null=True, blank=True)
+
+    class Meta:
+        ordering = ["-created_at"]
+
+    def __str__(self):
+        return self.name or f"Passkey {self.pk}"
diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
new file mode 100644
index 0000000000..74c6a4b59c
--- /dev/null
+++ b/hypha/apply/users/passkey_views.py
@@ -0,0 +1,264 @@
+import base64
+import json
+
+from django.conf import settings
+from django.contrib.auth import get_user_model, login
+from django.contrib.auth.decorators import login_required
+from django.core.exceptions import PermissionDenied
+from django.http import JsonResponse
+from django.shortcuts import get_object_or_404, render
+from django.utils import timezone
+from django.utils.decorators import method_decorator
+from django.views import View
+from django.views.decorators.csrf import csrf_protect
+from webauthn import (
+    generate_authentication_options,
+    generate_registration_options,
+    options_to_json,
+    verify_authentication_response,
+    verify_registration_response,
+)
+from webauthn.helpers import base64url_to_bytes, bytes_to_base64url
+from webauthn.helpers.structs import (
+    AuthenticationCredential,
+    AuthenticatorAssertionResponse,
+    AuthenticatorAttestationResponse,
+    AuthenticatorSelectionCriteria,
+    PublicKeyCredentialDescriptor,
+    RegistrationCredential,
+    ResidentKeyRequirement,
+    UserVerificationRequirement,
+)
+
+from .models import Passkey
+
+User = get_user_model()
+
+SESSION_CHALLENGE_KEY = "webauthn_challenge"
+
+
+def _get_rp_id(request):
+    rp_id = getattr(settings, "WEBAUTHN_RP_ID", None)
+    if rp_id:
+        return rp_id
+    return request.get_host().split(":")[0]
+
+
+def _get_rp_name():
+    return getattr(settings, "WEBAUTHN_RP_NAME", None) or settings.ORG_LONG_NAME
+
+
+def _get_origin(request):
+    origin = getattr(settings, "WEBAUTHN_ORIGIN", None)
+    if origin:
+        return origin
+    scheme = "https" if request.is_secure() else "http"
+    return f"{scheme}://{request.get_host()}"
+
+
+def _store_challenge(request, challenge: bytes):
+    request.session[SESSION_CHALLENGE_KEY] = base64.b64encode(challenge).decode()
+
+
+def _load_challenge(request) -> bytes:
+    encoded = request.session.pop(SESSION_CHALLENGE_KEY, None)
+    if not encoded:
+        raise PermissionDenied("No active WebAuthn challenge.")
+    return base64.b64decode(encoded)
+
+
+# ---------------------------------------------------------------------------
+# Registration — requires an authenticated user
+# ---------------------------------------------------------------------------
+
+
+@method_decorator(login_required, name="dispatch")
+@method_decorator(csrf_protect, name="dispatch")
+class PasskeyRegisterBeginView(View):
+    def post(self, request):
+        user = request.user
+        existing = [
+            PublicKeyCredentialDescriptor(id=base64url_to_bytes(pk.credential_id))
+            for pk in user.passkeys.all()
+        ]
+        options = generate_registration_options(
+            rp_id=_get_rp_id(request),
+            rp_name=_get_rp_name(),
+            user_id=str(user.pk).encode(),
+            user_name=user.email,
+            user_display_name=user.get_full_name() or user.email,
+            authenticator_selection=AuthenticatorSelectionCriteria(
+                resident_key=ResidentKeyRequirement.REQUIRED,
+                user_verification=UserVerificationRequirement.REQUIRED,
+            ),
+            exclude_credentials=existing,
+        )
+        _store_challenge(request, options.challenge)
+        return JsonResponse(json.loads(options_to_json(options)))
+
+
+@method_decorator(login_required, name="dispatch")
+@method_decorator(csrf_protect, name="dispatch")
+class PasskeyRegisterCompleteView(View):
+    def post(self, request):
+        try:
+            data = json.loads(request.body)
+        except (json.JSONDecodeError, ValueError):
+            return JsonResponse({"error": "Invalid JSON"}, status=400)
+
+        try:
+            challenge = _load_challenge(request)
+        except PermissionDenied as e:
+            return JsonResponse({"error": str(e)}, status=400)
+
+        try:
+            credential = RegistrationCredential(
+                id=data["id"],
+                raw_id=base64url_to_bytes(data["rawId"]),
+                response=AuthenticatorAttestationResponse(
+                    client_data_json=base64url_to_bytes(
+                        data["response"]["clientDataJSON"]
+                    ),
+                    attestation_object=base64url_to_bytes(
+                        data["response"]["attestationObject"]
+                    ),
+                    transports=data["response"].get("transports", []),
+                ),
+            )
+            verification = verify_registration_response(
+                credential=credential,
+                expected_challenge=challenge,
+                expected_rp_id=_get_rp_id(request),
+                expected_origin=_get_origin(request),
+                require_user_verification=True,
+            )
+        except Exception as exc:
+            return JsonResponse({"error": str(exc)}, status=400)
+
+        name = (data.get("name") or "").strip() or timezone.now().strftime(
+            "Passkey %Y-%m-%d"
+        )
+        Passkey.objects.create(
+            user=request.user,
+            name=name,
+            credential_id=bytes_to_base64url(verification.credential_id),
+            public_key=bytes_to_base64url(verification.credential_public_key),
+            sign_count=verification.sign_count,
+        )
+        return JsonResponse({"status": "ok"})
+
+
+# ---------------------------------------------------------------------------
+# Authentication — public (no session required)
+# ---------------------------------------------------------------------------
+
+
+@method_decorator(csrf_protect, name="dispatch")
+class PasskeyAuthBeginView(View):
+    def post(self, request):
+        options = generate_authentication_options(
+            rp_id=_get_rp_id(request),
+            user_verification=UserVerificationRequirement.REQUIRED,
+        )
+        _store_challenge(request, options.challenge)
+        return JsonResponse(json.loads(options_to_json(options)))
+
+
+@method_decorator(csrf_protect, name="dispatch")
+class PasskeyAuthCompleteView(View):
+    def post(self, request):
+        try:
+            data = json.loads(request.body)
+        except (json.JSONDecodeError, ValueError):
+            return JsonResponse({"error": "Invalid JSON"}, status=400)
+
+        try:
+            challenge = _load_challenge(request)
+        except PermissionDenied as e:
+            return JsonResponse({"error": str(e)}, status=400)
+
+        credential_id_b64 = bytes_to_base64url(base64url_to_bytes(data["rawId"]))
+        try:
+            passkey = Passkey.objects.select_related("user").get(
+                credential_id=credential_id_b64
+            )
+        except Passkey.DoesNotExist:
+            return JsonResponse({"error": "Unknown credential"}, status=400)
+
+        try:
+            user_handle = data["response"].get("userHandle")
+            credential = AuthenticationCredential(
+                id=data["id"],
+                raw_id=base64url_to_bytes(data["rawId"]),
+                response=AuthenticatorAssertionResponse(
+                    client_data_json=base64url_to_bytes(
+                        data["response"]["clientDataJSON"]
+                    ),
+                    authenticator_data=base64url_to_bytes(
+                        data["response"]["authenticatorData"]
+                    ),
+                    signature=base64url_to_bytes(data["response"]["signature"]),
+                    user_handle=base64url_to_bytes(user_handle)
+                    if user_handle
+                    else None,
+                ),
+            )
+            verification = verify_authentication_response(
+                credential=credential,
+                expected_challenge=challenge,
+                expected_rp_id=_get_rp_id(request),
+                expected_origin=_get_origin(request),
+                credential_public_key=base64url_to_bytes(passkey.public_key),
+                credential_current_sign_count=passkey.sign_count,
+                require_user_verification=True,
+            )
+        except Exception as exc:
+            return JsonResponse({"error": str(exc)}, status=400)
+
+        passkey.sign_count = verification.new_sign_count
+        passkey.last_used_at = timezone.now()
+        passkey.save(update_fields=["sign_count", "last_used_at"])
+
+        user = passkey.user
+        login(request, user, backend="django.contrib.auth.backends.ModelBackend")
+        request.session["passkey_authenticated"] = True
+
+        next_url = request.POST.get("next") or data.get("next") or "/"
+        return JsonResponse({"status": "ok", "redirect_url": next_url})
+
+
+# ---------------------------------------------------------------------------
+# Passkey management — account page
+# ---------------------------------------------------------------------------
+
+
+@method_decorator(login_required, name="dispatch")
+class PasskeyListView(View):
+    template_name = "users/partials/list.html"
+
+    def get(self, request):
+        passkeys = request.user.passkeys.all()
+        return render(request, self.template_name, {"passkeys": passkeys})
+
+
+@method_decorator(login_required, name="dispatch")
+@method_decorator(csrf_protect, name="dispatch")
+class PasskeyDeleteView(View):
+    def post(self, request, pk):
+        passkey = get_object_or_404(Passkey, pk=pk, user=request.user)
+        passkey.delete()
+        passkeys = request.user.passkeys.all()
+        return render(request, "users/partials/list.html", {"passkeys": passkeys})
+
+
+@method_decorator(login_required, name="dispatch")
+@method_decorator(csrf_protect, name="dispatch")
+class PasskeyRenameView(View):
+    def post(self, request, pk):
+        passkey = get_object_or_404(Passkey, pk=pk, user=request.user)
+        name = request.POST.get("name", "").strip()
+        if name:
+            passkey.name = name
+            passkey.save(update_fields=["name"])
+        passkeys = request.user.passkeys.all()
+        return render(request, "users/partials/list.html", {"passkeys": passkeys})
diff --git a/hypha/apply/users/templates/users/account.html b/hypha/apply/users/templates/users/account.html
index b3561c7feb..3bfcaf0871 100644
--- a/hypha/apply/users/templates/users/account.html
+++ b/hypha/apply/users/templates/users/account.html
@@ -1,5 +1,5 @@
 {% extends 'base-apply.html' %}
-{% load i18n users_tags wagtailcore_tags heroicons %}
+{% load i18n users_tags wagtailcore_tags heroicons static %}
 
 {% block title %}{% trans "Account" %}{% endblock %}
 
@@ -93,6 +93,23 @@ <h3 class="mb-2 text-sm font-semibold">
                 {% endif %}
             </p>
 
+            <h3 class="mt-6 mb-2 text-sm font-semibold">{% trans "Passkeys" %}</h3>
+            <p class="mb-2 text-sm text-fg-muted">
+                {% trans "Passkeys use your device's biometrics or PIN to sign in securely without a password." %}
+            </p>
+
+            {# Hidden inputs supply the API URLs to passkeys.js #}
+            <input type="hidden" id="passkey-register-begin-url" value="{% url 'users:passkey_register_begin' %}">
+            <input type="hidden" id="passkey-register-complete-url" value="{% url 'users:passkey_register_complete' %}">
+
+            <div
+                hx-get="{% url 'users:passkey_list' %}"
+                hx-trigger="load"
+                hx-swap="innerHTML"
+            >
+                <div class="w-full h-8 rounded animate-pulse bg-base-300"></div>
+            </div>
+
             {# Remove the comment block tags below when such need arises. e.g. adding new providers #}
             {% comment %}
             {% can_use_oauth as show_oauth_link %}
@@ -108,3 +125,7 @@ <h3 class="mb-2 text-base">{% trans "Manage OAuth" %}</h3>
         </div>
     </div>
 {% endblock %}
+
+{% block extra_js %}
+    <script src="{% static 'js/passkeys.js' %}"></script>
+{% endblock %}
diff --git a/hypha/templates/includes/org_login_button.html b/hypha/apply/users/templates/users/includes/org_login_button.html
similarity index 100%
rename from hypha/templates/includes/org_login_button.html
rename to hypha/apply/users/templates/users/includes/org_login_button.html
diff --git a/hypha/apply/users/templates/users/includes/passkey_login_button.html b/hypha/apply/users/templates/users/includes/passkey_login_button.html
new file mode 100644
index 0000000000..e4c880ecf7
--- /dev/null
+++ b/hypha/apply/users/templates/users/includes/passkey_login_button.html
@@ -0,0 +1,15 @@
+{% load i18n heroicons %}
+<button
+    type="button"
+    id="btn-passkey-login"
+    class="btn btn-secondary btn-outline"
+    data-passkey-ui
+    hidden
+    onclick="hypha.passkeys.authenticate()"
+>
+    {% heroicon_micro "key" class="inline size-4" aria_hidden=true %}
+    {% trans "Sign in with passkey" %}
+</button>
+<p id="passkey-auth-error" class="mt-2 text-sm text-error" hidden></p>
+<input type="hidden" id="passkey-auth-begin-url" value="{% url 'users:passkey_auth_begin' %}">
+<input type="hidden" id="passkey-auth-complete-url" value="{% url 'users:passkey_auth_complete' %}">
diff --git a/hypha/templates/includes/password_login_button.html b/hypha/apply/users/templates/users/includes/password_login_button.html
similarity index 100%
rename from hypha/templates/includes/password_login_button.html
rename to hypha/apply/users/templates/users/includes/password_login_button.html
diff --git a/hypha/templates/includes/passwordless_login_button.html b/hypha/apply/users/templates/users/includes/passwordless_login_button.html
similarity index 100%
rename from hypha/templates/includes/passwordless_login_button.html
rename to hypha/apply/users/templates/users/includes/passwordless_login_button.html
diff --git a/hypha/templates/includes/user_menu.html b/hypha/apply/users/templates/users/includes/user_menu.html
similarity index 97%
rename from hypha/templates/includes/user_menu.html
rename to hypha/apply/users/templates/users/includes/user_menu.html
index 6e1f049280..462fd66d76 100644
--- a/hypha/templates/includes/user_menu.html
+++ b/hypha/apply/users/templates/users/includes/user_menu.html
@@ -95,7 +95,7 @@
 {% else %}
     <a
         class="btn btn-outline btn-secondary"
-        href="{{ APPLY_SITE.root_url }}{% url 'users:passwordless_login_signup' %}{% if redirect_url %}?next={{ redirect_url }}{% endif %}"
+        href="{% url 'users:passwordless_login_signup' %}{% if redirect_url %}?next={{ redirect_url }}{% endif %}"
     >
         {% heroicon_micro "user" class="inline align-text-bottom size-4 me-1" aria_hidden=true %}
         {% trans "Log in" %} {% if ENABLE_PUBLIC_SIGNUP %} {% trans " or Sign up" %} {% endif %}
diff --git a/hypha/apply/users/templates/users/login.html b/hypha/apply/users/templates/users/login.html
index 0bab347af5..91803c144e 100644
--- a/hypha/apply/users/templates/users/login.html
+++ b/hypha/apply/users/templates/users/login.html
@@ -1,5 +1,5 @@
 {% extends "base-apply.html" %}
-{% load i18n wagtailcore_tags heroicons %}
+{% load i18n wagtailcore_tags heroicons static %}
 
 {% block title %}{% trans "Log in" %}{% endblock %}
 
@@ -91,9 +91,10 @@ <h1 class="mb-4 text-h1">
 
                     <section class="flex-wrap card-actions">
                         {% if GOOGLE_OAUTH2 %}
-                            {% include "includes/org_login_button.html" %}
+                            {% include "users/includes/org_login_button.html" %}
                         {% endif %}
-                        {% include "includes/passwordless_login_button.html" %}
+                        {% include "users/includes/passwordless_login_button.html" %}
+                        {% include "users/includes/passkey_login_button.html" %}
                     </section>
 
                 {% else %}
@@ -142,6 +143,12 @@ <h1 class="mb-4 text-h1">
 
 {% block extra_js %}
     {{ block.super }}
+    <script src="{% static 'js/passkeys.js' %}"></script>
+    <script>
+        document.addEventListener("DOMContentLoaded", function () {
+            hypha.passkeys.initUI();
+        });
+    </script>
     {# Fix copy of dynamic fields label #}
     <script>
         var labelOtpToken = document.querySelector("label[for=id_token-otp_token]");
diff --git a/hypha/apply/users/templates/users/partials/list.html b/hypha/apply/users/templates/users/partials/list.html
new file mode 100644
index 0000000000..6fd320a48c
--- /dev/null
+++ b/hypha/apply/users/templates/users/partials/list.html
@@ -0,0 +1,58 @@
+{% load i18n heroicons %}
+<div id="passkey-list">
+    {% if passkeys %}
+        <ul class="flex flex-col gap-2">
+            {% for passkey in passkeys %}
+                <li class="flex gap-2 items-center p-2 rounded border bg-base-100">
+                    {% heroicon_micro "key" class="shrink-0 size-4 text-fg-muted" aria_hidden=true %}
+                    <form
+                        hx-post="{% url 'users:passkey_rename' passkey.pk %}"
+                        hx-target="#passkey-list"
+                        hx-swap="outerHTML"
+                        class="flex flex-1 gap-2 items-center"
+                    >
+                        {% csrf_token %}
+                        <input
+                            type="text"
+                            name="name"
+                            value="{{ passkey.name }}"
+                            class="flex-1 input input-xs input-ghost"
+                            aria-label="{% trans 'Passkey name' %}"
+                            required
+                        />
+                        <button type="submit" class="btn btn-ghost btn-xs" title="{% trans 'Save name' %}">
+                            {% heroicon_micro "check" class="size-3" aria_hidden=true %}
+                        </button>
+                    </form>
+                    <span class="text-xs text-fg-muted shrink-0">{{ passkey.created_at|date:"Y-m-d" }}</span>
+                    <form
+                        hx-post="{% url 'users:passkey_delete' passkey.pk %}"
+                        hx-target="#passkey-list"
+                        hx-swap="outerHTML"
+                        hx-confirm="{% trans 'Delete this passkey?' %}"
+                    >
+                        {% csrf_token %}
+                        <button type="submit" class="btn btn-ghost btn-xs text-error" title="{% trans 'Delete passkey' %}">
+                            {% heroicon_micro "trash" class="size-3" aria_hidden=true %}
+                        </button>
+                    </form>
+                </li>
+            {% endfor %}
+        </ul>
+    {% else %}
+        <p class="text-sm text-fg-muted">{% trans "No passkeys registered." %}</p>
+    {% endif %}
+
+    <div class="mt-3">
+        <button
+            type="button"
+            id="btn-add-passkey"
+            class="btn btn-sm btn-secondary btn-outline"
+            onclick="hypha.passkeys.register(this)"
+        >
+            {% heroicon_micro "plus" class="size-3" aria_hidden=true %}
+            {% trans "Add passkey" %}
+        </button>
+    </div>
+    <p id="passkey-error" class="mt-2 text-sm text-error" hidden></p>
+</div>
diff --git a/hypha/apply/users/templates/users/passwordless_login_signup.html b/hypha/apply/users/templates/users/passwordless_login_signup.html
index 20c88f8433..a694ed0b00 100644
--- a/hypha/apply/users/templates/users/passwordless_login_signup.html
+++ b/hypha/apply/users/templates/users/passwordless_login_signup.html
@@ -1,5 +1,5 @@
 {% extends base_template %}
-{% load i18n wagtailcore_tags heroicons %}
+{% load i18n wagtailcore_tags heroicons static %}
 
 {% block title %}
     {% trans "Log in" %}{% if ENABLE_PUBLIC_SIGNUP %} {% trans "or" %} {% trans "Sign up" %}{% endif %}
@@ -51,12 +51,21 @@ <h1 class="mb-4 text-h1">
 
                 <section class="flex-wrap card-actions">
                     {% if GOOGLE_OAUTH2 %}
-                        {% include "includes/org_login_button.html" %}
+                        {% include "users/includes/org_login_button.html" %}
                     {% endif %}
-
-                    {% include "includes/password_login_button.html" %}
+                    {% include "users/includes/password_login_button.html" %}
+                    {% include "users/includes/passkey_login_button.html" %}
                 </section>
             </form>
         </section>
     </div>
 {% endblock %}
+
+{% block extra_js %}
+    <script src="{% static 'js/passkeys.js' %}"></script>
+    <script>
+        document.addEventListener("DOMContentLoaded", function () {
+            hypha.passkeys.initUI();
+        });
+    </script>
+{% endblock %}
diff --git a/hypha/apply/users/urls.py b/hypha/apply/users/urls.py
index 23d51f75f2..1d52bc3131 100644
--- a/hypha/apply/users/urls.py
+++ b/hypha/apply/users/urls.py
@@ -6,6 +6,15 @@
 
 from hypha.elevate.views import elevate as elevate_view
 
+from .passkey_views import (
+    PasskeyAuthBeginView,
+    PasskeyAuthCompleteView,
+    PasskeyDeleteView,
+    PasskeyListView,
+    PasskeyRegisterBeginView,
+    PasskeyRegisterCompleteView,
+    PasskeyRenameView,
+)
 from .views import (
     AccountView,
     ActivationView,
@@ -39,6 +48,17 @@
     ),
     path("login/", LoginView.as_view(), name="login"),
     path("logout/", auth_views.LogoutView.as_view(next_page="/"), name="logout"),
+    # Passkey authentication — public (no login required)
+    path(
+        "passkeys/auth/begin/",
+        PasskeyAuthBeginView.as_view(),
+        name="passkey_auth_begin",
+    ),
+    path(
+        "passkeys/auth/complete/",
+        PasskeyAuthCompleteView.as_view(),
+        name="passkey_auth_complete",
+    ),
 ]
 
 account_urls = [
@@ -115,6 +135,28 @@
         name="activate",
     ),
     path("hijack/", hijack_view, name="hijack"),
+    # Passkey management
+    path("passkeys/", PasskeyListView.as_view(), name="passkey_list"),
+    path(
+        "passkeys/register/begin/",
+        PasskeyRegisterBeginView.as_view(),
+        name="passkey_register_begin",
+    ),
+    path(
+        "passkeys/register/complete/",
+        PasskeyRegisterCompleteView.as_view(),
+        name="passkey_register_complete",
+    ),
+    path(
+        "passkeys/<int:pk>/delete/",
+        PasskeyDeleteView.as_view(),
+        name="passkey_delete",
+    ),
+    path(
+        "passkeys/<int:pk>/rename/",
+        PasskeyRenameView.as_view(),
+        name="passkey_rename",
+    ),
     path("activate/", create_password, name="activate_password"),
     path("oauth", oauth, name="oauth"),
     # 2FA
diff --git a/hypha/settings/base.py b/hypha/settings/base.py
index 181ac8b0ec..24b6fef630 100644
--- a/hypha/settings/base.py
+++ b/hypha/settings/base.py
@@ -33,6 +33,17 @@
 # IF Hypha should enforce 2FA for all users.
 ENFORCE_TWO_FACTOR = env.bool("ENFORCE_TWO_FACTOR", False)
 
+# WebAuthn / Passkey settings.
+# WEBAUTHN_RP_ID: the relying party domain, e.g. "example.com" (no port, no scheme).
+#   Defaults to the request host if not set.
+# WEBAUTHN_ORIGIN: the full origin, e.g. "https://example.com".
+#   Defaults to the request origin if not set.
+# WEBAUTHN_RP_NAME: display name shown in the browser passkey UI.
+#   Defaults to ORG_LONG_NAME.
+WEBAUTHN_RP_ID = env.str("WEBAUTHN_RP_ID", None)
+WEBAUTHN_RP_NAME = env.str("WEBAUTHN_RP_NAME", None)
+WEBAUTHN_ORIGIN = env.str("WEBAUTHN_ORIGIN", None)
+
 # Set the allowed file extension for all uploads fields.
 FILE_ALLOWED_EXTENSIONS = [
     "doc",
diff --git a/hypha/static_src/javascript/passkeys.js b/hypha/static_src/javascript/passkeys.js
new file mode 100644
index 0000000000..1211c4f9a8
--- /dev/null
+++ b/hypha/static_src/javascript/passkeys.js
@@ -0,0 +1,207 @@
+/**
+ * WebAuthn passkey support using native browser APIs.
+ *
+ * Uses the stable native APIs available in all major browsers since March 2025:
+ *   - PublicKeyCredential.parseCreationOptionsFromJSON()
+ *   - PublicKeyCredential.parseRequestOptionsFromJSON()
+ *   - PublicKeyCredential.prototype.toJSON()
+ *
+ * Availability is checked via isUserVerifyingPlatformAuthenticatorAvailable()
+ * (not just window.PublicKeyCredential) so macOS Touch ID, Windows Hello,
+ * iOS Face ID etc. are properly detected.
+ */
+
+window.hypha = window.hypha || {};
+
+window.hypha.passkeys = (function () {
+  function getCsrfToken() {
+    const el = document.querySelector("[name=csrfmiddlewaretoken]");
+    if (el) return el.value;
+    const cookie = document.cookie
+      .split(";")
+      .find((c) => c.trim().startsWith("csrftoken="));
+    return cookie ? cookie.split("=")[1] : "";
+  }
+
+  function jsonPost(url, body) {
+    return fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-CSRFToken": getCsrfToken(),
+      },
+      body: JSON.stringify(body),
+    });
+  }
+
+  /**
+   * Returns true when the current device has a platform authenticator
+   * (Touch ID, Windows Hello, Face ID, …) and the browser supports passkeys.
+   */
+  async function isPlatformAuthenticatorAvailable() {
+    if (
+      !window.PublicKeyCredential ||
+      !PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable
+    )
+      return false;
+    return PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
+  }
+
+  /**
+   * Show passkey-related UI elements only when the platform supports them.
+   * Call this on DOMContentLoaded — elements with data-passkey-ui are hidden
+   * by default and revealed here.
+   */
+  async function initUI() {
+    const [platformOk, conditionalOk] = await Promise.all([
+      isPlatformAuthenticatorAvailable().catch(() => false),
+      (
+        window.PublicKeyCredential?.isConditionalMediationAvailable?.() ??
+        Promise.resolve(false)
+      ).catch(() => false),
+    ]);
+
+    if (platformOk) {
+      document
+        .querySelectorAll("[data-passkey-ui]")
+        .forEach((el) => el.removeAttribute("hidden"));
+    }
+
+    if (conditionalOk) {
+      _startConditionalMediation();
+    }
+  }
+
+  /**
+   * Register a new passkey for the currently authenticated user.
+   * Called from the account page "Add passkey" button.
+   */
+  async function register(triggerEl) {
+    const beginUrl = document.getElementById(
+      "passkey-register-begin-url"
+    )?.value;
+    const completeUrl = document.getElementById(
+      "passkey-register-complete-url"
+    )?.value;
+    if (!beginUrl || !completeUrl) return;
+
+    const name = prompt("Name this passkey (e.g. 'MacBook Touch ID'):", "");
+    if (name === null) return; // user cancelled
+
+    const errorEl = document.getElementById("passkey-error");
+
+    try {
+      if (triggerEl) triggerEl.disabled = true;
+
+      // Step 1: fetch registration options from server
+      const beginResp = await jsonPost(beginUrl, {});
+      if (!beginResp.ok) {
+        const err = await beginResp.json();
+        throw new Error(err.error || "Server error");
+      }
+      const options = await beginResp.json();
+
+      // Step 2: trigger native OS passkey creation UI (Touch ID / Windows Hello / …)
+      const credential = await navigator.credentials.create({
+        publicKey: PublicKeyCredential.parseCreationOptionsFromJSON(options),
+      });
+
+      // Step 3: send the signed response to the server
+      const completeResp = await jsonPost(completeUrl, {
+        ...credential.toJSON(),
+        name: name.trim(),
+      });
+      if (!completeResp.ok) {
+        const err = await completeResp.json();
+        throw new Error(err.error || "Registration failed");
+      }
+
+      // Reload to show the new passkey in the list
+      window.location.reload();
+    } catch (err) {
+      // NotAllowedError means the user dismissed the native OS dialog — not an error.
+      if (err.name !== "NotAllowedError" && errorEl) {
+        errorEl.textContent = err.message;
+        errorEl.hidden = false;
+      }
+    } finally {
+      if (triggerEl) triggerEl.disabled = false;
+    }
+  }
+
+  /**
+   * Authenticate with a passkey via an explicit button click on the login page.
+   */
+  async function authenticate() {
+    const beginUrl = document.getElementById("passkey-auth-begin-url")?.value;
+    const completeUrl = document.getElementById(
+      "passkey-auth-complete-url"
+    )?.value;
+    if (!beginUrl || !completeUrl) return;
+
+    const errorEl = document.getElementById("passkey-auth-error");
+
+    try {
+      const beginResp = await jsonPost(beginUrl, {});
+      if (!beginResp.ok) throw new Error("Failed to begin authentication");
+      const authOptions = await beginResp.json();
+
+      // Triggers native OS passkey selection UI
+      const credential = await navigator.credentials.get({
+        publicKey: PublicKeyCredential.parseRequestOptionsFromJSON(authOptions),
+      });
+
+      const completeResp = await jsonPost(completeUrl, credential.toJSON());
+      if (!completeResp.ok) {
+        const err = await completeResp.json();
+        throw new Error(err.error || "Authentication failed");
+      }
+      const data = await completeResp.json();
+      window.location.href = data.redirect_url || "/";
+    } catch (err) {
+      // NotAllowedError / AbortError = user dismissed the native UI.
+      if (err.name !== "NotAllowedError" && err.name !== "AbortError") {
+        if (errorEl) {
+          errorEl.textContent = err.message;
+          errorEl.hidden = false;
+        }
+      }
+    }
+  }
+
+  /**
+   * Internal: start conditional mediation (passkey autofill on the login page).
+   * The email input needs autocomplete="username webauthn" for this to work.
+   */
+  async function _startConditionalMediation() {
+    const beginUrl = document.getElementById("passkey-auth-begin-url")?.value;
+    const completeUrl = document.getElementById(
+      "passkey-auth-complete-url"
+    )?.value;
+    if (!beginUrl || !completeUrl) return;
+
+    try {
+      const beginResp = await jsonPost(beginUrl, {});
+      if (!beginResp.ok) return;
+      const authOptions = await beginResp.json();
+
+      // mediation:"conditional" shows registered passkeys in the browser
+      // autofill dropdown next to the email field — no explicit user gesture needed.
+      const credential = await navigator.credentials.get({
+        publicKey: PublicKeyCredential.parseRequestOptionsFromJSON(authOptions),
+        mediation: "conditional",
+      });
+
+      if (!credential) return;
+
+      const completeResp = await jsonPost(completeUrl, credential.toJSON());
+      if (!completeResp.ok) return;
+      const data = await completeResp.json();
+      window.location.href = data.redirect_url || "/";
+    } catch (_err) {
+      // Expected: aborted when user submits the password form normally.
+    }
+  }
+
+  return { initUI, register, authenticate };
+})();
diff --git a/hypha/templates/base-apply.html b/hypha/templates/base-apply.html
index 89b3bd160c..b53581de0e 100644
--- a/hypha/templates/base-apply.html
+++ b/hypha/templates/base-apply.html
@@ -44,7 +44,7 @@
                 {% endif %}
 
                 {% if request.path != '/auth/' and request.path != '/login/' %}
-                    {% include "includes/user_menu.html" %}
+                    {% include "users/includes/user_menu.html" %}
                 {% endif %}
 
                 <button
diff --git a/pyproject.toml b/pyproject.toml
index b04372935a..126875d883 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -54,6 +54,7 @@ dependencies = [
     "svgwrite~=1.4.3",
     "wagtail-modeladmin~=2.2.0",
     "wagtail~=7.0.5",
+    "webauthn~=2.2.0",
     "whitenoise~=6.11.0",
     "xhtml2pdf~=0.2.17",
 ]
diff --git a/requirements/dev.txt b/requirements/dev.txt
index fde007049c..32e280c59d 100644
--- a/requirements/dev.txt
+++ b/requirements/dev.txt
@@ -35,6 +35,7 @@ asn1crypto==1.5.1 \
     #   oscrypto
     #   pyhanko
     #   pyhanko-certvalidator
+    #   webauthn
 ast-serialize==0.4.0 \
     --hash=sha256:074032142777e3e6091977dc3c5146a8ca58ae6825b7f64e9a0b604153ddabd8 \
     --hash=sha256:1026f565a7ab846337c630909089b3346a2fe417bf1552b1581ab01852137407 \
@@ -141,6 +142,45 @@ bracex==2.6 \
     --hash=sha256:0b0049264e7340b3ec782b5cb99beb325f36c3782a32e36e876452fd49a09952 \
     --hash=sha256:98f1347cd77e22ee8d967a30ad4e310b233f7754dbf31ff3fceb76145ba47dc7
     # via wcmatch
+cbor2==5.9.0 \
+    --hash=sha256:0322296b9d52f55880e300ba8ba09ecf644303b99b51138bbb1c0fb644fa7c3e \
+    --hash=sha256:0485d3372fc832c5e16d4eb45fa1a20fc53e806e6c29a1d2b0d3e176cedd52b9 \
+    --hash=sha256:08388ea54195738602b4c4999966bcaef6f0b17d293c9658658409d9fff96f57 \
+    --hash=sha256:1d02b65f070fd726bdc310d927228975bb655d155bf059b6eb7cacefb3dca86f \
+    --hash=sha256:1f223dffb1bcdd2764665f04c1152943d9daa4bc124a576cd8dee1cad4264313 \
+    --hash=sha256:23606d31ba1368bd1b6602e3020ee88fe9523ca80e8630faf6b2fc904fd84560 \
+    --hash=sha256:2372d357d403e7912f104ff085950ffc82a5854d6d717f1ca1ce16a40a0ef5a7 \
+    --hash=sha256:25bec7beb2089465382b1be72e78667fe9090598800826559c3e3008cf0db743 \
+    --hash=sha256:27695cbd70c90b8de5c4a284642c2836449b14e2c2e07e3ffe0744cb7669a01b \
+    --hash=sha256:2a54fbb32cb828c214f7f333a707e4aec61182e7efdc06ea5d9596d3ecee624a \
+    --hash=sha256:3095dc49e75572841a9534cbfdabc2a17487ea4ee33341436abc4a7ac7245a3a \
+    --hash=sha256:34a6cb15e6ab6a8eae94ad2041731cd3ef786af43a8df99f847969af5b902ee7 \
+    --hash=sha256:380e534482b843e43442b87d8777a7bf9bed20cb7526f89b780c3400f617304b \
+    --hash=sha256:420d2490c7836c81151b4bd591c35cffc55391e33e7e333c50fda391bcea7d31 \
+    --hash=sha256:422817286c1d0ce947fb2f7eca9212b39bddd7231e8b452e2d2cc52f15332dba \
+    --hash=sha256:4753a6d1bc71054d9179557bc65740860f185095ccb401d46637fff028a5b3ec \
+    --hash=sha256:4aa07b392cc3d76fb31c08a46a226b58c320d1c172ff3073e864409ced7bc50f \
+    --hash=sha256:4cd43d8fc374b31643b2830910f28177a606a7bc84975a62675dd3f2e320fc7b \
+    --hash=sha256:5326336f633cc89dfe543c78829c16c3a6449c2c03277d1ddba99086c3323363 \
+    --hash=sha256:55bea0dd9a7d354e35f4e5fe58ceab393e76962713749dc3a0a64a0e5d19545e \
+    --hash=sha256:5e702b02d42a5ace45425b595ffe70fe35aebaf9a3cdfdc2c758b6189c744422 \
+    --hash=sha256:7221483fad0c63afa4244624d552abf89d7dfdbc5f5edfc56fc1ff2b4b818975 \
+    --hash=sha256:7d1ddc4541e7367ac58c2470cc0df847f7137167fe4f5729e2d3cc0b993d7da4 \
+    --hash=sha256:837754ece9052b3f607047e1741e5f852a538aa2b0ee3db11c82a8fa11804aa4 \
+    --hash=sha256:85c7a46279ac8f226e1059275221e6b3d0e370d2bb6bd0500f9780781615bcea \
+    --hash=sha256:86baf870d4c0bfc6f79de3801f3860a84ab76d9c8b0abb7f081f2c14c38d79d3 \
+    --hash=sha256:971d425b3a23b75953d8853d5f9911bdeefa09d759ee3b5e6b07b5ff3cbd9073 \
+    --hash=sha256:9a4907e0c3035bb8836116854ed8e56d8aef23909d601fa59706320897ec2551 \
+    --hash=sha256:a9d6e4e0f988b0e766509a8071975a8ee99f930e14a524620bf38083106158d2 \
+    --hash=sha256:ac684fe195c39821fca70d18afbf748f728aefbfbf88456018d299e559b8cae0 \
+    --hash=sha256:ae6c706ac1d85a0b3cb3395308fd0c4d55e3202b4760773675957e93cdff45fc \
+    --hash=sha256:cc5efec69055c3c470997935d95762be7e4bfd1248d88fb1a33bb7e0f45712e9 \
+    --hash=sha256:d1a21c006760f95acd9509cc5a7d15d6fc82e58f721f94fa9039b4e77189a6e5 \
+    --hash=sha256:dcf0f695873e5c94bd072d6af8698e72b8fb7f7a18f37e0bced1041b7111a6cf \
+    --hash=sha256:f7c9751a9611601ab326d8f5837f01379195bbf06175fb4effeb552140e7c9e8 \
+    --hash=sha256:fb7afe77f8d269e42d7c4b515c6fd14f1ccc0625379fb6829b269f493d16eddd \
+    --hash=sha256:fbb06f34aa645b4deca66643bba3d400d20c15312d1fe88d429be60c1ab50f27
+    # via webauthn
 celery==5.6.3 \
     --hash=sha256:0808f42f80909c4d5833202360ffafb2a4f83f4d8e23e1285d926610e9a7afa6 \
     --hash=sha256:177006bd2054b882e9f01be59abd8529e88879ef50d7918a7050c5a9f4e12912
@@ -532,6 +572,8 @@ cryptography==48.0.0 \
     #   pyhanko
     #   pyhanko-certvalidator
     #   pyjwt
+    #   pyopenssl
+    #   webauthn
 cssselect2==0.9.0 \
     --hash=sha256:6a99e5f91f9a016a304dd929b0966ca464bcfda15177b6fb4a118fc0fb5d9563 \
     --hash=sha256:759aa22c216326356f65e62e791d66160a0f9c91d1424e8d8adc5e74dddfc6fb
@@ -1789,6 +1831,10 @@ pymdown-extensions==10.21.3 \
     # via
     #   mkdocs-material
     #   mkdocstrings
+pyopenssl==26.0.0 \
+    --hash=sha256:df94d28498848b98cc1c0ffb8ef1e71e40210d3b0a8064c9d29571ed2904bf81 \
+    --hash=sha256:f293934e52936f2e3413b89c6ce36df66a0b34ae1ea3a053b8c5020ff2f513fc
+    # via webauthn
 pypdf==6.11.0 \
     --hash=sha256:062b51c81b0910e6d2755e99e1c5547a0a23b7d0a32322af66240d8edcfabe87 \
     --hash=sha256:769394d5756d5b304c9b6bef88b54b1816b328e7e6fc9254e625529a15ed4ab8
@@ -2316,6 +2362,7 @@ typing-extensions==4.15.0 \
     #   pydantic
     #   pydantic-core
     #   pyjwt
+    #   pyopenssl
     #   pypdf
     #   python-docx
     #   rich
@@ -2416,6 +2463,10 @@ wcwidth==0.7.0 \
     --hash=sha256:5d69154c429a82910e241c738cd0e2976fac8a2dd47a1a805f4afed1c0f136f2 \
     --hash=sha256:90e3a7ea092341c44b99562e75d09e4d5160fe7a3974c6fb842a101a95e7eed0
     # via prompt-toolkit
+webauthn==2.2.0 \
+    --hash=sha256:70e4f318d293125e3a8609838be0561119f4f8846bc430d524f8da4052ee18cc \
+    --hash=sha256:e8e2daace85dde8f6fb436c1bca9aa72d5931dac8829ecc1562cc4e7cc169f6c
+    # via hypha
 webencodings==0.5.1 \
     --hash=sha256:a0af1213f3c2226497a97e2b3aa01a7e4bee4f403f95be16fc9acd2947514a78 \
     --hash=sha256:b36a1c245f2d304965eb4e0a82848379241dc04b865afcc4aab16748587e1923
diff --git a/requirements/prod.txt b/requirements/prod.txt
index 1be6e7451e..7418553dad 100644
--- a/requirements/prod.txt
+++ b/requirements/prod.txt
@@ -30,6 +30,7 @@ asn1crypto==1.5.1 \
     #   oscrypto
     #   pyhanko
     #   pyhanko-certvalidator
+    #   webauthn
 async-timeout==5.0.1 ; python_full_version < '3.11.3' \
     --hash=sha256:39e3809566ff85354557ec2398b55e096c8364bacac9405a7a1fa429e77fe76c \
     --hash=sha256:d9321a7a3d5a6a5e187e824d2fa0793ce379a202935782d555d6e9d2735677d3
@@ -88,6 +89,45 @@ botocore==1.42.97 \
     # via
     #   boto3
     #   s3transfer
+cbor2==5.9.0 \
+    --hash=sha256:0322296b9d52f55880e300ba8ba09ecf644303b99b51138bbb1c0fb644fa7c3e \
+    --hash=sha256:0485d3372fc832c5e16d4eb45fa1a20fc53e806e6c29a1d2b0d3e176cedd52b9 \
+    --hash=sha256:08388ea54195738602b4c4999966bcaef6f0b17d293c9658658409d9fff96f57 \
+    --hash=sha256:1d02b65f070fd726bdc310d927228975bb655d155bf059b6eb7cacefb3dca86f \
+    --hash=sha256:1f223dffb1bcdd2764665f04c1152943d9daa4bc124a576cd8dee1cad4264313 \
+    --hash=sha256:23606d31ba1368bd1b6602e3020ee88fe9523ca80e8630faf6b2fc904fd84560 \
+    --hash=sha256:2372d357d403e7912f104ff085950ffc82a5854d6d717f1ca1ce16a40a0ef5a7 \
+    --hash=sha256:25bec7beb2089465382b1be72e78667fe9090598800826559c3e3008cf0db743 \
+    --hash=sha256:27695cbd70c90b8de5c4a284642c2836449b14e2c2e07e3ffe0744cb7669a01b \
+    --hash=sha256:2a54fbb32cb828c214f7f333a707e4aec61182e7efdc06ea5d9596d3ecee624a \
+    --hash=sha256:3095dc49e75572841a9534cbfdabc2a17487ea4ee33341436abc4a7ac7245a3a \
+    --hash=sha256:34a6cb15e6ab6a8eae94ad2041731cd3ef786af43a8df99f847969af5b902ee7 \
+    --hash=sha256:380e534482b843e43442b87d8777a7bf9bed20cb7526f89b780c3400f617304b \
+    --hash=sha256:420d2490c7836c81151b4bd591c35cffc55391e33e7e333c50fda391bcea7d31 \
+    --hash=sha256:422817286c1d0ce947fb2f7eca9212b39bddd7231e8b452e2d2cc52f15332dba \
+    --hash=sha256:4753a6d1bc71054d9179557bc65740860f185095ccb401d46637fff028a5b3ec \
+    --hash=sha256:4aa07b392cc3d76fb31c08a46a226b58c320d1c172ff3073e864409ced7bc50f \
+    --hash=sha256:4cd43d8fc374b31643b2830910f28177a606a7bc84975a62675dd3f2e320fc7b \
+    --hash=sha256:5326336f633cc89dfe543c78829c16c3a6449c2c03277d1ddba99086c3323363 \
+    --hash=sha256:55bea0dd9a7d354e35f4e5fe58ceab393e76962713749dc3a0a64a0e5d19545e \
+    --hash=sha256:5e702b02d42a5ace45425b595ffe70fe35aebaf9a3cdfdc2c758b6189c744422 \
+    --hash=sha256:7221483fad0c63afa4244624d552abf89d7dfdbc5f5edfc56fc1ff2b4b818975 \
+    --hash=sha256:7d1ddc4541e7367ac58c2470cc0df847f7137167fe4f5729e2d3cc0b993d7da4 \
+    --hash=sha256:837754ece9052b3f607047e1741e5f852a538aa2b0ee3db11c82a8fa11804aa4 \
+    --hash=sha256:85c7a46279ac8f226e1059275221e6b3d0e370d2bb6bd0500f9780781615bcea \
+    --hash=sha256:86baf870d4c0bfc6f79de3801f3860a84ab76d9c8b0abb7f081f2c14c38d79d3 \
+    --hash=sha256:971d425b3a23b75953d8853d5f9911bdeefa09d759ee3b5e6b07b5ff3cbd9073 \
+    --hash=sha256:9a4907e0c3035bb8836116854ed8e56d8aef23909d601fa59706320897ec2551 \
+    --hash=sha256:a9d6e4e0f988b0e766509a8071975a8ee99f930e14a524620bf38083106158d2 \
+    --hash=sha256:ac684fe195c39821fca70d18afbf748f728aefbfbf88456018d299e559b8cae0 \
+    --hash=sha256:ae6c706ac1d85a0b3cb3395308fd0c4d55e3202b4760773675957e93cdff45fc \
+    --hash=sha256:cc5efec69055c3c470997935d95762be7e4bfd1248d88fb1a33bb7e0f45712e9 \
+    --hash=sha256:d1a21c006760f95acd9509cc5a7d15d6fc82e58f721f94fa9039b4e77189a6e5 \
+    --hash=sha256:dcf0f695873e5c94bd072d6af8698e72b8fb7f7a18f37e0bced1041b7111a6cf \
+    --hash=sha256:f7c9751a9611601ab326d8f5837f01379195bbf06175fb4effeb552140e7c9e8 \
+    --hash=sha256:fb7afe77f8d269e42d7c4b515c6fd14f1ccc0625379fb6829b269f493d16eddd \
+    --hash=sha256:fbb06f34aa645b4deca66643bba3d400d20c15312d1fe88d429be60c1ab50f27
+    # via webauthn
 celery==5.6.3 \
     --hash=sha256:0808f42f80909c4d5833202360ffafb2a4f83f4d8e23e1285d926610e9a7afa6 \
     --hash=sha256:177006bd2054b882e9f01be59abd8529e88879ef50d7918a7050c5a9f4e12912
@@ -357,6 +397,8 @@ cryptography==48.0.0 \
     #   pyhanko
     #   pyhanko-certvalidator
     #   pyjwt
+    #   pyopenssl
+    #   webauthn
 cssselect2==0.9.0 \
     --hash=sha256:6a99e5f91f9a016a304dd929b0966ca464bcfda15177b6fb4a118fc0fb5d9563 \
     --hash=sha256:759aa22c216326356f65e62e791d66160a0f9c91d1424e8d8adc5e74dddfc6fb
@@ -1028,6 +1070,10 @@ pyjwt==2.12.1 \
     --hash=sha256:28ca37c070cad8ba8cd9790cd940535d40274d22f80ab87f3ac6a713e6e8454c \
     --hash=sha256:c74a7a2adf861c04d002db713dd85f84beb242228e671280bf709d765b03672b
     # via social-auth-core
+pyopenssl==26.0.0 \
+    --hash=sha256:df94d28498848b98cc1c0ffb8ef1e71e40210d3b0a8064c9d29571ed2904bf81 \
+    --hash=sha256:f293934e52936f2e3413b89c6ce36df66a0b34ae1ea3a053b8c5020ff2f513fc
+    # via webauthn
 pypdf==6.11.0 \
     --hash=sha256:062b51c81b0910e6d2755e99e1c5547a0a23b7d0a32322af66240d8edcfabe87 \
     --hash=sha256:769394d5756d5b304c9b6bef88b54b1816b328e7e6fc9254e625529a15ed4ab8
@@ -1325,6 +1371,7 @@ typing-extensions==4.15.0 \
     #   mistune
     #   psycopg
     #   pyjwt
+    #   pyopenssl
     #   pypdf
     #   python-docx
 tzdata==2026.2 \
@@ -1374,6 +1421,10 @@ wcwidth==0.7.0 \
     --hash=sha256:5d69154c429a82910e241c738cd0e2976fac8a2dd47a1a805f4afed1c0f136f2 \
     --hash=sha256:90e3a7ea092341c44b99562e75d09e4d5160fe7a3974c6fb842a101a95e7eed0
     # via prompt-toolkit
+webauthn==2.2.0 \
+    --hash=sha256:70e4f318d293125e3a8609838be0561119f4f8846bc430d524f8da4052ee18cc \
+    --hash=sha256:e8e2daace85dde8f6fb436c1bca9aa72d5931dac8829ecc1562cc4e7cc169f6c
+    # via hypha
 webencodings==0.5.1 \
     --hash=sha256:a0af1213f3c2226497a97e2b3aa01a7e4bee4f403f95be16fc9acd2947514a78 \
     --hash=sha256:b36a1c245f2d304965eb4e0a82848379241dc04b865afcc4aab16748587e1923
diff --git a/uv.lock b/uv.lock
index a418b87e07..783e799b04 100644
--- a/uv.lock
+++ b/uv.lock
@@ -332,6 +332,50 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/9e/96/d32b941a501ab566a16358d68b6eb4e4acc373fab3c3c4d7d9e649f7b4bb/catalogue-2.0.10-py3-none-any.whl", hash = "sha256:58c2de0020aa90f4a2da7dfad161bf7b3b054c86a5f09fcedc0b2b740c109a9f", size = 17325, upload-time = "2023-09-25T06:29:23.337Z" },
 ]
 
+[[package]]
+name = "cbor2"
+version = "5.9.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/bd/cb/09939728be094d155b5d4ac262e39877875f5f7e36eea66beb359f647bd0/cbor2-5.9.0.tar.gz", hash = "sha256:85c7a46279ac8f226e1059275221e6b3d0e370d2bb6bd0500f9780781615bcea", size = 111231, upload-time = "2026-03-22T15:56:50.638Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/e0/bf/12b337e5354e47f6378da18989480c0c1e2cc5fe9b865e6fab45d6332aa6/cbor2-5.9.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:55bea0dd9a7d354e35f4e5fe58ceab393e76962713749dc3a0a64a0e5d19545e", size = 70577, upload-time = "2026-03-22T15:55:54.174Z" },
+    { url = "https://files.pythonhosted.org/packages/45/7b/74c524ce81c1ddc6c44b4865028ffb7d3a8e7ae653b1061650375a28cbb1/cbor2-5.9.0-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:3095dc49e75572841a9534cbfdabc2a17487ea4ee33341436abc4a7ac7245a3a", size = 261074, upload-time = "2026-03-22T15:55:55.654Z" },
+    { url = "https://files.pythonhosted.org/packages/4b/97/c496c71422b2ca18ff2acc5f49e8c45cd7294b7df1359eccec78021b428e/cbor2-5.9.0-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:25bec7beb2089465382b1be72e78667fe9090598800826559c3e3008cf0db743", size = 255498, upload-time = "2026-03-22T15:55:57.256Z" },
+    { url = "https://files.pythonhosted.org/packages/c2/40/9bd7e66dba7aea674a440e004faea406de42c49aeac23453954b67768532/cbor2-5.9.0-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:cc5efec69055c3c470997935d95762be7e4bfd1248d88fb1a33bb7e0f45712e9", size = 255683, upload-time = "2026-03-22T15:55:58.721Z" },
+    { url = "https://files.pythonhosted.org/packages/b3/d1/fa3e158dbe4c08091495b720c604624b285bc272afdbcfac2150725d955b/cbor2-5.9.0-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:420d2490c7836c81151b4bd591c35cffc55391e33e7e333c50fda391bcea7d31", size = 250798, upload-time = "2026-03-22T15:55:59.953Z" },
+    { url = "https://files.pythonhosted.org/packages/7c/16/3186084b441c4b0caebfaaa2c66a57bde82ceaacd469570c77c8030b6b95/cbor2-5.9.0-cp310-cp310-win_amd64.whl", hash = "sha256:d1a21c006760f95acd9509cc5a7d15d6fc82e58f721f94fa9039b4e77189a6e5", size = 69436, upload-time = "2026-03-22T15:56:01.466Z" },
+    { url = "https://files.pythonhosted.org/packages/36/1f/57d00cd13e0f9391bcd616795aa78409210a7464570fe21e3b9cd42eb5a7/cbor2-5.9.0-cp310-cp310-win_arm64.whl", hash = "sha256:08388ea54195738602b4c4999966bcaef6f0b17d293c9658658409d9fff96f57", size = 65312, upload-time = "2026-03-22T15:56:02.804Z" },
+    { url = "https://files.pythonhosted.org/packages/43/aa/317c7118b8dda4c9563125c1a12c70c5b41e36677964a49c72b1aac061ec/cbor2-5.9.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:0485d3372fc832c5e16d4eb45fa1a20fc53e806e6c29a1d2b0d3e176cedd52b9", size = 70578, upload-time = "2026-03-22T15:56:03.835Z" },
+    { url = "https://files.pythonhosted.org/packages/31/43/fe29b1f897770011a5e7497f4523c2712282ee4a6cbf775ea6383fb7afb9/cbor2-5.9.0-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:a9d6e4e0f988b0e766509a8071975a8ee99f930e14a524620bf38083106158d2", size = 268738, upload-time = "2026-03-22T15:56:05.222Z" },
+    { url = "https://files.pythonhosted.org/packages/0a/1a/e494568f3d8aafbcdfe361df44c3bcf5cdab5183e25ea08e3d3f9fcf4075/cbor2-5.9.0-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:5326336f633cc89dfe543c78829c16c3a6449c2c03277d1ddba99086c3323363", size = 262571, upload-time = "2026-03-22T15:56:06.411Z" },
+    { url = "https://files.pythonhosted.org/packages/42/2e/92acd6f87382fd44a34d9d7e85cc45372e6ba664040b72d1d9df648b25d0/cbor2-5.9.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:5e702b02d42a5ace45425b595ffe70fe35aebaf9a3cdfdc2c758b6189c744422", size = 262356, upload-time = "2026-03-22T15:56:08.236Z" },
+    { url = "https://files.pythonhosted.org/packages/3f/68/52c039a28688baeeb78b0be7483855e6c66ea05884a937444deede0c87b8/cbor2-5.9.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:2372d357d403e7912f104ff085950ffc82a5854d6d717f1ca1ce16a40a0ef5a7", size = 257604, upload-time = "2026-03-22T15:56:09.835Z" },
+    { url = "https://files.pythonhosted.org/packages/5b/e4/10d96a7f73ed9227090ce6e3df5d73329eb6a267dab7d5b989e6fbf6c504/cbor2-5.9.0-cp311-cp311-win_amd64.whl", hash = "sha256:1d02b65f070fd726bdc310d927228975bb655d155bf059b6eb7cacefb3dca86f", size = 69388, upload-time = "2026-03-22T15:56:11.28Z" },
+    { url = "https://files.pythonhosted.org/packages/d4/c6/eea5829aa5a649db540f47ea35f4bf2313383d28246f0cbc50432cfad6b3/cbor2-5.9.0-cp311-cp311-win_arm64.whl", hash = "sha256:837754ece9052b3f607047e1741e5f852a538aa2b0ee3db11c82a8fa11804aa4", size = 65315, upload-time = "2026-03-22T15:56:12.326Z" },
+    { url = "https://files.pythonhosted.org/packages/ee/39/72d8a5a4b06565561ec28f4fcb41aff7bb77f51705c01f00b8254a2aca4f/cbor2-5.9.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:1f223dffb1bcdd2764665f04c1152943d9daa4bc124a576cd8dee1cad4264313", size = 71223, upload-time = "2026-03-22T15:56:13.68Z" },
+    { url = "https://files.pythonhosted.org/packages/09/fd/7ddf3d3153b54c69c3be77172b8d9aa3a9d74f62a7fbde614d53eaeed9a4/cbor2-5.9.0-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:ae6c706ac1d85a0b3cb3395308fd0c4d55e3202b4760773675957e93cdff45fc", size = 287865, upload-time = "2026-03-22T15:56:14.813Z" },
+    { url = "https://files.pythonhosted.org/packages/db/9d/7ede2cc42f9bb4260492e7d29d2aab781eacbbcfb09d983de1e695077199/cbor2-5.9.0-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:4cd43d8fc374b31643b2830910f28177a606a7bc84975a62675dd3f2e320fc7b", size = 288246, upload-time = "2026-03-22T15:56:16.113Z" },
+    { url = "https://files.pythonhosted.org/packages/ce/9d/588ebc7c5bc5843f609b05fe07be8575c7dec987735b0bbc908ac9c1264a/cbor2-5.9.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:4aa07b392cc3d76fb31c08a46a226b58c320d1c172ff3073e864409ced7bc50f", size = 280214, upload-time = "2026-03-22T15:56:17.519Z" },
+    { url = "https://files.pythonhosted.org/packages/f7/a1/6fc8f4b15c6a27e7fbb7966c30c2b4b18c274a3221fa2f5e6235502d34bc/cbor2-5.9.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:971d425b3a23b75953d8853d5f9911bdeefa09d759ee3b5e6b07b5ff3cbd9073", size = 282162, upload-time = "2026-03-22T15:56:18.975Z" },
+    { url = "https://files.pythonhosted.org/packages/cf/20/9a22cfe08be16ddfeef2542cf4eeed1b29f3f57ddbba0b42f7e0bb8331fd/cbor2-5.9.0-cp312-cp312-win_amd64.whl", hash = "sha256:34a6cb15e6ab6a8eae94ad2041731cd3ef786af43a8df99f847969af5b902ee7", size = 70049, upload-time = "2026-03-22T15:56:20.502Z" },
+    { url = "https://files.pythonhosted.org/packages/c6/9e/695f92d09006614034e25a9f5b10620f3b219f79c1bec3c37b7c6f27a7a9/cbor2-5.9.0-cp312-cp312-win_arm64.whl", hash = "sha256:7d1ddc4541e7367ac58c2470cc0df847f7137167fe4f5729e2d3cc0b993d7da4", size = 65382, upload-time = "2026-03-22T15:56:21.526Z" },
+    { url = "https://files.pythonhosted.org/packages/81/c5/4901e21a8afe9448fd947b11e8f383903207cd6dd0800e5f5a386838de5b/cbor2-5.9.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:fbb06f34aa645b4deca66643bba3d400d20c15312d1fe88d429be60c1ab50f27", size = 71284, upload-time = "2026-03-22T15:56:22.836Z" },
+    { url = "https://files.pythonhosted.org/packages/1b/10/df643a381aebc3f05486de4813662bc58accb640fc3275cb276a75e89694/cbor2-5.9.0-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:ac684fe195c39821fca70d18afbf748f728aefbfbf88456018d299e559b8cae0", size = 287682, upload-time = "2026-03-22T15:56:24.024Z" },
+    { url = "https://files.pythonhosted.org/packages/c6/0c/8aa6b766059ae4a0ca1ec3ff96fe3823a69a7be880dba2e249f7fbe2700b/cbor2-5.9.0-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:2a54fbb32cb828c214f7f333a707e4aec61182e7efdc06ea5d9596d3ecee624a", size = 288009, upload-time = "2026-03-22T15:56:25.305Z" },
+    { url = "https://files.pythonhosted.org/packages/74/07/6236bc25c183a9cf7e8062e5dddf9eae9b0b14ebf14a58a69fe5a1e872c6/cbor2-5.9.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:4753a6d1bc71054d9179557bc65740860f185095ccb401d46637fff028a5b3ec", size = 280437, upload-time = "2026-03-22T15:56:26.479Z" },
+    { url = "https://files.pythonhosted.org/packages/4e/0a/84328d23c3c68874ac6497edb9b1900579a1028efa54734df3f1762bbc15/cbor2-5.9.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:380e534482b843e43442b87d8777a7bf9bed20cb7526f89b780c3400f617304b", size = 282247, upload-time = "2026-03-22T15:56:28.644Z" },
+    { url = "https://files.pythonhosted.org/packages/9b/f6/89b4627e09d028c8e5fcaf7cb55f225c33ce6e037ec1844e65d02bcfa945/cbor2-5.9.0-cp313-cp313-win_amd64.whl", hash = "sha256:dcf0f695873e5c94bd072d6af8698e72b8fb7f7a18f37e0bced1041b7111a6cf", size = 70089, upload-time = "2026-03-22T15:56:29.801Z" },
+    { url = "https://files.pythonhosted.org/packages/e2/7c/efadcd5f0102db692490e4e206988a2f98d39a09912090db497a2b800885/cbor2-5.9.0-cp313-cp313-win_arm64.whl", hash = "sha256:f7c9751a9611601ab326d8f5837f01379195bbf06175fb4effeb552140e7c9e8", size = 65466, upload-time = "2026-03-22T15:56:30.823Z" },
+    { url = "https://files.pythonhosted.org/packages/08/7d/9ccc36d10ef96e6038e48046ebe1ce35a1e7814da0e1e204d09e6ef09b8d/cbor2-5.9.0-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:23606d31ba1368bd1b6602e3020ee88fe9523ca80e8630faf6b2fc904fd84560", size = 71500, upload-time = "2026-03-22T15:56:31.876Z" },
+    { url = "https://files.pythonhosted.org/packages/70/e1/a6cca2cc72e13f00030c6a649f57ae703eb2c620806ab70c40db8eab33fa/cbor2-5.9.0-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:0322296b9d52f55880e300ba8ba09ecf644303b99b51138bbb1c0fb644fa7c3e", size = 286953, upload-time = "2026-03-22T15:56:33.292Z" },
+    { url = "https://files.pythonhosted.org/packages/08/3c/24cd5ef488a957d90e016f200a3aad820e4c2f85edd61c9fe4523007a1ee/cbor2-5.9.0-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:422817286c1d0ce947fb2f7eca9212b39bddd7231e8b452e2d2cc52f15332dba", size = 285454, upload-time = "2026-03-22T15:56:34.703Z" },
+    { url = "https://files.pythonhosted.org/packages/a4/35/dca96818494c0ba47cdd73e8d809b27fa91f8fa0ce32a068a09237687454/cbor2-5.9.0-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:9a4907e0c3035bb8836116854ed8e56d8aef23909d601fa59706320897ec2551", size = 279441, upload-time = "2026-03-22T15:56:35.888Z" },
+    { url = "https://files.pythonhosted.org/packages/a4/44/d3362378b16e53cf7e535a3f5aed8476e2109068154e24e31981ef5bde9e/cbor2-5.9.0-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:fb7afe77f8d269e42d7c4b515c6fd14f1ccc0625379fb6829b269f493d16eddd", size = 279673, upload-time = "2026-03-22T15:56:37.08Z" },
+    { url = "https://files.pythonhosted.org/packages/43/d1/3533a697e5842fff7c2f64912eb251f8dcab3a8b5d88e228d6eebc3b5021/cbor2-5.9.0-cp314-cp314-win_amd64.whl", hash = "sha256:86baf870d4c0bfc6f79de3801f3860a84ab76d9c8b0abb7f081f2c14c38d79d3", size = 71940, upload-time = "2026-03-22T15:56:38.366Z" },
+    { url = "https://files.pythonhosted.org/packages/ff/e2/c6ba75f3fb25dfa15ab6999cc8709c821987e9ed8e375d7f58539261bcb9/cbor2-5.9.0-cp314-cp314-win_arm64.whl", hash = "sha256:7221483fad0c63afa4244624d552abf89d7dfdbc5f5edfc56fc1ff2b4b818975", size = 67639, upload-time = "2026-03-22T15:56:39.39Z" },
+    { url = "https://files.pythonhosted.org/packages/42/ff/b83492b096fbef26e9cb62c1a4bf2d3cef579ea7b33138c6c37c4ae66f67/cbor2-5.9.0-py3-none-any.whl", hash = "sha256:27695cbd70c90b8de5c4a284642c2836449b14e2c2e07e3ffe0744cb7669a01b", size = 24627, upload-time = "2026-03-22T15:56:48.847Z" },
+]
+
 [[package]]
 name = "celery"
 version = "5.6.3"
@@ -1833,6 +1877,7 @@ dependencies = [
     { name = "svgwrite" },
     { name = "wagtail" },
     { name = "wagtail-modeladmin" },
+    { name = "webauthn" },
     { name = "whitenoise" },
     { name = "xhtml2pdf" },
 ]
@@ -1926,6 +1971,7 @@ requires-dist = [
     { name = "svgwrite", specifier = "~=1.4.3" },
     { name = "wagtail", specifier = "~=7.0.5" },
     { name = "wagtail-modeladmin", specifier = "~=2.2.0" },
+    { name = "webauthn", specifier = "~=2.2.0" },
     { name = "whitenoise", specifier = "~=6.11.0" },
     { name = "xhtml2pdf", specifier = "~=0.2.17" },
 ]
@@ -3909,6 +3955,19 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/7e/85/545a951eecc270fcd688288c600017e2050a1aacb56c711d208586d3e470/pymdown_extensions-10.21.3-py3-none-any.whl", hash = "sha256:d7a5d08014fc571e80ca21dd6f854e31f94c489800350564d55d15b3c41e76b6", size = 269002, upload-time = "2026-05-13T12:57:30.296Z" },
 ]
 
+[[package]]
+name = "pyopenssl"
+version = "26.0.0"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "cryptography" },
+    { name = "typing-extensions", marker = "python_full_version < '3.13'" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/8e/11/a62e1d33b373da2b2c2cd9eb508147871c80f12b1cacde3c5d314922afdd/pyopenssl-26.0.0.tar.gz", hash = "sha256:f293934e52936f2e3413b89c6ce36df66a0b34ae1ea3a053b8c5020ff2f513fc", size = 185534, upload-time = "2026-03-15T14:28:26.353Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/fb/7d/d4f7d908fa8415571771b30669251d57c3cf313b36a856e6d7548ae01619/pyopenssl-26.0.0-py3-none-any.whl", hash = "sha256:df94d28498848b98cc1c0ffb8ef1e71e40210d3b0a8064c9d29571ed2904bf81", size = 57969, upload-time = "2026-03-15T14:28:24.864Z" },
+]
+
 [[package]]
 name = "pypdf"
 version = "6.11.0"
@@ -5474,6 +5533,21 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/0a/07/57ebf7a6798b016c064bd0ca81b4c6a99daa4dc377b898bc7b41eb6b5af0/weasel-1.0.0-py3-none-any.whl", hash = "sha256:89518acee027f49d743126c3502d35e6dd14f5768be5c37c9af47c171b6005cc", size = 50713, upload-time = "2026-03-20T08:10:23.637Z" },
 ]
 
+[[package]]
+name = "webauthn"
+version = "2.2.0"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "asn1crypto" },
+    { name = "cbor2" },
+    { name = "cryptography" },
+    { name = "pyopenssl" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/8b/51/c3262e0a361b4f21b5f562f5705e74352e1c64dd9dc69d0cb3a232a50b5a/webauthn-2.2.0.tar.gz", hash = "sha256:70e4f318d293125e3a8609838be0561119f4f8846bc430d524f8da4052ee18cc", size = 113978, upload-time = "2024-06-25T17:39:59.09Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/53/97/2d37cdf3f88a81a84340862b94eb9e9f76b07bd1a460fa1ce28485ba6fe5/webauthn-2.2.0-py3-none-any.whl", hash = "sha256:e8e2daace85dde8f6fb436c1bca9aa72d5931dac8829ecc1562cc4e7cc169f6c", size = 67738, upload-time = "2024-06-25T17:39:57.588Z" },
+]
+
 [[package]]
 name = "webencodings"
 version = "0.5.1"

From 70bcff1af8410104ba4ade17365fcb6fdc971974 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Mon, 23 Mar 2026 18:38:09 +0100
Subject: [PATCH 02/37] Add some url checks. Show last_used_at for each
 passkey. Inline form to set passkey name.

---
 hypha/apply/users/passkey_views.py            | 29 +++++++++-----
 .../users/includes/passkey_login_button.html  |  7 +++-
 .../users/templates/users/partials/list.html  | 32 ++++++++++-----
 hypha/static_src/javascript/passkeys.js       | 40 +++++++++++++------
 4 files changed, 74 insertions(+), 34 deletions(-)

diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
index 74c6a4b59c..0d7d803f13 100644
--- a/hypha/apply/users/passkey_views.py
+++ b/hypha/apply/users/passkey_views.py
@@ -2,15 +2,16 @@
 import json
 
 from django.conf import settings
-from django.contrib.auth import get_user_model, login
+from django.contrib.auth import login
 from django.contrib.auth.decorators import login_required
 from django.core.exceptions import PermissionDenied
 from django.http import JsonResponse
 from django.shortcuts import get_object_or_404, render
 from django.utils import timezone
 from django.utils.decorators import method_decorator
+from django.utils.http import url_has_allowed_host_and_scheme
 from django.views import View
-from django.views.decorators.csrf import csrf_protect
+from django_ratelimit.decorators import ratelimit
 from webauthn import (
     generate_authentication_options,
     generate_registration_options,
@@ -32,8 +33,6 @@
 
 from .models import Passkey
 
-User = get_user_model()
-
 SESSION_CHALLENGE_KEY = "webauthn_challenge"
 
 
@@ -73,7 +72,6 @@ def _load_challenge(request) -> bytes:
 
 
 @method_decorator(login_required, name="dispatch")
-@method_decorator(csrf_protect, name="dispatch")
 class PasskeyRegisterBeginView(View):
     def post(self, request):
         user = request.user
@@ -98,7 +96,6 @@ def post(self, request):
 
 
 @method_decorator(login_required, name="dispatch")
-@method_decorator(csrf_protect, name="dispatch")
 class PasskeyRegisterCompleteView(View):
     def post(self, request):
         try:
@@ -153,7 +150,10 @@ def post(self, request):
 # ---------------------------------------------------------------------------
 
 
-@method_decorator(csrf_protect, name="dispatch")
+@method_decorator(
+    ratelimit(key="ip", rate=settings.DEFAULT_RATE_LIMIT, method="POST"),
+    name="dispatch",
+)
 class PasskeyAuthBeginView(View):
     def post(self, request):
         options = generate_authentication_options(
@@ -164,7 +164,10 @@ def post(self, request):
         return JsonResponse(json.loads(options_to_json(options)))
 
 
-@method_decorator(csrf_protect, name="dispatch")
+@method_decorator(
+    ratelimit(key="ip", rate=settings.DEFAULT_RATE_LIMIT, method="POST"),
+    name="dispatch",
+)
 class PasskeyAuthCompleteView(View):
     def post(self, request):
         try:
@@ -223,7 +226,13 @@ def post(self, request):
         login(request, user, backend="django.contrib.auth.backends.ModelBackend")
         request.session["passkey_authenticated"] = True
 
-        next_url = request.POST.get("next") or data.get("next") or "/"
+        next_url = data.get("next") or "/"
+        if not url_has_allowed_host_and_scheme(
+            next_url,
+            allowed_hosts={request.get_host()},
+            require_https=request.is_secure(),
+        ):
+            next_url = settings.LOGIN_REDIRECT_URL
         return JsonResponse({"status": "ok", "redirect_url": next_url})
 
 
@@ -242,7 +251,6 @@ def get(self, request):
 
 
 @method_decorator(login_required, name="dispatch")
-@method_decorator(csrf_protect, name="dispatch")
 class PasskeyDeleteView(View):
     def post(self, request, pk):
         passkey = get_object_or_404(Passkey, pk=pk, user=request.user)
@@ -252,7 +260,6 @@ def post(self, request, pk):
 
 
 @method_decorator(login_required, name="dispatch")
-@method_decorator(csrf_protect, name="dispatch")
 class PasskeyRenameView(View):
     def post(self, request, pk):
         passkey = get_object_or_404(Passkey, pk=pk, user=request.user)
diff --git a/hypha/apply/users/templates/users/includes/passkey_login_button.html b/hypha/apply/users/templates/users/includes/passkey_login_button.html
index e4c880ecf7..72c2d81ab0 100644
--- a/hypha/apply/users/templates/users/includes/passkey_login_button.html
+++ b/hypha/apply/users/templates/users/includes/passkey_login_button.html
@@ -10,6 +10,11 @@
     {% heroicon_micro "key" class="inline size-4" aria_hidden=true %}
     {% trans "Sign in with passkey" %}
 </button>
-<p id="passkey-auth-error" class="mt-2 text-sm text-error" hidden></p>
+<p id="passkey-auth-error"
+   class="mt-2 text-sm text-error"
+   data-error-begin="{% trans "Failed to begin authentication" %}"
+   data-error-auth="{% trans "Authentication failed" %}"
+   hidden></p>
 <input type="hidden" id="passkey-auth-begin-url" value="{% url 'users:passkey_auth_begin' %}">
 <input type="hidden" id="passkey-auth-complete-url" value="{% url 'users:passkey_auth_complete' %}">
+<input type="hidden" id="passkey-next-url" value="{{ redirect_url|default:'' }}">
diff --git a/hypha/apply/users/templates/users/partials/list.html b/hypha/apply/users/templates/users/partials/list.html
index 6fd320a48c..91de6e4f26 100644
--- a/hypha/apply/users/templates/users/partials/list.html
+++ b/hypha/apply/users/templates/users/partials/list.html
@@ -24,7 +24,13 @@
                             {% heroicon_micro "check" class="size-3" aria_hidden=true %}
                         </button>
                     </form>
-                    <span class="text-xs text-fg-muted shrink-0">{{ passkey.created_at|date:"Y-m-d" }}</span>
+                    <span class="text-xs text-fg-muted shrink-0" title="{{ passkey.created_at|date:'Y-m-d' }}">
+                        {% if passkey.last_used_at %}
+                            {% blocktrans with when=passkey.last_used_at|timesince %}Used {{ when }} ago{% endblocktrans %}
+                        {% else %}
+                            {% trans "Never used" %}
+                        {% endif %}
+                    </span>
                     <form
                         hx-post="{% url 'users:passkey_delete' passkey.pk %}"
                         hx-target="#passkey-list"
@@ -43,16 +49,24 @@
         <p class="text-sm text-fg-muted">{% trans "No passkeys registered." %}</p>
     {% endif %}
 
-    <div class="mt-3">
-        <button
-            type="button"
-            id="btn-add-passkey"
-            class="btn btn-sm btn-secondary btn-outline"
-            onclick="hypha.passkeys.register(this)"
-        >
+    <form
+        class="flex gap-2 mt-3"
+        data-error-server="{% trans "Server error" %}"
+        data-error-register="{% trans "Registration failed" %}"
+        onsubmit="hypha.passkeys.register(this); return false;"
+    >
+        <input
+            type="text"
+            name="name"
+            class="flex-1 input input-sm"
+            placeholder="{% trans "e.g. MacBook Touch ID" %}"
+            aria-label="{% trans "Passkey name" %}"
+            required
+        />
+        <button type="submit" class="btn btn-sm btn-secondary btn-outline">
             {% heroicon_micro "plus" class="size-3" aria_hidden=true %}
             {% trans "Add passkey" %}
         </button>
-    </div>
+    </form>
     <p id="passkey-error" class="mt-2 text-sm text-error" hidden></p>
 </div>
diff --git a/hypha/static_src/javascript/passkeys.js b/hypha/static_src/javascript/passkeys.js
index 1211c4f9a8..8925b766b5 100644
--- a/hypha/static_src/javascript/passkeys.js
+++ b/hypha/static_src/javascript/passkeys.js
@@ -74,9 +74,10 @@ window.hypha.passkeys = (function () {
 
   /**
    * Register a new passkey for the currently authenticated user.
-   * Called from the account page "Add passkey" button.
+   * Called from the account page "Add passkey" form (onsubmit).
+   * @param {HTMLFormElement} formEl  The <form> element containing a [name=name] input.
    */
-  async function register(triggerEl) {
+  async function register(formEl) {
     const beginUrl = document.getElementById(
       "passkey-register-begin-url"
     )?.value;
@@ -85,19 +86,21 @@ window.hypha.passkeys = (function () {
     )?.value;
     if (!beginUrl || !completeUrl) return;
 
-    const name = prompt("Name this passkey (e.g. 'MacBook Touch ID'):", "");
-    if (name === null) return; // user cancelled
-
+    const nameInput = formEl?.querySelector("[name=name]");
     const errorEl = document.getElementById("passkey-error");
+    const submitBtn = formEl?.querySelector("[type=submit]");
 
     try {
-      if (triggerEl) triggerEl.disabled = true;
+      if (submitBtn) submitBtn.disabled = true;
+      if (errorEl) errorEl.hidden = true;
 
       // Step 1: fetch registration options from server
       const beginResp = await jsonPost(beginUrl, {});
       if (!beginResp.ok) {
         const err = await beginResp.json();
-        throw new Error(err.error || "Server error");
+        throw new Error(
+          err.error || formEl?.dataset.errorServer || "Server error"
+        );
       }
       const options = await beginResp.json();
 
@@ -109,11 +112,13 @@ window.hypha.passkeys = (function () {
       // Step 3: send the signed response to the server
       const completeResp = await jsonPost(completeUrl, {
         ...credential.toJSON(),
-        name: name.trim(),
+        name: nameInput?.value.trim() || "",
       });
       if (!completeResp.ok) {
         const err = await completeResp.json();
-        throw new Error(err.error || "Registration failed");
+        throw new Error(
+          err.error || formEl?.dataset.errorRegister || "Registration failed"
+        );
       }
 
       // Reload to show the new passkey in the list
@@ -125,7 +130,7 @@ window.hypha.passkeys = (function () {
         errorEl.hidden = false;
       }
     } finally {
-      if (triggerEl) triggerEl.disabled = false;
+      if (submitBtn) submitBtn.disabled = false;
     }
   }
 
@@ -139,11 +144,15 @@ window.hypha.passkeys = (function () {
     )?.value;
     if (!beginUrl || !completeUrl) return;
 
+    const nextUrl = document.getElementById("passkey-next-url")?.value || "";
     const errorEl = document.getElementById("passkey-auth-error");
 
     try {
       const beginResp = await jsonPost(beginUrl, {});
-      if (!beginResp.ok) throw new Error("Failed to begin authentication");
+      if (!beginResp.ok)
+        throw new Error(
+          errorEl?.dataset.errorBegin || "Failed to begin authentication"
+        );
       const authOptions = await beginResp.json();
 
       // Triggers native OS passkey selection UI
@@ -151,10 +160,15 @@ window.hypha.passkeys = (function () {
         publicKey: PublicKeyCredential.parseRequestOptionsFromJSON(authOptions),
       });
 
-      const completeResp = await jsonPost(completeUrl, credential.toJSON());
+      const completeResp = await jsonPost(completeUrl, {
+        ...credential.toJSON(),
+        next: nextUrl,
+      });
       if (!completeResp.ok) {
         const err = await completeResp.json();
-        throw new Error(err.error || "Authentication failed");
+        throw new Error(
+          err.error || errorEl?.dataset.errorAuth || "Authentication failed"
+        );
       }
       const data = await completeResp.json();
       window.location.href = data.redirect_url || "/";

From 79c083115341c131ec05b483b2c1a05673569308 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Mon, 23 Mar 2026 18:56:17 +0100
Subject: [PATCH 03/37] Some ux improvments to the user account buttons.

---
 hypha/apply/users/templates/users/account.html       | 6 +++---
 hypha/apply/users/templates/users/partials/list.html | 7 +++++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/hypha/apply/users/templates/users/account.html b/hypha/apply/users/templates/users/account.html
index 3bfcaf0871..80b9657045 100644
--- a/hypha/apply/users/templates/users/account.html
+++ b/hypha/apply/users/templates/users/account.html
@@ -86,10 +86,10 @@ <h3 class="mb-2 text-sm font-semibold">
             </h3>
             <p class="card-actions">
                 {% if default_device %}
-                    <a class="btn btn-primary" href="{% url 'users:backup_tokens' %}">{% trans "Backup codes" %}</a>
-                    <a class="btn btn-warning" href="{% url 'two_factor:disable' %}">{% trans "Disable 2FA" %}</a>
+                    <a class="btn btn-secondary btn-outline" href="{% url 'users:backup_tokens' %}">{% trans "Backup codes" %}</a>
+                    <a class="btn btn-warning btn-outline" href="{% url 'two_factor:disable' %}">{% trans "Disable 2FA" %}</a>
                 {% else %}
-                    <a class="btn btn-primary" href="{% url 'two_factor:setup' %}">{% trans "Enable 2FA" %}</a>
+                    <a class="btn btn-secondary btn-outline" href="{% url 'two_factor:setup' %}">{% trans "Enable 2FA" %}</a>
                 {% endif %}
             </p>
 
diff --git a/hypha/apply/users/templates/users/partials/list.html b/hypha/apply/users/templates/users/partials/list.html
index 91de6e4f26..9eed27fc20 100644
--- a/hypha/apply/users/templates/users/partials/list.html
+++ b/hypha/apply/users/templates/users/partials/list.html
@@ -6,6 +6,7 @@
                 <li class="flex gap-2 items-center p-2 rounded border bg-base-100">
                     {% heroicon_micro "key" class="shrink-0 size-4 text-fg-muted" aria_hidden=true %}
                     <form
+                        x-data="{ dirty: false }"
                         hx-post="{% url 'users:passkey_rename' passkey.pk %}"
                         hx-target="#passkey-list"
                         hx-swap="outerHTML"
@@ -18,10 +19,12 @@
                             value="{{ passkey.name }}"
                             class="flex-1 input input-xs input-ghost"
                             aria-label="{% trans 'Passkey name' %}"
+                            data-tippy-content="{% trans 'Click to edit name' %}"
+                            @input="dirty = true"
                             required
                         />
-                        <button type="submit" class="btn btn-ghost btn-xs" title="{% trans 'Save name' %}">
-                            {% heroicon_micro "check" class="size-3" aria_hidden=true %}
+                        <button type="submit" class="btn btn-ghost btn-xs" :class="dirty && 'text-success'" title="{% trans 'Save name' %}">
+                            {% heroicon_micro "check" class="size-4" aria_hidden=true %}
                         </button>
                     </form>
                     <span class="text-xs text-fg-muted shrink-0" title="{{ passkey.created_at|date:'Y-m-d' }}">

From 046197bfed9e5d9cd55a1f2e9f8486953b61d469 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Mon, 23 Mar 2026 19:20:04 +0100
Subject: [PATCH 04/37] Tighting up the passkeys.js.

---
 hypha/apply/users/passkey_views.py | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
index 0d7d803f13..1db84d3011 100644
--- a/hypha/apply/users/passkey_views.py
+++ b/hypha/apply/users/passkey_views.py
@@ -129,8 +129,8 @@ def post(self, request):
                 expected_origin=_get_origin(request),
                 require_user_verification=True,
             )
-        except Exception as exc:
-            return JsonResponse({"error": str(exc)}, status=400)
+        except Exception:
+            return JsonResponse({"error": "Verification failed"}, status=400)
 
         name = (data.get("name") or "").strip() or timezone.now().strftime(
             "Passkey %Y-%m-%d"
@@ -180,7 +180,11 @@ def post(self, request):
         except PermissionDenied as e:
             return JsonResponse({"error": str(e)}, status=400)
 
-        credential_id_b64 = bytes_to_base64url(base64url_to_bytes(data["rawId"]))
+        try:
+            credential_id_b64 = bytes_to_base64url(base64url_to_bytes(data["rawId"]))
+        except (KeyError, Exception):
+            return JsonResponse({"error": "Invalid credential"}, status=400)
+
         try:
             passkey = Passkey.objects.select_related("user").get(
                 credential_id=credential_id_b64
@@ -215,8 +219,8 @@ def post(self, request):
                 credential_current_sign_count=passkey.sign_count,
                 require_user_verification=True,
             )
-        except Exception as exc:
-            return JsonResponse({"error": str(exc)}, status=400)
+        except Exception:
+            return JsonResponse({"error": "Verification failed"}, status=400)
 
         passkey.sign_count = verification.new_sign_count
         passkey.last_used_at = timezone.now()

From e3f61fd8aaed670b106a3f99bd1615c29f871fd6 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Mon, 23 Mar 2026 19:59:33 +0100
Subject: [PATCH 05/37] More generic errors and pass through next on passkey
 login.

---
 hypha/apply/users/passkey_views.py      | 10 +++++-----
 hypha/static_src/javascript/passkeys.js |  6 +++++-
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
index 1db84d3011..eb6fa20ae1 100644
--- a/hypha/apply/users/passkey_views.py
+++ b/hypha/apply/users/passkey_views.py
@@ -105,8 +105,8 @@ def post(self, request):
 
         try:
             challenge = _load_challenge(request)
-        except PermissionDenied as e:
-            return JsonResponse({"error": str(e)}, status=400)
+        except PermissionDenied:
+            return JsonResponse({"error": "No active WebAuthn challenge"}, status=400)
 
         try:
             credential = RegistrationCredential(
@@ -177,12 +177,12 @@ def post(self, request):
 
         try:
             challenge = _load_challenge(request)
-        except PermissionDenied as e:
-            return JsonResponse({"error": str(e)}, status=400)
+        except PermissionDenied:
+            return JsonResponse({"error": "No active WebAuthn challenge"}, status=400)
 
         try:
             credential_id_b64 = bytes_to_base64url(base64url_to_bytes(data["rawId"]))
-        except (KeyError, Exception):
+        except Exception:
             return JsonResponse({"error": "Invalid credential"}, status=400)
 
         try:
diff --git a/hypha/static_src/javascript/passkeys.js b/hypha/static_src/javascript/passkeys.js
index 8925b766b5..b574c21d02 100644
--- a/hypha/static_src/javascript/passkeys.js
+++ b/hypha/static_src/javascript/passkeys.js
@@ -208,7 +208,11 @@ window.hypha.passkeys = (function () {
 
       if (!credential) return;
 
-      const completeResp = await jsonPost(completeUrl, credential.toJSON());
+      const nextUrl = document.getElementById("passkey-next-url")?.value || "";
+      const completeResp = await jsonPost(completeUrl, {
+        ...credential.toJSON(),
+        next: nextUrl,
+      });
       if (!completeResp.ok) return;
       const data = await completeResp.json();
       window.location.href = data.redirect_url || "/";

From a40e8fbb50d50f81b441af41e83948245c975b1f Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Mon, 23 Mar 2026 20:56:45 +0100
Subject: [PATCH 06/37] Add MAX_PASSKEYS_PER_USER. Add ratelimit to more views.

---
 hypha/apply/users/passkey_views.py | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
index eb6fa20ae1..a8b56959a1 100644
--- a/hypha/apply/users/passkey_views.py
+++ b/hypha/apply/users/passkey_views.py
@@ -71,13 +71,26 @@ def _load_challenge(request) -> bytes:
 # ---------------------------------------------------------------------------
 
 
+MAX_PASSKEYS_PER_USER = 10
+
+
 @method_decorator(login_required, name="dispatch")
+@method_decorator(
+    ratelimit(key="user", rate=settings.DEFAULT_RATE_LIMIT, method="POST"),
+    name="dispatch",
+)
 class PasskeyRegisterBeginView(View):
     def post(self, request):
         user = request.user
+        existing_passkeys = list(user.passkeys.all())
+        if len(existing_passkeys) >= MAX_PASSKEYS_PER_USER:
+            return JsonResponse(
+                {"error": f"Maximum of {MAX_PASSKEYS_PER_USER} passkeys allowed"},
+                status=400,
+            )
         existing = [
             PublicKeyCredentialDescriptor(id=base64url_to_bytes(pk.credential_id))
-            for pk in user.passkeys.all()
+            for pk in existing_passkeys
         ]
         options = generate_registration_options(
             rp_id=_get_rp_id(request),
@@ -96,6 +109,10 @@ def post(self, request):
 
 
 @method_decorator(login_required, name="dispatch")
+@method_decorator(
+    ratelimit(key="user", rate=settings.DEFAULT_RATE_LIMIT, method="POST"),
+    name="dispatch",
+)
 class PasskeyRegisterCompleteView(View):
     def post(self, request):
         try:

From a026b02e5d1e4248084b61774e982a62a779d166 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Mon, 23 Mar 2026 21:23:15 +0100
Subject: [PATCH 07/37] Make sure it works for Linux desktop users with
 hardware keys etc. as well.

---
 hypha/static_src/javascript/passkeys.js | 32 ++++++++-----------------
 1 file changed, 10 insertions(+), 22 deletions(-)

diff --git a/hypha/static_src/javascript/passkeys.js b/hypha/static_src/javascript/passkeys.js
index b574c21d02..e5eeaeade1 100644
--- a/hypha/static_src/javascript/passkeys.js
+++ b/hypha/static_src/javascript/passkeys.js
@@ -34,34 +34,22 @@ window.hypha.passkeys = (function () {
     });
   }
 
-  /**
-   * Returns true when the current device has a platform authenticator
-   * (Touch ID, Windows Hello, Face ID, …) and the browser supports passkeys.
-   */
-  async function isPlatformAuthenticatorAvailable() {
-    if (
-      !window.PublicKeyCredential ||
-      !PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable
-    )
-      return false;
-    return PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
-  }
-
   /**
    * Show passkey-related UI elements only when the platform supports them.
    * Call this on DOMContentLoaded — elements with data-passkey-ui are hidden
    * by default and revealed here.
    */
   async function initUI() {
-    const [platformOk, conditionalOk] = await Promise.all([
-      isPlatformAuthenticatorAvailable().catch(() => false),
-      (
-        window.PublicKeyCredential?.isConditionalMediationAvailable?.() ??
-        Promise.resolve(false)
-      ).catch(() => false),
-    ]);
-
-    if (platformOk) {
+    const webAuthnAvailable = !!(
+      window.PublicKeyCredential && navigator.credentials
+    );
+
+    const conditionalOk = await (
+      window.PublicKeyCredential?.isConditionalMediationAvailable?.() ??
+      Promise.resolve(false)
+    ).catch(() => false);
+
+    if (webAuthnAvailable) {
       document
         .querySelectorAll("[data-passkey-ui]")
         .forEach((el) => el.removeAttribute("hidden"));

From 119f24d7099bfa0c994d929cd0e03c7181e26b1f Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Mon, 23 Mar 2026 22:09:39 +0100
Subject: [PATCH 08/37] Use CharField insgead of TextField and fix a comment.

---
 hypha/apply/users/migrations/0028_passkeys.py | 6 +++---
 hypha/apply/users/models.py                   | 6 +++---
 hypha/static_src/javascript/passkeys.js       | 6 +++---
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/hypha/apply/users/migrations/0028_passkeys.py b/hypha/apply/users/migrations/0028_passkeys.py
index 95c73c1f6e..448194b290 100644
--- a/hypha/apply/users/migrations/0028_passkeys.py
+++ b/hypha/apply/users/migrations/0028_passkeys.py
@@ -1,4 +1,4 @@
-# Generated by Django 5.2.12 on 2026-03-23 15:16
+# Generated by Django 5.2.12 on 2026-03-23 21:07
 
 import django.db.models.deletion
 from django.conf import settings
@@ -24,8 +24,8 @@ class Migration(migrations.Migration):
                     ),
                 ),
                 ("name", models.CharField(blank=True, max_length=255)),
-                ("credential_id", models.TextField(unique=True)),
-                ("public_key", models.TextField()),
+                ("credential_id", models.CharField(max_length=2048, unique=True)),
+                ("public_key", models.CharField(max_length=1024)),
                 ("sign_count", models.PositiveBigIntegerField(default=0)),
                 ("created_at", models.DateTimeField(auto_now_add=True)),
                 ("last_used_at", models.DateTimeField(blank=True, null=True)),
diff --git a/hypha/apply/users/models.py b/hypha/apply/users/models.py
index f0b188bd3b..82556fdc33 100644
--- a/hypha/apply/users/models.py
+++ b/hypha/apply/users/models.py
@@ -486,9 +486,9 @@ class Passkey(models.Model):
     )
     name = models.CharField(max_length=255, blank=True)
     # base64url-encoded credential id (unique per authenticator)
-    credential_id = models.TextField(unique=True)
-    # base64url-encoded CASE public key
-    public_key = models.TextField()
+    credential_id = models.CharField(max_length=2048, unique=True)
+    # base64url-encoded public key
+    public_key = models.CharField(max_length=1024)
     sign_count = models.PositiveBigIntegerField(default=0)
     created_at = models.DateTimeField(auto_now_add=True)
     last_used_at = models.DateTimeField(null=True, blank=True)
diff --git a/hypha/static_src/javascript/passkeys.js b/hypha/static_src/javascript/passkeys.js
index e5eeaeade1..72334d4e3f 100644
--- a/hypha/static_src/javascript/passkeys.js
+++ b/hypha/static_src/javascript/passkeys.js
@@ -6,9 +6,9 @@
  *   - PublicKeyCredential.parseRequestOptionsFromJSON()
  *   - PublicKeyCredential.prototype.toJSON()
  *
- * Availability is checked via isUserVerifyingPlatformAuthenticatorAvailable()
- * (not just window.PublicKeyCredential) so macOS Touch ID, Windows Hello,
- * iOS Face ID etc. are properly detected.
+ * Availability is checked via window.PublicKeyCredential && navigator.credentials,
+ * which covers platform authenticators (Touch ID, Windows Hello, Face ID) as well
+ * as roaming authenticators (security keys) and cross-device auth (QR code).
  */
 
 window.hypha = window.hypha || {};

From be5fa7d0afc396d0c26ed85eeb6387182b0eeef2 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Mon, 23 Mar 2026 22:14:58 +0100
Subject: [PATCH 09/37] Multi-tab challenge collision fix.

---
 hypha/apply/users/passkey_views.py | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
index a8b56959a1..3b0cffeb6f 100644
--- a/hypha/apply/users/passkey_views.py
+++ b/hypha/apply/users/passkey_views.py
@@ -33,7 +33,8 @@
 
 from .models import Passkey
 
-SESSION_CHALLENGE_KEY = "webauthn_challenge"
+SESSION_CHALLENGE_KEY_REGISTER = "webauthn_challenge_register"
+SESSION_CHALLENGE_KEY_AUTH = "webauthn_challenge_auth"
 
 
 def _get_rp_id(request):
@@ -55,12 +56,12 @@ def _get_origin(request):
     return f"{scheme}://{request.get_host()}"
 
 
-def _store_challenge(request, challenge: bytes):
-    request.session[SESSION_CHALLENGE_KEY] = base64.b64encode(challenge).decode()
+def _store_challenge(request, challenge: bytes, key: str):
+    request.session[key] = base64.b64encode(challenge).decode()
 
 
-def _load_challenge(request) -> bytes:
-    encoded = request.session.pop(SESSION_CHALLENGE_KEY, None)
+def _load_challenge(request, key: str) -> bytes:
+    encoded = request.session.pop(key, None)
     if not encoded:
         raise PermissionDenied("No active WebAuthn challenge.")
     return base64.b64decode(encoded)
@@ -104,7 +105,7 @@ def post(self, request):
             ),
             exclude_credentials=existing,
         )
-        _store_challenge(request, options.challenge)
+        _store_challenge(request, options.challenge, SESSION_CHALLENGE_KEY_REGISTER)
         return JsonResponse(json.loads(options_to_json(options)))
 
 
@@ -121,7 +122,7 @@ def post(self, request):
             return JsonResponse({"error": "Invalid JSON"}, status=400)
 
         try:
-            challenge = _load_challenge(request)
+            challenge = _load_challenge(request, SESSION_CHALLENGE_KEY_REGISTER)
         except PermissionDenied:
             return JsonResponse({"error": "No active WebAuthn challenge"}, status=400)
 
@@ -177,7 +178,7 @@ def post(self, request):
             rp_id=_get_rp_id(request),
             user_verification=UserVerificationRequirement.REQUIRED,
         )
-        _store_challenge(request, options.challenge)
+        _store_challenge(request, options.challenge, SESSION_CHALLENGE_KEY_AUTH)
         return JsonResponse(json.loads(options_to_json(options)))
 
 
@@ -193,7 +194,7 @@ def post(self, request):
             return JsonResponse({"error": "Invalid JSON"}, status=400)
 
         try:
-            challenge = _load_challenge(request)
+            challenge = _load_challenge(request, SESSION_CHALLENGE_KEY_AUTH)
         except PermissionDenied:
             return JsonResponse({"error": "No active WebAuthn challenge"}, status=400)
 

From acc9f1abfd36acab58c69a2b61b17851e7f2531a Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Mon, 23 Mar 2026 22:25:12 +0100
Subject: [PATCH 10/37] Store the transports info.

---
 hypha/apply/users/migrations/0028_passkeys.py | 3 ++-
 hypha/apply/users/models.py                   | 1 +
 hypha/apply/users/passkey_views.py            | 7 ++++++-
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/hypha/apply/users/migrations/0028_passkeys.py b/hypha/apply/users/migrations/0028_passkeys.py
index 448194b290..409247990d 100644
--- a/hypha/apply/users/migrations/0028_passkeys.py
+++ b/hypha/apply/users/migrations/0028_passkeys.py
@@ -1,4 +1,4 @@
-# Generated by Django 5.2.12 on 2026-03-23 21:07
+# Generated by Django 5.2.12 on 2026-03-23 21:24
 
 import django.db.models.deletion
 from django.conf import settings
@@ -27,6 +27,7 @@ class Migration(migrations.Migration):
                 ("credential_id", models.CharField(max_length=2048, unique=True)),
                 ("public_key", models.CharField(max_length=1024)),
                 ("sign_count", models.PositiveBigIntegerField(default=0)),
+                ("transports", models.JSONField(blank=True, default=list)),
                 ("created_at", models.DateTimeField(auto_now_add=True)),
                 ("last_used_at", models.DateTimeField(blank=True, null=True)),
                 (
diff --git a/hypha/apply/users/models.py b/hypha/apply/users/models.py
index 82556fdc33..73f3cddaaa 100644
--- a/hypha/apply/users/models.py
+++ b/hypha/apply/users/models.py
@@ -490,6 +490,7 @@ class Passkey(models.Model):
     # base64url-encoded public key
     public_key = models.CharField(max_length=1024)
     sign_count = models.PositiveBigIntegerField(default=0)
+    transports = models.JSONField(default=list, blank=True)
     created_at = models.DateTimeField(auto_now_add=True)
     last_used_at = models.DateTimeField(null=True, blank=True)
 
diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
index 3b0cffeb6f..59aae4bff2 100644
--- a/hypha/apply/users/passkey_views.py
+++ b/hypha/apply/users/passkey_views.py
@@ -25,6 +25,7 @@
     AuthenticatorAssertionResponse,
     AuthenticatorAttestationResponse,
     AuthenticatorSelectionCriteria,
+    AuthenticatorTransport,
     PublicKeyCredentialDescriptor,
     RegistrationCredential,
     ResidentKeyRequirement,
@@ -90,7 +91,10 @@ def post(self, request):
                 status=400,
             )
         existing = [
-            PublicKeyCredentialDescriptor(id=base64url_to_bytes(pk.credential_id))
+            PublicKeyCredentialDescriptor(
+                id=base64url_to_bytes(pk.credential_id),
+                transports=[AuthenticatorTransport(t) for t in pk.transports] or None,
+            )
             for pk in existing_passkeys
         ]
         options = generate_registration_options(
@@ -159,6 +163,7 @@ def post(self, request):
             credential_id=bytes_to_base64url(verification.credential_id),
             public_key=bytes_to_base64url(verification.credential_public_key),
             sign_count=verification.sign_count,
+            transports=data["response"].get("transports", []),
         )
         return JsonResponse({"status": "ok"})
 

From 0bcabfb02cd34a5e59c664cce1b80c862429ec02 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Mon, 23 Mar 2026 22:59:39 +0100
Subject: [PATCH 11/37] Fix login bug.

---
 hypha/apply/users/passkey_views.py      |  9 +++++----
 hypha/static_src/javascript/passkeys.js | 10 ++++++++++
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
index 59aae4bff2..ec3c234a59 100644
--- a/hypha/apply/users/passkey_views.py
+++ b/hypha/apply/users/passkey_views.py
@@ -6,7 +6,7 @@
 from django.contrib.auth.decorators import login_required
 from django.core.exceptions import PermissionDenied
 from django.http import JsonResponse
-from django.shortcuts import get_object_or_404, render
+from django.shortcuts import get_object_or_404, render, resolve_url
 from django.utils import timezone
 from django.utils.decorators import method_decorator
 from django.utils.http import url_has_allowed_host_and_scheme
@@ -250,16 +250,17 @@ def post(self, request):
         passkey.save(update_fields=["sign_count", "last_used_at"])
 
         user = passkey.user
-        login(request, user, backend="django.contrib.auth.backends.ModelBackend")
+        user.backend = settings.CUSTOM_AUTH_BACKEND
+        login(request, user)
         request.session["passkey_authenticated"] = True
 
-        next_url = data.get("next") or "/"
+        next_url = data.get("next") or resolve_url(settings.LOGIN_REDIRECT_URL)
         if not url_has_allowed_host_and_scheme(
             next_url,
             allowed_hosts={request.get_host()},
             require_https=request.is_secure(),
         ):
-            next_url = settings.LOGIN_REDIRECT_URL
+            next_url = resolve_url(settings.LOGIN_REDIRECT_URL)
         return JsonResponse({"status": "ok", "redirect_url": next_url})
 
 
diff --git a/hypha/static_src/javascript/passkeys.js b/hypha/static_src/javascript/passkeys.js
index 72334d4e3f..e4e842cc50 100644
--- a/hypha/static_src/javascript/passkeys.js
+++ b/hypha/static_src/javascript/passkeys.js
@@ -14,6 +14,7 @@
 window.hypha = window.hypha || {};
 
 window.hypha.passkeys = (function () {
+  let _conditionalAbortController = null;
   function getCsrfToken() {
     const el = document.querySelector("[name=csrfmiddlewaretoken]");
     if (el) return el.value;
@@ -126,6 +127,12 @@ window.hypha.passkeys = (function () {
    * Authenticate with a passkey via an explicit button click on the login page.
    */
   async function authenticate() {
+    // Abort any in-progress conditional mediation before starting explicit auth.
+    if (_conditionalAbortController) {
+      _conditionalAbortController.abort();
+      _conditionalAbortController = null;
+    }
+
     const beginUrl = document.getElementById("passkey-auth-begin-url")?.value;
     const completeUrl = document.getElementById(
       "passkey-auth-complete-url"
@@ -182,6 +189,8 @@ window.hypha.passkeys = (function () {
     )?.value;
     if (!beginUrl || !completeUrl) return;
 
+    _conditionalAbortController = new AbortController();
+
     try {
       const beginResp = await jsonPost(beginUrl, {});
       if (!beginResp.ok) return;
@@ -192,6 +201,7 @@ window.hypha.passkeys = (function () {
       const credential = await navigator.credentials.get({
         publicKey: PublicKeyCredential.parseRequestOptionsFromJSON(authOptions),
         mediation: "conditional",
+        signal: _conditionalAbortController.signal,
       });
 
       if (!credential) return;

From cb880742c04fecbb5eecd24057157d1d3d02b252 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Tue, 24 Mar 2026 09:19:20 +0100
Subject: [PATCH 12/37] Remove shrink-0 class, not needed.

---
 hypha/apply/users/templates/users/partials/list.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hypha/apply/users/templates/users/partials/list.html b/hypha/apply/users/templates/users/partials/list.html
index 9eed27fc20..93bd2d4072 100644
--- a/hypha/apply/users/templates/users/partials/list.html
+++ b/hypha/apply/users/templates/users/partials/list.html
@@ -4,7 +4,7 @@
         <ul class="flex flex-col gap-2">
             {% for passkey in passkeys %}
                 <li class="flex gap-2 items-center p-2 rounded border bg-base-100">
-                    {% heroicon_micro "key" class="shrink-0 size-4 text-fg-muted" aria_hidden=true %}
+                    {% heroicon_micro "key" class="size-4 text-fg-muted" aria_hidden=true %}
                     <form
                         x-data="{ dirty: false }"
                         hx-post="{% url 'users:passkey_rename' passkey.pk %}"
@@ -27,7 +27,7 @@
                             {% heroicon_micro "check" class="size-4" aria_hidden=true %}
                         </button>
                     </form>
-                    <span class="text-xs text-fg-muted shrink-0" title="{{ passkey.created_at|date:'Y-m-d' }}">
+                    <span class="text-xs text-fg-muted" title="{{ passkey.created_at|date:'Y-m-d' }}">
                         {% if passkey.last_used_at %}
                             {% blocktrans with when=passkey.last_used_at|timesince %}Used {{ when }} ago{% endblocktrans %}
                         {% else %}

From a1fdc352f5177f86614d0d7ea0c8db40f41a6768 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Tue, 24 Mar 2026 10:10:32 +0100
Subject: [PATCH 13/37] Improve some strings.

---
 hypha/apply/users/templates/users/account.html | 2 +-
 hypha/settings/base.py                         | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/hypha/apply/users/templates/users/account.html b/hypha/apply/users/templates/users/account.html
index 80b9657045..968e8e6c03 100644
--- a/hypha/apply/users/templates/users/account.html
+++ b/hypha/apply/users/templates/users/account.html
@@ -95,7 +95,7 @@ <h3 class="mb-2 text-sm font-semibold">
 
             <h3 class="mt-6 mb-2 text-sm font-semibold">{% trans "Passkeys" %}</h3>
             <p class="mb-2 text-sm text-fg-muted">
-                {% trans "Passkeys use your device's biometrics or PIN to sign in securely without a password." %}
+                {% trans "With passkeys you can use your fingerprint, face, or screen lock to login securely without a password." %}
             </p>
 
             {# Hidden inputs supply the API URLs to passkeys.js #}
diff --git a/hypha/settings/base.py b/hypha/settings/base.py
index 24b6fef630..41c3c618d7 100644
--- a/hypha/settings/base.py
+++ b/hypha/settings/base.py
@@ -30,7 +30,8 @@
 # DEFAULT_RATE_LIMIT is used by login, password, 2FA, etc
 DEFAULT_RATE_LIMIT = env.str("DEFAULT_RATE_LIMIT", "5/m")
 
-# IF Hypha should enforce 2FA for all users.
+# If Hypha should enforce 2FA for all users.
+# Users that login with passkeys are excluded since that is even more secure.
 ENFORCE_TWO_FACTOR = env.bool("ENFORCE_TWO_FACTOR", False)
 
 # WebAuthn / Passkey settings.

From f466f9dcf7b35fac91eba7acb3039cf55b6253c7 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Wed, 1 Apr 2026 18:53:47 +0200
Subject: [PATCH 14/37] Fix migration after rebase.

---
 .../users/migrations/{0028_passkeys.py => 0029_passkeys.py}     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename hypha/apply/users/migrations/{0028_passkeys.py => 0029_passkeys.py} (96%)

diff --git a/hypha/apply/users/migrations/0028_passkeys.py b/hypha/apply/users/migrations/0029_passkeys.py
similarity index 96%
rename from hypha/apply/users/migrations/0028_passkeys.py
rename to hypha/apply/users/migrations/0029_passkeys.py
index 409247990d..bb0044fa74 100644
--- a/hypha/apply/users/migrations/0028_passkeys.py
+++ b/hypha/apply/users/migrations/0029_passkeys.py
@@ -7,7 +7,7 @@
 
 class Migration(migrations.Migration):
     dependencies = [
-        ("users", "0027_remove_drupal_id_field"),
+        ("users", "0028_remove_partner_group"),
     ]
 
     operations = [

From 892ff464a774602b10f89adebff8205dbab9f6f2 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Mon, 6 Apr 2026 12:00:13 +0200
Subject: [PATCH 15/37] Change all passkey_views from class views to function
 views.

---
 hypha/apply/users/passkey_views.py | 383 ++++++++++++++---------------
 hypha/apply/users/urls.py          |  28 +--
 2 files changed, 195 insertions(+), 216 deletions(-)

diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
index ec3c234a59..3c4a00fd7c 100644
--- a/hypha/apply/users/passkey_views.py
+++ b/hypha/apply/users/passkey_views.py
@@ -8,9 +8,8 @@
 from django.http import JsonResponse
 from django.shortcuts import get_object_or_404, render, resolve_url
 from django.utils import timezone
-from django.utils.decorators import method_decorator
 from django.utils.http import url_has_allowed_host_and_scheme
-from django.views import View
+from django.views.decorators.http import require_GET, require_POST
 from django_ratelimit.decorators import ratelimit
 from webauthn import (
     generate_authentication_options,
@@ -76,96 +75,88 @@ def _load_challenge(request, key: str) -> bytes:
 MAX_PASSKEYS_PER_USER = 10
 
 
-@method_decorator(login_required, name="dispatch")
-@method_decorator(
-    ratelimit(key="user", rate=settings.DEFAULT_RATE_LIMIT, method="POST"),
-    name="dispatch",
-)
-class PasskeyRegisterBeginView(View):
-    def post(self, request):
-        user = request.user
-        existing_passkeys = list(user.passkeys.all())
-        if len(existing_passkeys) >= MAX_PASSKEYS_PER_USER:
-            return JsonResponse(
-                {"error": f"Maximum of {MAX_PASSKEYS_PER_USER} passkeys allowed"},
-                status=400,
-            )
-        existing = [
-            PublicKeyCredentialDescriptor(
-                id=base64url_to_bytes(pk.credential_id),
-                transports=[AuthenticatorTransport(t) for t in pk.transports] or None,
-            )
-            for pk in existing_passkeys
-        ]
-        options = generate_registration_options(
-            rp_id=_get_rp_id(request),
-            rp_name=_get_rp_name(),
-            user_id=str(user.pk).encode(),
-            user_name=user.email,
-            user_display_name=user.get_full_name() or user.email,
-            authenticator_selection=AuthenticatorSelectionCriteria(
-                resident_key=ResidentKeyRequirement.REQUIRED,
-                user_verification=UserVerificationRequirement.REQUIRED,
-            ),
-            exclude_credentials=existing,
+@login_required
+@require_POST
+@ratelimit(key="user", rate=settings.DEFAULT_RATE_LIMIT, method="POST")
+def passkey_register_begin(request):
+    user = request.user
+    existing_passkeys = list(user.passkeys.all())
+    if len(existing_passkeys) >= MAX_PASSKEYS_PER_USER:
+        return JsonResponse(
+            {"error": f"Maximum of {MAX_PASSKEYS_PER_USER} passkeys allowed"},
+            status=400,
         )
-        _store_challenge(request, options.challenge, SESSION_CHALLENGE_KEY_REGISTER)
-        return JsonResponse(json.loads(options_to_json(options)))
-
-
-@method_decorator(login_required, name="dispatch")
-@method_decorator(
-    ratelimit(key="user", rate=settings.DEFAULT_RATE_LIMIT, method="POST"),
-    name="dispatch",
-)
-class PasskeyRegisterCompleteView(View):
-    def post(self, request):
-        try:
-            data = json.loads(request.body)
-        except (json.JSONDecodeError, ValueError):
-            return JsonResponse({"error": "Invalid JSON"}, status=400)
-
-        try:
-            challenge = _load_challenge(request, SESSION_CHALLENGE_KEY_REGISTER)
-        except PermissionDenied:
-            return JsonResponse({"error": "No active WebAuthn challenge"}, status=400)
-
-        try:
-            credential = RegistrationCredential(
-                id=data["id"],
-                raw_id=base64url_to_bytes(data["rawId"]),
-                response=AuthenticatorAttestationResponse(
-                    client_data_json=base64url_to_bytes(
-                        data["response"]["clientDataJSON"]
-                    ),
-                    attestation_object=base64url_to_bytes(
-                        data["response"]["attestationObject"]
-                    ),
-                    transports=data["response"].get("transports", []),
+    existing = [
+        PublicKeyCredentialDescriptor(
+            id=base64url_to_bytes(pk.credential_id),
+            transports=[AuthenticatorTransport(t) for t in pk.transports] or None,
+        )
+        for pk in existing_passkeys
+    ]
+    options = generate_registration_options(
+        rp_id=_get_rp_id(request),
+        rp_name=_get_rp_name(),
+        user_id=str(user.pk).encode(),
+        user_name=user.email,
+        user_display_name=user.get_full_name() or user.email,
+        authenticator_selection=AuthenticatorSelectionCriteria(
+            resident_key=ResidentKeyRequirement.REQUIRED,
+            user_verification=UserVerificationRequirement.REQUIRED,
+        ),
+        exclude_credentials=existing,
+    )
+    _store_challenge(request, options.challenge, SESSION_CHALLENGE_KEY_REGISTER)
+    return JsonResponse(json.loads(options_to_json(options)))
+
+
+@login_required
+@require_POST
+@ratelimit(key="user", rate=settings.DEFAULT_RATE_LIMIT, method="POST")
+def passkey_register_complete(request):
+    try:
+        data = json.loads(request.body)
+    except (json.JSONDecodeError, ValueError):
+        return JsonResponse({"error": "Invalid JSON"}, status=400)
+
+    try:
+        challenge = _load_challenge(request, SESSION_CHALLENGE_KEY_REGISTER)
+    except PermissionDenied:
+        return JsonResponse({"error": "No active WebAuthn challenge"}, status=400)
+
+    try:
+        credential = RegistrationCredential(
+            id=data["id"],
+            raw_id=base64url_to_bytes(data["rawId"]),
+            response=AuthenticatorAttestationResponse(
+                client_data_json=base64url_to_bytes(data["response"]["clientDataJSON"]),
+                attestation_object=base64url_to_bytes(
+                    data["response"]["attestationObject"]
                 ),
-            )
-            verification = verify_registration_response(
-                credential=credential,
-                expected_challenge=challenge,
-                expected_rp_id=_get_rp_id(request),
-                expected_origin=_get_origin(request),
-                require_user_verification=True,
-            )
-        except Exception:
-            return JsonResponse({"error": "Verification failed"}, status=400)
-
-        name = (data.get("name") or "").strip() or timezone.now().strftime(
-            "Passkey %Y-%m-%d"
+                transports=data["response"].get("transports", []),
+            ),
         )
-        Passkey.objects.create(
-            user=request.user,
-            name=name,
-            credential_id=bytes_to_base64url(verification.credential_id),
-            public_key=bytes_to_base64url(verification.credential_public_key),
-            sign_count=verification.sign_count,
-            transports=data["response"].get("transports", []),
+        verification = verify_registration_response(
+            credential=credential,
+            expected_challenge=challenge,
+            expected_rp_id=_get_rp_id(request),
+            expected_origin=_get_origin(request),
+            require_user_verification=True,
         )
-        return JsonResponse({"status": "ok"})
+    except Exception:
+        return JsonResponse({"error": "Verification failed"}, status=400)
+
+    name = (data.get("name") or "").strip() or timezone.now().strftime(
+        "Passkey %Y-%m-%d"
+    )
+    Passkey.objects.create(
+        user=request.user,
+        name=name,
+        credential_id=bytes_to_base64url(verification.credential_id),
+        public_key=bytes_to_base64url(verification.credential_public_key),
+        sign_count=verification.sign_count,
+        transports=data["response"].get("transports", []),
+    )
+    return JsonResponse({"status": "ok"})
 
 
 # ---------------------------------------------------------------------------
@@ -173,95 +164,85 @@ def post(self, request):
 # ---------------------------------------------------------------------------
 
 
-@method_decorator(
-    ratelimit(key="ip", rate=settings.DEFAULT_RATE_LIMIT, method="POST"),
-    name="dispatch",
-)
-class PasskeyAuthBeginView(View):
-    def post(self, request):
-        options = generate_authentication_options(
-            rp_id=_get_rp_id(request),
-            user_verification=UserVerificationRequirement.REQUIRED,
+@require_POST
+@ratelimit(key="ip", rate=settings.DEFAULT_RATE_LIMIT, method="POST")
+def passkey_auth_begin(request):
+    options = generate_authentication_options(
+        rp_id=_get_rp_id(request),
+        user_verification=UserVerificationRequirement.REQUIRED,
+    )
+    _store_challenge(request, options.challenge, SESSION_CHALLENGE_KEY_AUTH)
+    return JsonResponse(json.loads(options_to_json(options)))
+
+
+@require_POST
+@ratelimit(key="ip", rate=settings.DEFAULT_RATE_LIMIT, method="POST")
+def passkey_auth_complete(request):
+    try:
+        data = json.loads(request.body)
+    except (json.JSONDecodeError, ValueError):
+        return JsonResponse({"error": "Invalid JSON"}, status=400)
+
+    try:
+        challenge = _load_challenge(request, SESSION_CHALLENGE_KEY_AUTH)
+    except PermissionDenied:
+        return JsonResponse({"error": "No active WebAuthn challenge"}, status=400)
+
+    try:
+        credential_id_b64 = bytes_to_base64url(base64url_to_bytes(data["rawId"]))
+    except Exception:
+        return JsonResponse({"error": "Invalid credential"}, status=400)
+
+    try:
+        passkey = Passkey.objects.select_related("user").get(
+            credential_id=credential_id_b64
+        )
+    except Passkey.DoesNotExist:
+        return JsonResponse({"error": "Unknown credential"}, status=400)
+
+    try:
+        user_handle = data["response"].get("userHandle")
+        credential = AuthenticationCredential(
+            id=data["id"],
+            raw_id=base64url_to_bytes(data["rawId"]),
+            response=AuthenticatorAssertionResponse(
+                client_data_json=base64url_to_bytes(data["response"]["clientDataJSON"]),
+                authenticator_data=base64url_to_bytes(
+                    data["response"]["authenticatorData"]
+                ),
+                signature=base64url_to_bytes(data["response"]["signature"]),
+                user_handle=base64url_to_bytes(user_handle) if user_handle else None,
+            ),
+        )
+        verification = verify_authentication_response(
+            credential=credential,
+            expected_challenge=challenge,
+            expected_rp_id=_get_rp_id(request),
+            expected_origin=_get_origin(request),
+            credential_public_key=base64url_to_bytes(passkey.public_key),
+            credential_current_sign_count=passkey.sign_count,
+            require_user_verification=True,
         )
-        _store_challenge(request, options.challenge, SESSION_CHALLENGE_KEY_AUTH)
-        return JsonResponse(json.loads(options_to_json(options)))
+    except Exception:
+        return JsonResponse({"error": "Verification failed"}, status=400)
 
+    passkey.sign_count = verification.new_sign_count
+    passkey.last_used_at = timezone.now()
+    passkey.save(update_fields=["sign_count", "last_used_at"])
 
-@method_decorator(
-    ratelimit(key="ip", rate=settings.DEFAULT_RATE_LIMIT, method="POST"),
-    name="dispatch",
-)
-class PasskeyAuthCompleteView(View):
-    def post(self, request):
-        try:
-            data = json.loads(request.body)
-        except (json.JSONDecodeError, ValueError):
-            return JsonResponse({"error": "Invalid JSON"}, status=400)
-
-        try:
-            challenge = _load_challenge(request, SESSION_CHALLENGE_KEY_AUTH)
-        except PermissionDenied:
-            return JsonResponse({"error": "No active WebAuthn challenge"}, status=400)
-
-        try:
-            credential_id_b64 = bytes_to_base64url(base64url_to_bytes(data["rawId"]))
-        except Exception:
-            return JsonResponse({"error": "Invalid credential"}, status=400)
-
-        try:
-            passkey = Passkey.objects.select_related("user").get(
-                credential_id=credential_id_b64
-            )
-        except Passkey.DoesNotExist:
-            return JsonResponse({"error": "Unknown credential"}, status=400)
-
-        try:
-            user_handle = data["response"].get("userHandle")
-            credential = AuthenticationCredential(
-                id=data["id"],
-                raw_id=base64url_to_bytes(data["rawId"]),
-                response=AuthenticatorAssertionResponse(
-                    client_data_json=base64url_to_bytes(
-                        data["response"]["clientDataJSON"]
-                    ),
-                    authenticator_data=base64url_to_bytes(
-                        data["response"]["authenticatorData"]
-                    ),
-                    signature=base64url_to_bytes(data["response"]["signature"]),
-                    user_handle=base64url_to_bytes(user_handle)
-                    if user_handle
-                    else None,
-                ),
-            )
-            verification = verify_authentication_response(
-                credential=credential,
-                expected_challenge=challenge,
-                expected_rp_id=_get_rp_id(request),
-                expected_origin=_get_origin(request),
-                credential_public_key=base64url_to_bytes(passkey.public_key),
-                credential_current_sign_count=passkey.sign_count,
-                require_user_verification=True,
-            )
-        except Exception:
-            return JsonResponse({"error": "Verification failed"}, status=400)
-
-        passkey.sign_count = verification.new_sign_count
-        passkey.last_used_at = timezone.now()
-        passkey.save(update_fields=["sign_count", "last_used_at"])
-
-        user = passkey.user
-        user.backend = settings.CUSTOM_AUTH_BACKEND
-        login(request, user)
-        request.session["passkey_authenticated"] = True
-
-        next_url = data.get("next") or resolve_url(settings.LOGIN_REDIRECT_URL)
-        if not url_has_allowed_host_and_scheme(
-            next_url,
-            allowed_hosts={request.get_host()},
-            require_https=request.is_secure(),
-        ):
-            next_url = resolve_url(settings.LOGIN_REDIRECT_URL)
-        return JsonResponse({"status": "ok", "redirect_url": next_url})
+    user = passkey.user
+    user.backend = settings.CUSTOM_AUTH_BACKEND
+    login(request, user)
+    request.session["passkey_authenticated"] = True
+
+    next_url = data.get("next") or resolve_url(settings.LOGIN_REDIRECT_URL)
+    if not url_has_allowed_host_and_scheme(
+        next_url,
+        allowed_hosts={request.get_host()},
+        require_https=request.is_secure(),
+    ):
+        next_url = resolve_url(settings.LOGIN_REDIRECT_URL)
+    return JsonResponse({"status": "ok", "redirect_url": next_url})
 
 
 # ---------------------------------------------------------------------------
@@ -269,31 +250,29 @@ def post(self, request):
 # ---------------------------------------------------------------------------
 
 
-@method_decorator(login_required, name="dispatch")
-class PasskeyListView(View):
-    template_name = "users/partials/list.html"
-
-    def get(self, request):
-        passkeys = request.user.passkeys.all()
-        return render(request, self.template_name, {"passkeys": passkeys})
-
-
-@method_decorator(login_required, name="dispatch")
-class PasskeyDeleteView(View):
-    def post(self, request, pk):
-        passkey = get_object_or_404(Passkey, pk=pk, user=request.user)
-        passkey.delete()
-        passkeys = request.user.passkeys.all()
-        return render(request, "users/partials/list.html", {"passkeys": passkeys})
-
-
-@method_decorator(login_required, name="dispatch")
-class PasskeyRenameView(View):
-    def post(self, request, pk):
-        passkey = get_object_or_404(Passkey, pk=pk, user=request.user)
-        name = request.POST.get("name", "").strip()
-        if name:
-            passkey.name = name
-            passkey.save(update_fields=["name"])
-        passkeys = request.user.passkeys.all()
-        return render(request, "users/partials/list.html", {"passkeys": passkeys})
+@login_required
+@require_GET
+def passkey_list(request):
+    passkeys = request.user.passkeys.all()
+    return render(request, "users/partials/list.html", {"passkeys": passkeys})
+
+
+@login_required
+@require_POST
+def passkey_delete(request, pk):
+    passkey = get_object_or_404(Passkey, pk=pk, user=request.user)
+    passkey.delete()
+    passkeys = request.user.passkeys.all()
+    return render(request, "users/partials/list.html", {"passkeys": passkeys})
+
+
+@login_required
+@require_POST
+def passkey_rename(request, pk):
+    passkey = get_object_or_404(Passkey, pk=pk, user=request.user)
+    name = request.POST.get("name", "").strip()
+    if name:
+        passkey.name = name
+        passkey.save(update_fields=["name"])
+    passkeys = request.user.passkeys.all()
+    return render(request, "users/partials/list.html", {"passkeys": passkeys})
diff --git a/hypha/apply/users/urls.py b/hypha/apply/users/urls.py
index 1d52bc3131..47c0907a65 100644
--- a/hypha/apply/users/urls.py
+++ b/hypha/apply/users/urls.py
@@ -7,13 +7,13 @@
 from hypha.elevate.views import elevate as elevate_view
 
 from .passkey_views import (
-    PasskeyAuthBeginView,
-    PasskeyAuthCompleteView,
-    PasskeyDeleteView,
-    PasskeyListView,
-    PasskeyRegisterBeginView,
-    PasskeyRegisterCompleteView,
-    PasskeyRenameView,
+    passkey_auth_begin,
+    passkey_auth_complete,
+    passkey_delete,
+    passkey_list,
+    passkey_register_begin,
+    passkey_register_complete,
+    passkey_rename,
 )
 from .views import (
     AccountView,
@@ -51,12 +51,12 @@
     # Passkey authentication — public (no login required)
     path(
         "passkeys/auth/begin/",
-        PasskeyAuthBeginView.as_view(),
+        passkey_auth_begin,
         name="passkey_auth_begin",
     ),
     path(
         "passkeys/auth/complete/",
-        PasskeyAuthCompleteView.as_view(),
+        passkey_auth_complete,
         name="passkey_auth_complete",
     ),
 ]
@@ -136,25 +136,25 @@
     ),
     path("hijack/", hijack_view, name="hijack"),
     # Passkey management
-    path("passkeys/", PasskeyListView.as_view(), name="passkey_list"),
+    path("passkeys/", passkey_list, name="passkey_list"),
     path(
         "passkeys/register/begin/",
-        PasskeyRegisterBeginView.as_view(),
+        passkey_register_begin,
         name="passkey_register_begin",
     ),
     path(
         "passkeys/register/complete/",
-        PasskeyRegisterCompleteView.as_view(),
+        passkey_register_complete,
         name="passkey_register_complete",
     ),
     path(
         "passkeys/<int:pk>/delete/",
-        PasskeyDeleteView.as_view(),
+        passkey_delete,
         name="passkey_delete",
     ),
     path(
         "passkeys/<int:pk>/rename/",
-        PasskeyRenameView.as_view(),
+        passkey_rename,
         name="passkey_rename",
     ),
     path("activate/", create_password, name="activate_password"),

From ca6a131203e1ee8f6dab9a15a9a964c0288faa1d Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Mon, 6 Apr 2026 16:45:42 +0200
Subject: [PATCH 16/37] Implement remember_me support for passkeys.

---
 hypha/apply/users/passkey_views.py      | 3 +++
 hypha/static_src/javascript/passkeys.js | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
index 3c4a00fd7c..23a3d4f7a4 100644
--- a/hypha/apply/users/passkey_views.py
+++ b/hypha/apply/users/passkey_views.py
@@ -235,6 +235,9 @@ def passkey_auth_complete(request):
     login(request, user)
     request.session["passkey_authenticated"] = True
 
+    if data.get("remember_me"):
+        request.session.set_expiry(settings.SESSION_COOKIE_AGE_LONG)
+
     next_url = data.get("next") or resolve_url(settings.LOGIN_REDIRECT_URL)
     if not url_has_allowed_host_and_scheme(
         next_url,
diff --git a/hypha/static_src/javascript/passkeys.js b/hypha/static_src/javascript/passkeys.js
index e4e842cc50..9cbf833548 100644
--- a/hypha/static_src/javascript/passkeys.js
+++ b/hypha/static_src/javascript/passkeys.js
@@ -24,6 +24,13 @@ window.hypha.passkeys = (function () {
     return cookie ? cookie.split("=")[1] : "";
   }
 
+  function getRememberMe() {
+    const el =
+      document.getElementById("id_auth-remember_me") ||
+      document.getElementById("id_remember_me");
+    return el ? el.checked : false;
+  }
+
   function jsonPost(url, body) {
     return fetch(url, {
       method: "POST",
@@ -158,6 +165,7 @@ window.hypha.passkeys = (function () {
       const completeResp = await jsonPost(completeUrl, {
         ...credential.toJSON(),
         next: nextUrl,
+        remember_me: getRememberMe(),
       });
       if (!completeResp.ok) {
         const err = await completeResp.json();
@@ -210,6 +218,7 @@ window.hypha.passkeys = (function () {
       const completeResp = await jsonPost(completeUrl, {
         ...credential.toJSON(),
         next: nextUrl,
+        remember_me: getRememberMe(),
       });
       if (!completeResp.ok) return;
       const data = await completeResp.json();

From 3c1e7cfc5a4b9cd673d2f25731da28216cc3ae30 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Wed, 15 Apr 2026 19:23:06 +0200
Subject: [PATCH 17/37] Update
 hypha/apply/users/templates/users/partials/list.html

Co-authored-by: Wes Appler <145372368+wes-otf@users.noreply.github.com>
---
 hypha/apply/users/templates/users/partials/list.html | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/hypha/apply/users/templates/users/partials/list.html b/hypha/apply/users/templates/users/partials/list.html
index 93bd2d4072..4989c9f3e6 100644
--- a/hypha/apply/users/templates/users/partials/list.html
+++ b/hypha/apply/users/templates/users/partials/list.html
@@ -6,7 +6,7 @@
                 <li class="flex gap-2 items-center p-2 rounded border bg-base-100">
                     {% heroicon_micro "key" class="size-4 text-fg-muted" aria_hidden=true %}
                     <form
-                        x-data="{ dirty: false }"
+                        x-data="{ pkcurrent: '{{ passkey.name }}', pkinput: '{{ passkey.name }}' }"
                         hx-post="{% url 'users:passkey_rename' passkey.pk %}"
                         hx-target="#passkey-list"
                         hx-swap="outerHTML"
@@ -16,14 +16,13 @@
                         <input
                             type="text"
                             name="name"
-                            value="{{ passkey.name }}"
+                            x-model="pkinput"
                             class="flex-1 input input-xs input-ghost"
                             aria-label="{% trans 'Passkey name' %}"
                             data-tippy-content="{% trans 'Click to edit name' %}"
-                            @input="dirty = true"
                             required
                         />
-                        <button type="submit" class="btn btn-ghost btn-xs" :class="dirty && 'text-success'" title="{% trans 'Save name' %}">
+                        <button type="submit" class="btn btn-ghost btn-xs text-success" :class="pkcurrent == pkinput && 'btn-disabled invisible'"  title="{% trans 'Save name' %}">
                             {% heroicon_micro "check" class="size-4" aria_hidden=true %}
                         </button>
                     </form>

From 654adfc1e67911b74e1a6b2b0d8c1515b982379e Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Wed, 15 Apr 2026 22:07:20 +0200
Subject: [PATCH 18/37] Escape user unput with escapejs and make the same
 button look like a button and turn green on save.

---
 hypha/apply/users/templates/users/partials/list.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hypha/apply/users/templates/users/partials/list.html b/hypha/apply/users/templates/users/partials/list.html
index 4989c9f3e6..dad0d04220 100644
--- a/hypha/apply/users/templates/users/partials/list.html
+++ b/hypha/apply/users/templates/users/partials/list.html
@@ -6,7 +6,7 @@
                 <li class="flex gap-2 items-center p-2 rounded border bg-base-100">
                     {% heroicon_micro "key" class="size-4 text-fg-muted" aria_hidden=true %}
                     <form
-                        x-data="{ pkcurrent: '{{ passkey.name }}', pkinput: '{{ passkey.name }}' }"
+                        x-data="{ pkcurrent: '{{ passkey.name|escapejs }}', pkinput: '{{ passkey.name|escapejs }}' }"
                         hx-post="{% url 'users:passkey_rename' passkey.pk %}"
                         hx-target="#passkey-list"
                         hx-swap="outerHTML"
@@ -22,7 +22,7 @@
                             data-tippy-content="{% trans 'Click to edit name' %}"
                             required
                         />
-                        <button type="submit" class="btn btn-ghost btn-xs text-success" :class="pkcurrent == pkinput && 'btn-disabled invisible'"  title="{% trans 'Save name' %}">
+                        <button type="submit" class="transition-all duration-500 border-primary text-primary btn btn-ghost btn-xs" :class="pkcurrent == pkinput && 'border-transparent text-success'" title="{% trans 'Save name' %}">
                             {% heroicon_micro "check" class="size-4" aria_hidden=true %}
                         </button>
                     </form>

From cd844e45536a7cfb8b73785f3848b1dd08e1cb95 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Wed, 15 Apr 2026 22:39:30 +0200
Subject: [PATCH 19/37] Check that redirect_url is local, just to be safe. Move
 values from hidden inputs to data attributes. Handle os errors nicer, like
 when trying to add a second icloud key.

---
 hypha/apply/users/passkey_views.py            |  2 -
 .../apply/users/templates/users/account.html  |  4 --
 .../users/includes/passkey_login_button.html  |  6 +-
 .../users/templates/users/partials/list.html  |  3 +
 hypha/static_src/javascript/passkeys.js       | 55 ++++++++++++-------
 5 files changed, 42 insertions(+), 28 deletions(-)

diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
index 23a3d4f7a4..18b32d4b17 100644
--- a/hypha/apply/users/passkey_views.py
+++ b/hypha/apply/users/passkey_views.py
@@ -24,7 +24,6 @@
     AuthenticatorAssertionResponse,
     AuthenticatorAttestationResponse,
     AuthenticatorSelectionCriteria,
-    AuthenticatorTransport,
     PublicKeyCredentialDescriptor,
     RegistrationCredential,
     ResidentKeyRequirement,
@@ -89,7 +88,6 @@ def passkey_register_begin(request):
     existing = [
         PublicKeyCredentialDescriptor(
             id=base64url_to_bytes(pk.credential_id),
-            transports=[AuthenticatorTransport(t) for t in pk.transports] or None,
         )
         for pk in existing_passkeys
     ]
diff --git a/hypha/apply/users/templates/users/account.html b/hypha/apply/users/templates/users/account.html
index 968e8e6c03..cd7e1e18d6 100644
--- a/hypha/apply/users/templates/users/account.html
+++ b/hypha/apply/users/templates/users/account.html
@@ -98,10 +98,6 @@ <h3 class="mt-6 mb-2 text-sm font-semibold">{% trans "Passkeys" %}</h3>
                 {% trans "With passkeys you can use your fingerprint, face, or screen lock to login securely without a password." %}
             </p>
 
-            {# Hidden inputs supply the API URLs to passkeys.js #}
-            <input type="hidden" id="passkey-register-begin-url" value="{% url 'users:passkey_register_begin' %}">
-            <input type="hidden" id="passkey-register-complete-url" value="{% url 'users:passkey_register_complete' %}">
-
             <div
                 hx-get="{% url 'users:passkey_list' %}"
                 hx-trigger="load"
diff --git a/hypha/apply/users/templates/users/includes/passkey_login_button.html b/hypha/apply/users/templates/users/includes/passkey_login_button.html
index 72c2d81ab0..1a8bccb22b 100644
--- a/hypha/apply/users/templates/users/includes/passkey_login_button.html
+++ b/hypha/apply/users/templates/users/includes/passkey_login_button.html
@@ -4,6 +4,9 @@
     id="btn-passkey-login"
     class="btn btn-secondary btn-outline"
     data-passkey-ui
+    data-begin-url="{% url 'users:passkey_auth_begin' %}"
+    data-complete-url="{% url 'users:passkey_auth_complete' %}"
+    data-next-url="{{ redirect_url|default:'' }}"
     hidden
     onclick="hypha.passkeys.authenticate()"
 >
@@ -15,6 +18,3 @@
    data-error-begin="{% trans "Failed to begin authentication" %}"
    data-error-auth="{% trans "Authentication failed" %}"
    hidden></p>
-<input type="hidden" id="passkey-auth-begin-url" value="{% url 'users:passkey_auth_begin' %}">
-<input type="hidden" id="passkey-auth-complete-url" value="{% url 'users:passkey_auth_complete' %}">
-<input type="hidden" id="passkey-next-url" value="{{ redirect_url|default:'' }}">
diff --git a/hypha/apply/users/templates/users/partials/list.html b/hypha/apply/users/templates/users/partials/list.html
index dad0d04220..051958dcd1 100644
--- a/hypha/apply/users/templates/users/partials/list.html
+++ b/hypha/apply/users/templates/users/partials/list.html
@@ -53,8 +53,11 @@
 
     <form
         class="flex gap-2 mt-3"
+        data-begin-url="{% url 'users:passkey_register_begin' %}"
+        data-complete-url="{% url 'users:passkey_register_complete' %}"
         data-error-server="{% trans "Server error" %}"
         data-error-register="{% trans "Registration failed" %}"
+        data-error-duplicate="{% trans "This authenticator already has a passkey registered. Try a different authenticator or device." %}"
         onsubmit="hypha.passkeys.register(this); return false;"
     >
         <input
diff --git a/hypha/static_src/javascript/passkeys.js b/hypha/static_src/javascript/passkeys.js
index 9cbf833548..b94e3de652 100644
--- a/hypha/static_src/javascript/passkeys.js
+++ b/hypha/static_src/javascript/passkeys.js
@@ -74,12 +74,8 @@ window.hypha.passkeys = (function () {
    * @param {HTMLFormElement} formEl  The <form> element containing a [name=name] input.
    */
   async function register(formEl) {
-    const beginUrl = document.getElementById(
-      "passkey-register-begin-url"
-    )?.value;
-    const completeUrl = document.getElementById(
-      "passkey-register-complete-url"
-    )?.value;
+    const beginUrl = formEl?.dataset.beginUrl;
+    const completeUrl = formEl?.dataset.completeUrl;
     if (!beginUrl || !completeUrl) return;
 
     const nameInput = formEl?.querySelector("[name=name]");
@@ -121,7 +117,16 @@ window.hypha.passkeys = (function () {
       window.location.reload();
     } catch (err) {
       // NotAllowedError means the user dismissed the native OS dialog — not an error.
-      if (err.name !== "NotAllowedError" && errorEl) {
+      if (err.name === "NotAllowedError") {
+        // user cancelled — do nothing
+      } else if (err.name === "InvalidStateError") {
+        if (errorEl) {
+          errorEl.textContent =
+            formEl?.dataset.errorDuplicate ||
+            "This authenticator already has a passkey registered. Try a different authenticator or device.";
+          errorEl.hidden = false;
+        }
+      } else if (errorEl) {
         errorEl.textContent = err.message;
         errorEl.hidden = false;
       }
@@ -140,13 +145,12 @@ window.hypha.passkeys = (function () {
       _conditionalAbortController = null;
     }
 
-    const beginUrl = document.getElementById("passkey-auth-begin-url")?.value;
-    const completeUrl = document.getElementById(
-      "passkey-auth-complete-url"
-    )?.value;
+    const btn = document.getElementById("btn-passkey-login");
+    const beginUrl = btn?.dataset.beginUrl;
+    const completeUrl = btn?.dataset.completeUrl;
     if (!beginUrl || !completeUrl) return;
 
-    const nextUrl = document.getElementById("passkey-next-url")?.value || "";
+    const nextUrl = btn?.dataset.nextUrl || "";
     const errorEl = document.getElementById("passkey-auth-error");
 
     try {
@@ -174,7 +178,14 @@ window.hypha.passkeys = (function () {
         );
       }
       const data = await completeResp.json();
-      window.location.href = data.redirect_url || "/";
+      const redirectUrl = new URL(
+        data.redirect_url || "/",
+        window.location.origin
+      );
+      window.location.href =
+        redirectUrl.origin === window.location.origin
+          ? redirectUrl.pathname + redirectUrl.search + redirectUrl.hash
+          : "/";
     } catch (err) {
       // NotAllowedError / AbortError = user dismissed the native UI.
       if (err.name !== "NotAllowedError" && err.name !== "AbortError") {
@@ -191,10 +202,9 @@ window.hypha.passkeys = (function () {
    * The email input needs autocomplete="username webauthn" for this to work.
    */
   async function _startConditionalMediation() {
-    const beginUrl = document.getElementById("passkey-auth-begin-url")?.value;
-    const completeUrl = document.getElementById(
-      "passkey-auth-complete-url"
-    )?.value;
+    const btn = document.getElementById("btn-passkey-login");
+    const beginUrl = btn?.dataset.beginUrl;
+    const completeUrl = btn?.dataset.completeUrl;
     if (!beginUrl || !completeUrl) return;
 
     _conditionalAbortController = new AbortController();
@@ -214,7 +224,7 @@ window.hypha.passkeys = (function () {
 
       if (!credential) return;
 
-      const nextUrl = document.getElementById("passkey-next-url")?.value || "";
+      const nextUrl = btn?.dataset.nextUrl || "";
       const completeResp = await jsonPost(completeUrl, {
         ...credential.toJSON(),
         next: nextUrl,
@@ -222,7 +232,14 @@ window.hypha.passkeys = (function () {
       });
       if (!completeResp.ok) return;
       const data = await completeResp.json();
-      window.location.href = data.redirect_url || "/";
+      const redirectUrl = new URL(
+        data.redirect_url || "/",
+        window.location.origin
+      );
+      window.location.href =
+        redirectUrl.origin === window.location.origin
+          ? redirectUrl.pathname + redirectUrl.search + redirectUrl.hash
+          : "/";
     } catch (_err) {
       // Expected: aborted when user submits the password form normally.
     }

From 6359437e2490011eccf6734cf14352c9b4c59a3a Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Wed, 15 Apr 2026 23:07:13 +0200
Subject: [PATCH 20/37] Get CSRFToken from exisitng hxHeaders.

---
 hypha/static_src/javascript/passkeys.js | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/hypha/static_src/javascript/passkeys.js b/hypha/static_src/javascript/passkeys.js
index b94e3de652..0588629fdd 100644
--- a/hypha/static_src/javascript/passkeys.js
+++ b/hypha/static_src/javascript/passkeys.js
@@ -16,12 +16,8 @@ window.hypha = window.hypha || {};
 window.hypha.passkeys = (function () {
   let _conditionalAbortController = null;
   function getCsrfToken() {
-    const el = document.querySelector("[name=csrfmiddlewaretoken]");
-    if (el) return el.value;
-    const cookie = document.cookie
-      .split(";")
-      .find((c) => c.trim().startsWith("csrftoken="));
-    return cookie ? cookie.split("=")[1] : "";
+    const headers = JSON.parse(document.body.dataset.hxHeaders || "{}");
+    return headers["X-CSRFToken"] || "";
   }
 
   function getRememberMe() {

From edf7f10d123610c426a9bb1a6e352ca56fb017b3 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Thu, 16 Apr 2026 08:28:07 +0200
Subject: [PATCH 21/37] Ensure passkey name is max 128 chars.

---
 hypha/apply/users/passkey_views.py                   | 7 +++++--
 hypha/apply/users/templates/users/partials/list.html | 1 +
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
index 18b32d4b17..efda5e7efa 100644
--- a/hypha/apply/users/passkey_views.py
+++ b/hypha/apply/users/passkey_views.py
@@ -143,7 +143,7 @@ def passkey_register_complete(request):
     except Exception:
         return JsonResponse({"error": "Verification failed"}, status=400)
 
-    name = (data.get("name") or "").strip() or timezone.now().strftime(
+    name = (data.get("name") or "").strip()[:128] or timezone.now().strftime(
         "Passkey %Y-%m-%d"
     )
     Passkey.objects.create(
@@ -200,6 +200,9 @@ def passkey_auth_complete(request):
 
     try:
         user_handle = data["response"].get("userHandle")
+        if user_handle:
+            if base64url_to_bytes(user_handle) != str(passkey.user.pk).encode():
+                return JsonResponse({"error": "User handle mismatch"}, status=400)
         credential = AuthenticationCredential(
             id=data["id"],
             raw_id=base64url_to_bytes(data["rawId"]),
@@ -271,7 +274,7 @@ def passkey_delete(request, pk):
 @require_POST
 def passkey_rename(request, pk):
     passkey = get_object_or_404(Passkey, pk=pk, user=request.user)
-    name = request.POST.get("name", "").strip()
+    name = request.POST.get("name", "").strip()[:128]
     if name:
         passkey.name = name
         passkey.save(update_fields=["name"])
diff --git a/hypha/apply/users/templates/users/partials/list.html b/hypha/apply/users/templates/users/partials/list.html
index 051958dcd1..6302fa5aed 100644
--- a/hypha/apply/users/templates/users/partials/list.html
+++ b/hypha/apply/users/templates/users/partials/list.html
@@ -17,6 +17,7 @@
                             type="text"
                             name="name"
                             x-model="pkinput"
+                            maxlength="128"
                             class="flex-1 input input-xs input-ghost"
                             aria-label="{% trans 'Passkey name' %}"
                             data-tippy-content="{% trans 'Click to edit name' %}"

From 4cdcc2404f1e4055045d4a7bb5a697ce0f3ccd18 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Thu, 16 Apr 2026 08:44:06 +0200
Subject: [PATCH 22/37] Add some logging.

---
 hypha/apply/users/passkey_views.py | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
index efda5e7efa..d3980eaeac 100644
--- a/hypha/apply/users/passkey_views.py
+++ b/hypha/apply/users/passkey_views.py
@@ -1,5 +1,6 @@
 import base64
 import json
+import logging
 
 from django.conf import settings
 from django.contrib.auth import login
@@ -32,6 +33,8 @@
 
 from .models import Passkey
 
+logger = logging.getLogger(__name__)
+
 SESSION_CHALLENGE_KEY_REGISTER = "webauthn_challenge_register"
 SESSION_CHALLENGE_KEY_AUTH = "webauthn_challenge_auth"
 
@@ -141,6 +144,11 @@ def passkey_register_complete(request):
             require_user_verification=True,
         )
     except Exception:
+        logger.warning(
+            "Passkey registration verification failed for user %s",
+            request.user.pk,
+            exc_info=True,
+        )
         return JsonResponse({"error": "Verification failed"}, status=400)
 
     name = (data.get("name") or "").strip()[:128] or timezone.now().strftime(
@@ -154,6 +162,7 @@ def passkey_register_complete(request):
         sign_count=verification.sign_count,
         transports=data["response"].get("transports", []),
     )
+    logger.info("Passkey registered for user %s (name=%r)", request.user.pk, name)
     return JsonResponse({"status": "ok"})
 
 
@@ -225,6 +234,11 @@ def passkey_auth_complete(request):
             require_user_verification=True,
         )
     except Exception:
+        logger.warning(
+            "Passkey authentication verification failed for credential %s",
+            credential_id_b64,
+            exc_info=True,
+        )
         return JsonResponse({"error": "Verification failed"}, status=400)
 
     passkey.sign_count = verification.new_sign_count
@@ -265,6 +279,12 @@ def passkey_list(request):
 @require_POST
 def passkey_delete(request, pk):
     passkey = get_object_or_404(Passkey, pk=pk, user=request.user)
+    logger.info(
+        "Passkey deleted by user %s (passkey=%s, name=%r)",
+        request.user.pk,
+        pk,
+        passkey.name,
+    )
     passkey.delete()
     passkeys = request.user.passkeys.all()
     return render(request, "users/partials/list.html", {"passkeys": passkeys})

From ad3b23429a22627287376efbc8a9a7536b6b9c92 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Thu, 16 Apr 2026 08:53:33 +0200
Subject: [PATCH 23/37] Make all error strings translateble.

---
 hypha/apply/users/passkey_views.py | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
index d3980eaeac..0d274c9af7 100644
--- a/hypha/apply/users/passkey_views.py
+++ b/hypha/apply/users/passkey_views.py
@@ -10,6 +10,7 @@
 from django.shortcuts import get_object_or_404, render, resolve_url
 from django.utils import timezone
 from django.utils.http import url_has_allowed_host_and_scheme
+from django.utils.translation import gettext_lazy as _
 from django.views.decorators.http import require_GET, require_POST
 from django_ratelimit.decorators import ratelimit
 from webauthn import (
@@ -85,7 +86,11 @@ def passkey_register_begin(request):
     existing_passkeys = list(user.passkeys.all())
     if len(existing_passkeys) >= MAX_PASSKEYS_PER_USER:
         return JsonResponse(
-            {"error": f"Maximum of {MAX_PASSKEYS_PER_USER} passkeys allowed"},
+            {
+                "error": _("Maximum of {max} passkeys allowed").format(
+                    max=MAX_PASSKEYS_PER_USER
+                )
+            },
             status=400,
         )
     existing = [
@@ -117,12 +122,12 @@ def passkey_register_complete(request):
     try:
         data = json.loads(request.body)
     except (json.JSONDecodeError, ValueError):
-        return JsonResponse({"error": "Invalid JSON"}, status=400)
+        return JsonResponse({"error": _("Invalid JSON")}, status=400)
 
     try:
         challenge = _load_challenge(request, SESSION_CHALLENGE_KEY_REGISTER)
     except PermissionDenied:
-        return JsonResponse({"error": "No active WebAuthn challenge"}, status=400)
+        return JsonResponse({"error": _("No active WebAuthn challenge")}, status=400)
 
     try:
         credential = RegistrationCredential(
@@ -149,7 +154,7 @@ def passkey_register_complete(request):
             request.user.pk,
             exc_info=True,
         )
-        return JsonResponse({"error": "Verification failed"}, status=400)
+        return JsonResponse({"error": _("Verification failed")}, status=400)
 
     name = (data.get("name") or "").strip()[:128] or timezone.now().strftime(
         "Passkey %Y-%m-%d"
@@ -188,30 +193,30 @@ def passkey_auth_complete(request):
     try:
         data = json.loads(request.body)
     except (json.JSONDecodeError, ValueError):
-        return JsonResponse({"error": "Invalid JSON"}, status=400)
+        return JsonResponse({"error": _("Invalid JSON")}, status=400)
 
     try:
         challenge = _load_challenge(request, SESSION_CHALLENGE_KEY_AUTH)
     except PermissionDenied:
-        return JsonResponse({"error": "No active WebAuthn challenge"}, status=400)
+        return JsonResponse({"error": _("No active WebAuthn challenge")}, status=400)
 
     try:
         credential_id_b64 = bytes_to_base64url(base64url_to_bytes(data["rawId"]))
     except Exception:
-        return JsonResponse({"error": "Invalid credential"}, status=400)
+        return JsonResponse({"error": _("Invalid credential")}, status=400)
 
     try:
         passkey = Passkey.objects.select_related("user").get(
             credential_id=credential_id_b64
         )
     except Passkey.DoesNotExist:
-        return JsonResponse({"error": "Unknown credential"}, status=400)
+        return JsonResponse({"error": _("Unknown credential")}, status=400)
 
     try:
         user_handle = data["response"].get("userHandle")
         if user_handle:
             if base64url_to_bytes(user_handle) != str(passkey.user.pk).encode():
-                return JsonResponse({"error": "User handle mismatch"}, status=400)
+                return JsonResponse({"error": _("User handle mismatch")}, status=400)
         credential = AuthenticationCredential(
             id=data["id"],
             raw_id=base64url_to_bytes(data["rawId"]),
@@ -239,7 +244,7 @@ def passkey_auth_complete(request):
             credential_id_b64,
             exc_info=True,
         )
-        return JsonResponse({"error": "Verification failed"}, status=400)
+        return JsonResponse({"error": _("Verification failed")}, status=400)
 
     passkey.sign_count = verification.new_sign_count
     passkey.last_used_at = timezone.now()

From 344d8feb8b5bfabd5eafed5981b7881302e53127 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Thu, 16 Apr 2026 09:03:15 +0200
Subject: [PATCH 24/37] Use transaction.atomic for passkeys loggin.

---
 hypha/apply/users/passkey_views.py | 81 +++++++++++++++++-------------
 1 file changed, 45 insertions(+), 36 deletions(-)

diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
index 0d274c9af7..c48a418f59 100644
--- a/hypha/apply/users/passkey_views.py
+++ b/hypha/apply/users/passkey_views.py
@@ -6,6 +6,7 @@
 from django.contrib.auth import login
 from django.contrib.auth.decorators import login_required
 from django.core.exceptions import PermissionDenied
+from django.db import transaction
 from django.http import JsonResponse
 from django.shortcuts import get_object_or_404, render, resolve_url
 from django.utils import timezone
@@ -206,38 +207,52 @@ def passkey_auth_complete(request):
         return JsonResponse({"error": _("Invalid credential")}, status=400)
 
     try:
-        passkey = Passkey.objects.select_related("user").get(
-            credential_id=credential_id_b64
-        )
+        with transaction.atomic():
+            passkey = (
+                Passkey.objects.select_related("user")
+                .select_for_update()
+                .get(credential_id=credential_id_b64)
+            )
+
+            user_handle = data["response"].get("userHandle")
+            if user_handle:
+                if base64url_to_bytes(user_handle) != str(passkey.user.pk).encode():
+                    return JsonResponse(
+                        {"error": _("User handle mismatch")}, status=400
+                    )
+            credential = AuthenticationCredential(
+                id=data["id"],
+                raw_id=base64url_to_bytes(data["rawId"]),
+                response=AuthenticatorAssertionResponse(
+                    client_data_json=base64url_to_bytes(
+                        data["response"]["clientDataJSON"]
+                    ),
+                    authenticator_data=base64url_to_bytes(
+                        data["response"]["authenticatorData"]
+                    ),
+                    signature=base64url_to_bytes(data["response"]["signature"]),
+                    user_handle=base64url_to_bytes(user_handle)
+                    if user_handle
+                    else None,
+                ),
+            )
+            verification = verify_authentication_response(
+                credential=credential,
+                expected_challenge=challenge,
+                expected_rp_id=_get_rp_id(request),
+                expected_origin=_get_origin(request),
+                credential_public_key=base64url_to_bytes(passkey.public_key),
+                credential_current_sign_count=passkey.sign_count,
+                require_user_verification=True,
+            )
+
+            passkey.sign_count = verification.new_sign_count
+            passkey.last_used_at = timezone.now()
+            passkey.save(update_fields=["sign_count", "last_used_at"])
+
+            user = passkey.user
     except Passkey.DoesNotExist:
         return JsonResponse({"error": _("Unknown credential")}, status=400)
-
-    try:
-        user_handle = data["response"].get("userHandle")
-        if user_handle:
-            if base64url_to_bytes(user_handle) != str(passkey.user.pk).encode():
-                return JsonResponse({"error": _("User handle mismatch")}, status=400)
-        credential = AuthenticationCredential(
-            id=data["id"],
-            raw_id=base64url_to_bytes(data["rawId"]),
-            response=AuthenticatorAssertionResponse(
-                client_data_json=base64url_to_bytes(data["response"]["clientDataJSON"]),
-                authenticator_data=base64url_to_bytes(
-                    data["response"]["authenticatorData"]
-                ),
-                signature=base64url_to_bytes(data["response"]["signature"]),
-                user_handle=base64url_to_bytes(user_handle) if user_handle else None,
-            ),
-        )
-        verification = verify_authentication_response(
-            credential=credential,
-            expected_challenge=challenge,
-            expected_rp_id=_get_rp_id(request),
-            expected_origin=_get_origin(request),
-            credential_public_key=base64url_to_bytes(passkey.public_key),
-            credential_current_sign_count=passkey.sign_count,
-            require_user_verification=True,
-        )
     except Exception:
         logger.warning(
             "Passkey authentication verification failed for credential %s",
@@ -245,12 +260,6 @@ def passkey_auth_complete(request):
             exc_info=True,
         )
         return JsonResponse({"error": _("Verification failed")}, status=400)
-
-    passkey.sign_count = verification.new_sign_count
-    passkey.last_used_at = timezone.now()
-    passkey.save(update_fields=["sign_count", "last_used_at"])
-
-    user = passkey.user
     user.backend = settings.CUSTOM_AUTH_BACKEND
     login(request, user)
     request.session["passkey_authenticated"] = True

From eacc919952a8ecfa29f2e8f7a66d2103eafb6d5b Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Thu, 16 Apr 2026 09:05:42 +0200
Subject: [PATCH 25/37] Log cloned authenticators.

---
 hypha/apply/users/passkey_views.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
index c48a418f59..0ad1988573 100644
--- a/hypha/apply/users/passkey_views.py
+++ b/hypha/apply/users/passkey_views.py
@@ -22,6 +22,7 @@
     verify_registration_response,
 )
 from webauthn.helpers import base64url_to_bytes, bytes_to_base64url
+from webauthn.helpers.exceptions import InvalidAuthenticationResponse
 from webauthn.helpers.structs import (
     AuthenticationCredential,
     AuthenticatorAssertionResponse,
@@ -253,6 +254,21 @@ def passkey_auth_complete(request):
             user = passkey.user
     except Passkey.DoesNotExist:
         return JsonResponse({"error": _("Unknown credential")}, status=400)
+    except InvalidAuthenticationResponse as exc:
+        if "sign count" in str(exc).lower():
+            logger.error(
+                "Passkey sign count regression — possible cloned authenticator"
+                " (credential=%s): %s",
+                credential_id_b64,
+                exc,
+            )
+        else:
+            logger.warning(
+                "Passkey authentication verification failed for credential %s: %s",
+                credential_id_b64,
+                exc,
+            )
+        return JsonResponse({"error": _("Verification failed")}, status=400)
     except Exception:
         logger.warning(
             "Passkey authentication verification failed for credential %s",

From 03251f81fb93cddb1d5e5cf32f1e9306b1535a1c Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Thu, 16 Apr 2026 09:50:14 +0200
Subject: [PATCH 26/37] Get CSRFToken from exisitng hxHeaders, part 2.

---
 hypha/static_src/javascript/passkeys.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hypha/static_src/javascript/passkeys.js b/hypha/static_src/javascript/passkeys.js
index 0588629fdd..be99503a2e 100644
--- a/hypha/static_src/javascript/passkeys.js
+++ b/hypha/static_src/javascript/passkeys.js
@@ -16,7 +16,8 @@ window.hypha = window.hypha || {};
 window.hypha.passkeys = (function () {
   let _conditionalAbortController = null;
   function getCsrfToken() {
-    const headers = JSON.parse(document.body.dataset.hxHeaders || "{}");
+    const hxheaders = document.body.getAttribute("hx-headers") || "{}";
+    const headers = JSON.parse(hxheaders);
     return headers["X-CSRFToken"] || "";
   }
 

From 652fa7a48065f6803afa23c0d79e84437e0aa060 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Thu, 16 Apr 2026 09:57:51 +0200
Subject: [PATCH 27/37] Wrap create key in a try statement.

---
 hypha/apply/users/passkey_views.py | 40 +++++++++++++++++-------------
 1 file changed, 23 insertions(+), 17 deletions(-)

diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
index 0ad1988573..1ce89929a3 100644
--- a/hypha/apply/users/passkey_views.py
+++ b/hypha/apply/users/passkey_views.py
@@ -161,14 +161,20 @@ def passkey_register_complete(request):
     name = (data.get("name") or "").strip()[:128] or timezone.now().strftime(
         "Passkey %Y-%m-%d"
     )
-    Passkey.objects.create(
-        user=request.user,
-        name=name,
-        credential_id=bytes_to_base64url(verification.credential_id),
-        public_key=bytes_to_base64url(verification.credential_public_key),
-        sign_count=verification.sign_count,
-        transports=data["response"].get("transports", []),
-    )
+    try:
+        Passkey.objects.create(
+            user=request.user,
+            name=name,
+            credential_id=bytes_to_base64url(verification.credential_id),
+            public_key=bytes_to_base64url(verification.credential_public_key),
+            sign_count=verification.sign_count,
+            transports=data["response"].get("transports", []),
+        )
+    except Exception:
+        logger.warning(
+            "Failed to save passkey for user %s", request.user.pk, exc_info=True
+        )
+        return JsonResponse({"error": _("Could not save passkey")}, status=500)
     logger.info("Passkey registered for user %s (name=%r)", request.user.pk, name)
     return JsonResponse({"status": "ok"})
 
@@ -204,6 +210,10 @@ def passkey_auth_complete(request):
 
     try:
         credential_id_b64 = bytes_to_base64url(base64url_to_bytes(data["rawId"]))
+        raw_user_handle = data["response"].get("userHandle")
+        user_handle_bytes = (
+            base64url_to_bytes(raw_user_handle) if raw_user_handle else None
+        )
     except Exception:
         return JsonResponse({"error": _("Invalid credential")}, status=400)
 
@@ -215,12 +225,10 @@ def passkey_auth_complete(request):
                 .get(credential_id=credential_id_b64)
             )
 
-            user_handle = data["response"].get("userHandle")
-            if user_handle:
-                if base64url_to_bytes(user_handle) != str(passkey.user.pk).encode():
-                    return JsonResponse(
-                        {"error": _("User handle mismatch")}, status=400
-                    )
+            if user_handle_bytes is not None:
+                if user_handle_bytes != str(passkey.user.pk).encode():
+                    raise InvalidAuthenticationResponse("User handle mismatch")
+
             credential = AuthenticationCredential(
                 id=data["id"],
                 raw_id=base64url_to_bytes(data["rawId"]),
@@ -232,9 +240,7 @@ def passkey_auth_complete(request):
                         data["response"]["authenticatorData"]
                     ),
                     signature=base64url_to_bytes(data["response"]["signature"]),
-                    user_handle=base64url_to_bytes(user_handle)
-                    if user_handle
-                    else None,
+                    user_handle=user_handle_bytes,
                 ),
             )
             verification = verify_authentication_response(

From fbd2a1c404fdf0684644bc27524df6558765e6ae Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Thu, 16 Apr 2026 10:07:52 +0200
Subject: [PATCH 28/37] Settings comment regarding production.

---
 hypha/settings/base.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hypha/settings/base.py b/hypha/settings/base.py
index 41c3c618d7..d29b6a302c 100644
--- a/hypha/settings/base.py
+++ b/hypha/settings/base.py
@@ -36,7 +36,7 @@
 
 # WebAuthn / Passkey settings.
 # WEBAUTHN_RP_ID: the relying party domain, e.g. "example.com" (no port, no scheme).
-#   Defaults to the request host if not set.
+#   Defaults to the request host if not set. OBS! Do not use default in production!
 # WEBAUTHN_ORIGIN: the full origin, e.g. "https://example.com".
 #   Defaults to the request origin if not set.
 # WEBAUTHN_RP_NAME: display name shown in the browser passkey UI.

From e5d999002e94eb30140611f8b9eb619e8eca7da0 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Thu, 16 Apr 2026 11:21:33 +0200
Subject: [PATCH 29/37] Set maxlength on new key name field as well.

---
 hypha/apply/users/templates/users/partials/list.html | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hypha/apply/users/templates/users/partials/list.html b/hypha/apply/users/templates/users/partials/list.html
index 6302fa5aed..d5767f40ee 100644
--- a/hypha/apply/users/templates/users/partials/list.html
+++ b/hypha/apply/users/templates/users/partials/list.html
@@ -64,6 +64,7 @@
         <input
             type="text"
             name="name"
+            maxlength="128"
             class="flex-1 input input-sm"
             placeholder="{% trans "e.g. MacBook Touch ID" %}"
             aria-label="{% trans "Passkey name" %}"

From e6f135f8cdd9a1db3d43809b101846acd25bd27e Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Tue, 21 Apr 2026 20:40:35 +0200
Subject: [PATCH 30/37] Up public_key to 2048.

---
 hypha/apply/users/migrations/0029_passkeys.py | 2 +-
 hypha/apply/users/models.py                   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/hypha/apply/users/migrations/0029_passkeys.py b/hypha/apply/users/migrations/0029_passkeys.py
index bb0044fa74..2ccada79ca 100644
--- a/hypha/apply/users/migrations/0029_passkeys.py
+++ b/hypha/apply/users/migrations/0029_passkeys.py
@@ -25,7 +25,7 @@ class Migration(migrations.Migration):
                 ),
                 ("name", models.CharField(blank=True, max_length=255)),
                 ("credential_id", models.CharField(max_length=2048, unique=True)),
-                ("public_key", models.CharField(max_length=1024)),
+                ("public_key", models.CharField(max_length=2048)),
                 ("sign_count", models.PositiveBigIntegerField(default=0)),
                 ("transports", models.JSONField(blank=True, default=list)),
                 ("created_at", models.DateTimeField(auto_now_add=True)),
diff --git a/hypha/apply/users/models.py b/hypha/apply/users/models.py
index 73f3cddaaa..a61ffc3269 100644
--- a/hypha/apply/users/models.py
+++ b/hypha/apply/users/models.py
@@ -488,7 +488,7 @@ class Passkey(models.Model):
     # base64url-encoded credential id (unique per authenticator)
     credential_id = models.CharField(max_length=2048, unique=True)
     # base64url-encoded public key
-    public_key = models.CharField(max_length=1024)
+    public_key = models.CharField(max_length=2048)
     sign_count = models.PositiveBigIntegerField(default=0)
     transports = models.JSONField(default=list, blank=True)
     created_at = models.DateTimeField(auto_now_add=True)

From f24b22b61d6c3ed87c5494fc33a10dedbfd03239 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Tue, 21 Apr 2026 20:53:02 +0200
Subject: [PATCH 31/37] Add tests.

---
 hypha/apply/users/tests/test_passkey_views.py | 627 ++++++++++++++++++
 1 file changed, 627 insertions(+)
 create mode 100644 hypha/apply/users/tests/test_passkey_views.py

diff --git a/hypha/apply/users/tests/test_passkey_views.py b/hypha/apply/users/tests/test_passkey_views.py
new file mode 100644
index 0000000000..1b7e811b0e
--- /dev/null
+++ b/hypha/apply/users/tests/test_passkey_views.py
@@ -0,0 +1,627 @@
+"""Tests for WebAuthn passkey views (passkey_views.py)."""
+
+import base64
+import json
+from unittest.mock import MagicMock, patch
+
+from django.conf import settings
+from django.test import TestCase, override_settings
+from django.urls import reverse
+from webauthn.helpers import bytes_to_base64url
+from webauthn.helpers.exceptions import InvalidAuthenticationResponse
+
+from ..models import Passkey
+from ..passkey_views import (
+    MAX_PASSKEYS_PER_USER,
+    SESSION_CHALLENGE_KEY_AUTH,
+    SESSION_CHALLENGE_KEY_REGISTER,
+)
+from .factories import UserFactory
+
+AUTH_BEGIN_URL = reverse("users:passkey_auth_begin")
+AUTH_COMPLETE_URL = reverse("users:passkey_auth_complete")
+REGISTER_BEGIN_URL = reverse("users:passkey_register_begin")
+REGISTER_COMPLETE_URL = reverse("users:passkey_register_complete")
+PASSKEY_LIST_URL = reverse("users:passkey_list")
+
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+
+def make_passkey(
+    user, credential_id=None, public_key=None, name="Test Passkey", **kwargs
+):
+    """Create a Passkey for a user with sensible defaults."""
+    kwargs.setdefault("sign_count", 0)
+    kwargs.setdefault("transports", ["internal"])
+    return Passkey.objects.create(
+        user=user,
+        name=name,
+        # base64url of b"test-cred-id" and b"test-pubkey"
+        credential_id=credential_id or bytes_to_base64url(b"test-cred-id"),
+        public_key=public_key or bytes_to_base64url(b"test-pubkey"),
+        **kwargs,
+    )
+
+
+def set_challenge(client, key, challenge_bytes=b"test-challenge"):
+    """Store a base64-encoded WebAuthn challenge in the test client session."""
+    session = client.session
+    session[key] = base64.b64encode(challenge_bytes).decode()
+    session.save()
+
+
+# ---------------------------------------------------------------------------
+# Registration begin
+# ---------------------------------------------------------------------------
+
+
+@override_settings(RATELIMIT_ENABLE=False)
+class TestPasskeyRegisterBegin(TestCase):
+    def setUp(self):
+        self.user = UserFactory()
+        self.client.force_login(self.user)
+
+    def test_requires_login(self):
+        self.client.logout()
+        response = self.client.post(REGISTER_BEGIN_URL)
+        self.assertEqual(response.status_code, 302)
+
+    def test_requires_post(self):
+        response = self.client.get(REGISTER_BEGIN_URL)
+        self.assertEqual(response.status_code, 405)
+
+    def test_returns_registration_options(self):
+        response = self.client.post(REGISTER_BEGIN_URL)
+        self.assertEqual(response.status_code, 200)
+        data = response.json()
+        self.assertIn("challenge", data)
+        self.assertIn("rp", data)
+        self.assertIn("user", data)
+
+    def test_stores_challenge_in_session(self):
+        self.client.post(REGISTER_BEGIN_URL)
+        self.assertIn(SESSION_CHALLENGE_KEY_REGISTER, self.client.session)
+
+    def test_returns_400_when_max_passkeys_reached(self):
+        for i in range(MAX_PASSKEYS_PER_USER):
+            make_passkey(
+                self.user, credential_id=bytes_to_base64url(f"cred{i}".encode())
+            )
+        response = self.client.post(REGISTER_BEGIN_URL)
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("error", response.json())
+
+
+# ---------------------------------------------------------------------------
+# Registration complete
+# ---------------------------------------------------------------------------
+
+
+@override_settings(RATELIMIT_ENABLE=False)
+class TestPasskeyRegisterComplete(TestCase):
+    CHALLENGE = b"test-challenge-register"
+
+    def setUp(self):
+        self.user = UserFactory()
+        self.client.force_login(self.user)
+
+    def _set_challenge(self):
+        set_challenge(self.client, SESSION_CHALLENGE_KEY_REGISTER, self.CHALLENGE)
+
+    def _payload(self, name="My Key"):
+        return {
+            "id": bytes_to_base64url(b"new-cred"),
+            "rawId": bytes_to_base64url(b"new-cred"),
+            "name": name,
+            "response": {
+                "clientDataJSON": bytes_to_base64url(b"clientdata"),
+                "attestationObject": bytes_to_base64url(b"attestation"),
+                "transports": ["internal"],
+            },
+            "type": "public-key",
+        }
+
+    def test_requires_login(self):
+        self.client.logout()
+        self._set_challenge()
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 302)
+
+    def test_invalid_json_returns_400(self):
+        self._set_challenge()
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data="not-valid-json",
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("error", response.json())
+
+    def test_missing_challenge_returns_400(self):
+        # No challenge placed in session
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("error", response.json())
+
+    @patch("hypha.apply.users.passkey_views.verify_registration_response")
+    def test_successful_registration_saves_passkey(self, mock_verify):
+        mock_verify.return_value = MagicMock(
+            credential_id=b"saved-cred-id",
+            credential_public_key=b"saved-pubkey",
+            sign_count=0,
+        )
+        self._set_challenge()
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps(self._payload(name="My Key")),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.json()["status"], "ok")
+        self.assertEqual(self.user.passkeys.count(), 1)
+        self.assertEqual(self.user.passkeys.first().name, "My Key")
+
+    @patch("hypha.apply.users.passkey_views.verify_registration_response")
+    def test_name_is_truncated_to_128_chars(self, mock_verify):
+        mock_verify.return_value = MagicMock(
+            credential_id=b"cred",
+            credential_public_key=b"pubkey",
+            sign_count=0,
+        )
+        self._set_challenge()
+        long_name = "x" * 200
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps(self._payload(name=long_name)),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(self.user.passkeys.first().name, "x" * 128)
+
+    @patch("hypha.apply.users.passkey_views.verify_registration_response")
+    def test_empty_name_gets_date_default(self, mock_verify):
+        mock_verify.return_value = MagicMock(
+            credential_id=b"cred",
+            credential_public_key=b"pubkey",
+            sign_count=0,
+        )
+        self._set_challenge()
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps(self._payload(name="")),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+        passkey = self.user.passkeys.first()
+        self.assertTrue(passkey.name.startswith("Passkey "))
+
+    @patch("hypha.apply.users.passkey_views.verify_registration_response")
+    def test_verification_failure_returns_400_and_saves_nothing(self, mock_verify):
+        mock_verify.side_effect = Exception("crypto error")
+        self._set_challenge()
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("error", response.json())
+        self.assertEqual(self.user.passkeys.count(), 0)
+
+    def test_challenge_is_consumed_and_cannot_be_replayed(self):
+        """The registration challenge must be single-use."""
+        self._set_challenge()
+        # First call consumes the challenge (will fail verification, that's OK)
+        self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        # Second call with the same payload must fail with "no challenge" error
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("challenge", response.json()["error"].lower())
+
+
+# ---------------------------------------------------------------------------
+# Authentication begin
+# ---------------------------------------------------------------------------
+
+
+@override_settings(RATELIMIT_ENABLE=False)
+class TestPasskeyAuthBegin(TestCase):
+    def test_requires_post(self):
+        response = self.client.get(AUTH_BEGIN_URL)
+        self.assertEqual(response.status_code, 405)
+
+    def test_returns_authentication_options(self):
+        response = self.client.post(AUTH_BEGIN_URL)
+        self.assertEqual(response.status_code, 200)
+        data = response.json()
+        self.assertIn("challenge", data)
+        self.assertIn("rpId", data)
+
+    def test_stores_challenge_in_session(self):
+        self.client.post(AUTH_BEGIN_URL)
+        self.assertIn(SESSION_CHALLENGE_KEY_AUTH, self.client.session)
+
+    def test_accessible_without_login(self):
+        response = self.client.post(AUTH_BEGIN_URL)
+        self.assertEqual(response.status_code, 200)
+
+
+# ---------------------------------------------------------------------------
+# Authentication complete
+# ---------------------------------------------------------------------------
+
+CRED_ID = bytes_to_base64url(b"auth-cred-id")
+PUBKEY = bytes_to_base64url(b"auth-pubkey")
+
+
+@override_settings(RATELIMIT_ENABLE=False)
+class TestPasskeyAuthComplete(TestCase):
+    CHALLENGE = b"test-challenge-auth"
+
+    def setUp(self):
+        self.user = UserFactory()
+        self.passkey = make_passkey(
+            self.user,
+            credential_id=CRED_ID,
+            public_key=PUBKEY,
+            sign_count=0,
+        )
+
+    def _set_challenge(self):
+        set_challenge(self.client, SESSION_CHALLENGE_KEY_AUTH, self.CHALLENGE)
+
+    def _payload(self, **overrides):
+        payload = {
+            "id": CRED_ID,
+            "rawId": CRED_ID,
+            "response": {
+                "clientDataJSON": bytes_to_base64url(b"clientdata"),
+                "authenticatorData": bytes_to_base64url(b"authdata"),
+                "signature": bytes_to_base64url(b"sig"),
+            },
+            "type": "public-key",
+        }
+        payload.update(overrides)
+        return payload
+
+    def test_requires_post(self):
+        response = self.client.get(AUTH_COMPLETE_URL)
+        self.assertEqual(response.status_code, 405)
+
+    def test_invalid_json_returns_400(self):
+        self._set_challenge()
+        response = self.client.post(
+            AUTH_COMPLETE_URL,
+            data="not-json",
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("error", response.json())
+
+    def test_missing_challenge_returns_400(self):
+        response = self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("error", response.json())
+
+    def test_unknown_credential_returns_400(self):
+        self._set_challenge()
+        unknown_id = bytes_to_base64url(b"no-such-cred")
+        response = self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(self._payload(id=unknown_id, rawId=unknown_id)),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("error", response.json())
+
+    @patch("hypha.apply.users.passkey_views.verify_authentication_response")
+    def test_successful_auth_logs_in_user(self, mock_verify):
+        mock_verify.return_value = MagicMock(new_sign_count=1)
+        self._set_challenge()
+        response = self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.json()["status"], "ok")
+        self.assertIn("redirect_url", response.json())
+        self.assertEqual(int(self.client.session["_auth_user_id"]), self.user.pk)
+
+    @patch("hypha.apply.users.passkey_views.verify_authentication_response")
+    def test_successful_auth_sets_passkey_session_flag(self, mock_verify):
+        mock_verify.return_value = MagicMock(new_sign_count=1)
+        self._set_challenge()
+        self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.assertTrue(self.client.session.get("passkey_authenticated"))
+
+    @patch("hypha.apply.users.passkey_views.verify_authentication_response")
+    def test_successful_auth_updates_sign_count(self, mock_verify):
+        mock_verify.return_value = MagicMock(new_sign_count=42)
+        self._set_challenge()
+        self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.passkey.refresh_from_db()
+        self.assertEqual(self.passkey.sign_count, 42)
+
+    @patch("hypha.apply.users.passkey_views.verify_authentication_response")
+    def test_successful_auth_updates_last_used_at(self, mock_verify):
+        mock_verify.return_value = MagicMock(new_sign_count=1)
+        self._set_challenge()
+        self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.passkey.refresh_from_db()
+        self.assertIsNotNone(self.passkey.last_used_at)
+
+    @patch("hypha.apply.users.passkey_views.verify_authentication_response")
+    def test_open_redirect_falls_back_to_login_redirect(self, mock_verify):
+        mock_verify.return_value = MagicMock(new_sign_count=1)
+        self._set_challenge()
+        payload = self._payload()
+        payload["next"] = "https://evil.example.com/steal"
+        response = self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(payload),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+        redirect_url = response.json()["redirect_url"]
+        self.assertNotIn("evil.example.com", redirect_url)
+
+    @patch("hypha.apply.users.passkey_views.verify_authentication_response")
+    def test_valid_next_url_is_passed_through(self, mock_verify):
+        mock_verify.return_value = MagicMock(new_sign_count=1)
+        self._set_challenge()
+        payload = self._payload()
+        payload["next"] = "/apply/"
+        response = self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(payload),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.json()["redirect_url"], "/apply/")
+
+    def test_user_handle_mismatch_returns_400(self):
+        """A userHandle that doesn't match the passkey owner must be rejected."""
+        other_user = UserFactory()
+        # Encode other_user's pk as the handle — view decodes and compares against
+        # str(passkey.user.pk).encode(), which is this user's pk.
+        wrong_handle = bytes_to_base64url(str(other_user.pk).encode())
+        self._set_challenge()
+        payload = self._payload()
+        payload["response"]["userHandle"] = wrong_handle
+        response = self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(payload),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("error", response.json())
+
+    @patch("hypha.apply.users.passkey_views.verify_authentication_response")
+    def test_verification_failure_returns_400(self, mock_verify):
+        mock_verify.side_effect = InvalidAuthenticationResponse("bad signature")
+        self._set_challenge()
+        response = self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("error", response.json())
+
+    def test_challenge_is_consumed_and_cannot_be_replayed(self):
+        """The auth challenge must be single-use (popped from session)."""
+        self._set_challenge()
+        # First call pops the challenge
+        self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        # Second call must fail because challenge is gone
+        response = self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("challenge", response.json()["error"].lower())
+
+
+# ---------------------------------------------------------------------------
+# Passkey list
+# ---------------------------------------------------------------------------
+
+
+class TestPasskeyList(TestCase):
+    def setUp(self):
+        self.user = UserFactory()
+        self.client.force_login(self.user)
+
+    def test_requires_login(self):
+        self.client.logout()
+        response = self.client.get(PASSKEY_LIST_URL)
+        self.assertEqual(response.status_code, 302)
+
+    def test_requires_get(self):
+        response = self.client.post(PASSKEY_LIST_URL)
+        self.assertEqual(response.status_code, 405)
+
+    def test_returns_200_with_no_passkeys(self):
+        response = self.client.get(PASSKEY_LIST_URL)
+        self.assertEqual(response.status_code, 200)
+
+    def test_shows_own_passkeys(self):
+        make_passkey(self.user, name="My MacBook")
+        response = self.client.get(PASSKEY_LIST_URL)
+        self.assertContains(response, "My MacBook")
+
+    def test_does_not_show_other_users_passkeys(self):
+        other = UserFactory()
+        make_passkey(other, name="Someone Elses Key")
+        response = self.client.get(PASSKEY_LIST_URL)
+        self.assertNotContains(response, "Someone Elses Key")
+
+
+# ---------------------------------------------------------------------------
+# Passkey delete
+# ---------------------------------------------------------------------------
+
+
+class TestPasskeyDelete(TestCase):
+    def setUp(self):
+        self.user = UserFactory()
+        self.client.force_login(self.user)
+
+    def test_requires_login(self):
+        self.client.logout()
+        passkey = make_passkey(self.user)
+        url = reverse("users:passkey_delete", args=[passkey.pk])
+        response = self.client.post(url)
+        self.assertEqual(response.status_code, 302)
+
+    def test_deletes_own_passkey(self):
+        passkey = make_passkey(self.user)
+        url = reverse("users:passkey_delete", args=[passkey.pk])
+        response = self.client.post(url)
+        self.assertEqual(response.status_code, 200)
+        self.assertFalse(Passkey.objects.filter(pk=passkey.pk).exists())
+
+    def test_cannot_delete_other_users_passkey(self):
+        other = UserFactory()
+        passkey = make_passkey(other)
+        url = reverse("users:passkey_delete", args=[passkey.pk])
+        response = self.client.post(url)
+        self.assertEqual(response.status_code, 404)
+        self.assertTrue(Passkey.objects.filter(pk=passkey.pk).exists())
+
+    def test_returns_updated_passkey_list_partial(self):
+        passkey = make_passkey(self.user)
+        url = reverse("users:passkey_delete", args=[passkey.pk])
+        response = self.client.post(url)
+        self.assertTemplateUsed(response, "users/partials/list.html")
+
+
+# ---------------------------------------------------------------------------
+# Passkey rename
+# ---------------------------------------------------------------------------
+
+
+class TestPasskeyRename(TestCase):
+    def setUp(self):
+        self.user = UserFactory()
+        self.client.force_login(self.user)
+
+    def test_requires_login(self):
+        self.client.logout()
+        passkey = make_passkey(self.user)
+        url = reverse("users:passkey_rename", args=[passkey.pk])
+        response = self.client.post(url, {"name": "New Name"})
+        self.assertEqual(response.status_code, 302)
+
+    def test_renames_own_passkey(self):
+        passkey = make_passkey(self.user, name="Old Name")
+        url = reverse("users:passkey_rename", args=[passkey.pk])
+        response = self.client.post(url, {"name": "New Name"})
+        self.assertEqual(response.status_code, 200)
+        passkey.refresh_from_db()
+        self.assertEqual(passkey.name, "New Name")
+
+    def test_cannot_rename_other_users_passkey(self):
+        other = UserFactory()
+        passkey = make_passkey(other, name="Original")
+        url = reverse("users:passkey_rename", args=[passkey.pk])
+        response = self.client.post(url, {"name": "Hacked Name"})
+        self.assertEqual(response.status_code, 404)
+        passkey.refresh_from_db()
+        self.assertEqual(passkey.name, "Original")
+
+    def test_whitespace_only_name_is_ignored(self):
+        passkey = make_passkey(self.user, name="Original")
+        url = reverse("users:passkey_rename", args=[passkey.pk])
+        response = self.client.post(url, {"name": "   "})
+        self.assertEqual(response.status_code, 200)
+        passkey.refresh_from_db()
+        self.assertEqual(passkey.name, "Original")
+
+    def test_name_is_trimmed(self):
+        passkey = make_passkey(self.user)
+        url = reverse("users:passkey_rename", args=[passkey.pk])
+        self.client.post(url, {"name": "  Trimmed  "})
+        passkey.refresh_from_db()
+        self.assertEqual(passkey.name, "Trimmed")
+
+    def test_name_is_truncated_to_128_chars(self):
+        passkey = make_passkey(self.user)
+        url = reverse("users:passkey_rename", args=[passkey.pk])
+        self.client.post(url, {"name": "x" * 200})
+        passkey.refresh_from_db()
+        self.assertEqual(passkey.name, "x" * 128)
+
+    def test_returns_updated_passkey_list_partial(self):
+        passkey = make_passkey(self.user)
+        url = reverse("users:passkey_rename", args=[passkey.pk])
+        response = self.client.post(url, {"name": "Updated"})
+        self.assertTemplateUsed(response, "users/partials/list.html")
+
+
+# ---------------------------------------------------------------------------
+# Middleware — passkey_authenticated session flag bypasses ENFORCE_TWO_FACTOR
+# ---------------------------------------------------------------------------
+
+
+@override_settings(ENFORCE_TWO_FACTOR=True)
+class TestPasskeyMiddlewareBypass(TestCase):
+    def test_passkey_session_flag_bypasses_2fa_enforcement(self):
+        user = UserFactory()
+        self.client.force_login(user)
+        session = self.client.session
+        session["passkey_authenticated"] = True
+        session.save()
+
+        # The middleware should let the request through — account page is always accessible.
+        response = self.client.get(reverse("users:account"), follow=True)
+        self.assertNotContains(response, "Permission Denied")
+
+    def test_without_passkey_flag_unverified_user_is_blocked(self):
+        user = UserFactory()
+        self.client.force_login(user)
+        # No passkey_authenticated flag and no OTP device
+
+        response = self.client.get(settings.LOGIN_REDIRECT_URL, follow=True)
+        self.assertContains(response, "Permission Denied")

From f8d5619aa4d7c724c999ce98da489acb81b329f0 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Wed, 22 Apr 2026 08:23:29 +0200
Subject: [PATCH 32/37] Renamed template to passkey-list.html. Made green check
 not look like a button.

---
 hypha/apply/users/passkey_views.py                          | 6 +++---
 .../users/partials/{list.html => passkey-list.html}         | 2 +-
 hypha/apply/users/tests/test_passkey_views.py               | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
 rename hypha/apply/users/templates/users/partials/{list.html => passkey-list.html} (94%)

diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
index 1ce89929a3..fb6facca73 100644
--- a/hypha/apply/users/passkey_views.py
+++ b/hypha/apply/users/passkey_views.py
@@ -308,7 +308,7 @@ def passkey_auth_complete(request):
 @require_GET
 def passkey_list(request):
     passkeys = request.user.passkeys.all()
-    return render(request, "users/partials/list.html", {"passkeys": passkeys})
+    return render(request, "users/partials/passkey-list.html", {"passkeys": passkeys})
 
 
 @login_required
@@ -323,7 +323,7 @@ def passkey_delete(request, pk):
     )
     passkey.delete()
     passkeys = request.user.passkeys.all()
-    return render(request, "users/partials/list.html", {"passkeys": passkeys})
+    return render(request, "users/partials/passkey-list.html", {"passkeys": passkeys})
 
 
 @login_required
@@ -335,4 +335,4 @@ def passkey_rename(request, pk):
         passkey.name = name
         passkey.save(update_fields=["name"])
     passkeys = request.user.passkeys.all()
-    return render(request, "users/partials/list.html", {"passkeys": passkeys})
+    return render(request, "users/partials/passkey-list.html", {"passkeys": passkeys})
diff --git a/hypha/apply/users/templates/users/partials/list.html b/hypha/apply/users/templates/users/partials/passkey-list.html
similarity index 94%
rename from hypha/apply/users/templates/users/partials/list.html
rename to hypha/apply/users/templates/users/partials/passkey-list.html
index d5767f40ee..8c95dcacf8 100644
--- a/hypha/apply/users/templates/users/partials/list.html
+++ b/hypha/apply/users/templates/users/partials/passkey-list.html
@@ -23,7 +23,7 @@
                             data-tippy-content="{% trans 'Click to edit name' %}"
                             required
                         />
-                        <button type="submit" class="transition-all duration-500 border-primary text-primary btn btn-ghost btn-xs" :class="pkcurrent == pkinput && 'border-transparent text-success'" title="{% trans 'Save name' %}">
+                        <button type="submit" class="transition-all duration-500 btn btn-ghost btn-xs" :class="pkcurrent == pkinput ? 'text-success cursor-default border-transparent shadow-none hover:bg-transparent' : 'border-primary text-primary'" title="{% trans 'Save name' %}">
                             {% heroicon_micro "check" class="size-4" aria_hidden=true %}
                         </button>
                     </form>
diff --git a/hypha/apply/users/tests/test_passkey_views.py b/hypha/apply/users/tests/test_passkey_views.py
index 1b7e811b0e..09901a0e11 100644
--- a/hypha/apply/users/tests/test_passkey_views.py
+++ b/hypha/apply/users/tests/test_passkey_views.py
@@ -534,7 +534,7 @@ def test_returns_updated_passkey_list_partial(self):
         passkey = make_passkey(self.user)
         url = reverse("users:passkey_delete", args=[passkey.pk])
         response = self.client.post(url)
-        self.assertTemplateUsed(response, "users/partials/list.html")
+        self.assertTemplateUsed(response, "users/partials/passkey-list.html")
 
 
 # ---------------------------------------------------------------------------
@@ -597,7 +597,7 @@ def test_returns_updated_passkey_list_partial(self):
         passkey = make_passkey(self.user)
         url = reverse("users:passkey_rename", args=[passkey.pk])
         response = self.client.post(url, {"name": "Updated"})
-        self.assertTemplateUsed(response, "users/partials/list.html")
+        self.assertTemplateUsed(response, "users/partials/passkey-list.html")
 
 
 # ---------------------------------------------------------------------------

From b02a2d27d160919739e38ddacb425b4437865c63 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Wed, 22 Apr 2026 17:15:20 +0200
Subject: [PATCH 33/37] Move GOOGLE_OAUTH2 login button last and make login
 pages wider so buttons can be on one row.

---
 hypha/apply/users/templates/users/login.html                | 6 +++---
 .../users/templates/users/passwordless_login_signup.html    | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/hypha/apply/users/templates/users/login.html b/hypha/apply/users/templates/users/login.html
index 91803c144e..868e983ce6 100644
--- a/hypha/apply/users/templates/users/login.html
+++ b/hypha/apply/users/templates/users/login.html
@@ -4,7 +4,7 @@
 {% block title %}{% trans "Log in" %}{% endblock %}
 
 {% block content %}
-    <div class="my-5 max-w-2xl">
+    <div class="my-5 max-w-3xl">
         <div class="px-4 pt-4">
             {% if wizard.steps.current == 'token' %}
                 {% if device.method == 'call' %}
@@ -90,11 +90,11 @@ <h1 class="mb-4 text-h1">
                     <div class="my-8 max-w-xs divider text-fg-muted">{% translate "OR" %}</div>
 
                     <section class="flex-wrap card-actions">
+                        {% include "users/includes/passwordless_login_button.html" %}
+                        {% include "users/includes/passkey_login_button.html" %}
                         {% if GOOGLE_OAUTH2 %}
                             {% include "users/includes/org_login_button.html" %}
                         {% endif %}
-                        {% include "users/includes/passwordless_login_button.html" %}
-                        {% include "users/includes/passkey_login_button.html" %}
                     </section>
 
                 {% else %}
diff --git a/hypha/apply/users/templates/users/passwordless_login_signup.html b/hypha/apply/users/templates/users/passwordless_login_signup.html
index a694ed0b00..6ab1d88846 100644
--- a/hypha/apply/users/templates/users/passwordless_login_signup.html
+++ b/hypha/apply/users/templates/users/passwordless_login_signup.html
@@ -6,7 +6,7 @@
 {% endblock %}
 
 {% block content %}
-    <div class="my-5 max-w-2xl">
+    <div class="my-5 max-w-3xl">
 
         <section class="px-5 pt-4">
             <form class="form form--user-login" method="post" hx-post="./" hx-swap="outerHTML transition:true" hx-target="#main">
@@ -50,11 +50,11 @@ <h1 class="mb-4 text-h1">
                 <div class="my-8 max-w-xs divider text-fg-muted">{% translate "OR" %}</div>
 
                 <section class="flex-wrap card-actions">
+                    {% include "users/includes/password_login_button.html" %}
+                    {% include "users/includes/passkey_login_button.html" %}
                     {% if GOOGLE_OAUTH2 %}
                         {% include "users/includes/org_login_button.html" %}
                     {% endif %}
-                    {% include "users/includes/password_login_button.html" %}
-                    {% include "users/includes/passkey_login_button.html" %}
                 </section>
             </form>
         </section>

From f6ca4bccb2fc418e906649d66e3f846a06610df4 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Wed, 22 Apr 2026 17:24:52 +0200
Subject: [PATCH 34/37] Update migrations after rebase.

---
 .../users/migrations/{0029_passkeys.py => 0030_passkeys.py}     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename hypha/apply/users/migrations/{0029_passkeys.py => 0030_passkeys.py} (95%)

diff --git a/hypha/apply/users/migrations/0029_passkeys.py b/hypha/apply/users/migrations/0030_passkeys.py
similarity index 95%
rename from hypha/apply/users/migrations/0029_passkeys.py
rename to hypha/apply/users/migrations/0030_passkeys.py
index 2ccada79ca..703ff3eff6 100644
--- a/hypha/apply/users/migrations/0029_passkeys.py
+++ b/hypha/apply/users/migrations/0030_passkeys.py
@@ -7,7 +7,7 @@
 
 class Migration(migrations.Migration):
     dependencies = [
-        ("users", "0028_remove_partner_group"),
+        ("users", "0029_alter_confirmaccesstoken_options_and_more"),
     ]
 
     operations = [

From b929a60f92c331d6c25c26db8090d907d1a7fc04 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Fri, 1 May 2026 21:56:15 +0200
Subject: [PATCH 35/37] Fix passkey login button so it mimic password login
 button.

---
 .../users/templates/users/includes/passkey_login_button.html  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hypha/apply/users/templates/users/includes/passkey_login_button.html b/hypha/apply/users/templates/users/includes/passkey_login_button.html
index 1a8bccb22b..2efeada156 100644
--- a/hypha/apply/users/templates/users/includes/passkey_login_button.html
+++ b/hypha/apply/users/templates/users/includes/passkey_login_button.html
@@ -10,8 +10,8 @@
     hidden
     onclick="hypha.passkeys.authenticate()"
 >
-    {% heroicon_micro "key" class="inline size-4" aria_hidden=true %}
-    {% trans "Sign in with passkey" %}
+    {% heroicon_mini "key" size=18 class="opacity-80" aria_hidden=true %}
+    {% trans "Log in with passkey" %}
 </button>
 <p id="passkey-auth-error"
    class="mt-2 text-sm text-error"

From d12a42d3f9e946b0573498b3933d85e3d262a5d0 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Tue, 19 May 2026 14:22:39 +0200
Subject: [PATCH 36/37] Only store valid transports values.

---
 hypha/apply/users/passkey_views.py            | 15 ++++++--
 hypha/apply/users/tests/test_passkey_views.py | 36 +++++++++++++++++++
 2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
index fb6facca73..a08a387737 100644
--- a/hypha/apply/users/passkey_views.py
+++ b/hypha/apply/users/passkey_views.py
@@ -28,6 +28,7 @@
     AuthenticatorAssertionResponse,
     AuthenticatorAttestationResponse,
     AuthenticatorSelectionCriteria,
+    AuthenticatorTransport,
     PublicKeyCredentialDescriptor,
     RegistrationCredential,
     ResidentKeyRequirement,
@@ -72,6 +73,15 @@ def _load_challenge(request, key: str) -> bytes:
     return base64.b64decode(encoded)
 
 
+_VALID_TRANSPORTS = {t.value for t in AuthenticatorTransport}
+
+
+def _clean_transports(raw) -> list[str]:
+    if not isinstance(raw, list):
+        return []
+    return [t for t in raw if isinstance(t, str) and t in _VALID_TRANSPORTS]
+
+
 # ---------------------------------------------------------------------------
 # Registration — requires an authenticated user
 # ---------------------------------------------------------------------------
@@ -131,6 +141,7 @@ def passkey_register_complete(request):
     except PermissionDenied:
         return JsonResponse({"error": _("No active WebAuthn challenge")}, status=400)
 
+    transports = _clean_transports(data.get("response", {}).get("transports"))
     try:
         credential = RegistrationCredential(
             id=data["id"],
@@ -140,7 +151,7 @@ def passkey_register_complete(request):
                 attestation_object=base64url_to_bytes(
                     data["response"]["attestationObject"]
                 ),
-                transports=data["response"].get("transports", []),
+                transports=transports,
             ),
         )
         verification = verify_registration_response(
@@ -168,7 +179,7 @@ def passkey_register_complete(request):
             credential_id=bytes_to_base64url(verification.credential_id),
             public_key=bytes_to_base64url(verification.credential_public_key),
             sign_count=verification.sign_count,
-            transports=data["response"].get("transports", []),
+            transports=transports,
         )
     except Exception:
         logger.warning(
diff --git a/hypha/apply/users/tests/test_passkey_views.py b/hypha/apply/users/tests/test_passkey_views.py
index 09901a0e11..b710c11098 100644
--- a/hypha/apply/users/tests/test_passkey_views.py
+++ b/hypha/apply/users/tests/test_passkey_views.py
@@ -206,6 +206,42 @@ def test_empty_name_gets_date_default(self, mock_verify):
         passkey = self.user.passkeys.first()
         self.assertTrue(passkey.name.startswith("Passkey "))
 
+    @patch("hypha.apply.users.passkey_views.verify_registration_response")
+    def test_unknown_transports_are_filtered_out(self, mock_verify):
+        mock_verify.return_value = MagicMock(
+            credential_id=b"cred",
+            credential_public_key=b"pubkey",
+            sign_count=0,
+        )
+        self._set_challenge()
+        payload = self._payload()
+        payload["response"]["transports"] = ["internal", "junk-value", "usb", 123]
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps(payload),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(self.user.passkeys.first().transports, ["internal", "usb"])
+
+    @patch("hypha.apply.users.passkey_views.verify_registration_response")
+    def test_non_list_transports_is_stored_as_empty_list(self, mock_verify):
+        mock_verify.return_value = MagicMock(
+            credential_id=b"cred",
+            credential_public_key=b"pubkey",
+            sign_count=0,
+        )
+        self._set_challenge()
+        payload = self._payload()
+        payload["response"]["transports"] = "internal"  # not a list
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps(payload),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(self.user.passkeys.first().transports, [])
+
     @patch("hypha.apply.users.passkey_views.verify_registration_response")
     def test_verification_failure_returns_400_and_saves_nothing(self, mock_verify):
         mock_verify.side_effect = Exception("crypto error")

From 338b946b2522b805e7ae3ef67124f562c57f304c Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Tue, 19 May 2026 15:11:46 +0200
Subject: [PATCH 37/37] Disable passkeys in production unless WEBAUTHN_RP_ID is
 set.

---
 .../deployment/production/stand-alone.md      |  5 ++
 hypha/apply/users/passkey_views.py            | 27 ++++++-
 .../apply/users/templates/users/account.html  | 28 ++++---
 hypha/apply/users/templates/users/login.html  | 18 +++--
 .../users/passwordless_login_signup.html      | 18 +++--
 hypha/apply/users/tests/test_passkey_views.py | 80 +++++++++++++++++++
 hypha/core/context_processors.py              |  2 +
 hypha/settings/base.py                        |  7 +-
 hypha/settings/test.py                        |  3 +
 9 files changed, 159 insertions(+), 29 deletions(-)

diff --git a/docs/setup/deployment/production/stand-alone.md b/docs/setup/deployment/production/stand-alone.md
index 2707cc147c..c1785a28fb 100644
--- a/docs/setup/deployment/production/stand-alone.md
+++ b/docs/setup/deployment/production/stand-alone.md
@@ -185,6 +185,11 @@ SERVER_EMAIL:                                  app@example.org
 SEND_MESSAGES:                                 true
 ```
 
+**Passkeys:**
+
+To activate passkeys in production you must set at least `WEBAUTHN_RP_ID` to the relying party domain, e.g. "example.com" (no port, no scheme).
+
+
 **Turn on Hypha features that are off by default:**
 
 ```text
diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
index a08a387737..e226a1ec0b 100644
--- a/hypha/apply/users/passkey_views.py
+++ b/hypha/apply/users/passkey_views.py
@@ -1,13 +1,14 @@
 import base64
 import json
 import logging
+from functools import wraps
 
 from django.conf import settings
 from django.contrib.auth import login
 from django.contrib.auth.decorators import login_required
 from django.core.exceptions import PermissionDenied
 from django.db import transaction
-from django.http import JsonResponse
+from django.http import Http404, JsonResponse
 from django.shortcuts import get_object_or_404, render, resolve_url
 from django.utils import timezone
 from django.utils.http import url_has_allowed_host_and_scheme
@@ -43,6 +44,23 @@
 SESSION_CHALLENGE_KEY_AUTH = "webauthn_challenge_auth"
 
 
+def passkeys_enabled() -> bool:
+    """Passkeys require WEBAUTHN_RP_ID in production. In DEBUG (local/dev)
+    we fall back to the request host so the feature can be exercised locally.
+    """
+    return bool(getattr(settings, "WEBAUTHN_RP_ID", None)) or settings.DEBUG
+
+
+def passkeys_required(view_func):
+    @wraps(view_func)
+    def _wrapped(request, *args, **kwargs):
+        if not passkeys_enabled():
+            raise Http404
+        return view_func(request, *args, **kwargs)
+
+    return _wrapped
+
+
 def _get_rp_id(request):
     rp_id = getattr(settings, "WEBAUTHN_RP_ID", None)
     if rp_id:
@@ -90,6 +108,7 @@ def _clean_transports(raw) -> list[str]:
 MAX_PASSKEYS_PER_USER = 10
 
 
+@passkeys_required
 @login_required
 @require_POST
 @ratelimit(key="user", rate=settings.DEFAULT_RATE_LIMIT, method="POST")
@@ -127,6 +146,7 @@ def passkey_register_begin(request):
     return JsonResponse(json.loads(options_to_json(options)))
 
 
+@passkeys_required
 @login_required
 @require_POST
 @ratelimit(key="user", rate=settings.DEFAULT_RATE_LIMIT, method="POST")
@@ -195,6 +215,7 @@ def passkey_register_complete(request):
 # ---------------------------------------------------------------------------
 
 
+@passkeys_required
 @require_POST
 @ratelimit(key="ip", rate=settings.DEFAULT_RATE_LIMIT, method="POST")
 def passkey_auth_begin(request):
@@ -206,6 +227,7 @@ def passkey_auth_begin(request):
     return JsonResponse(json.loads(options_to_json(options)))
 
 
+@passkeys_required
 @require_POST
 @ratelimit(key="ip", rate=settings.DEFAULT_RATE_LIMIT, method="POST")
 def passkey_auth_complete(request):
@@ -315,6 +337,7 @@ def passkey_auth_complete(request):
 # ---------------------------------------------------------------------------
 
 
+@passkeys_required
 @login_required
 @require_GET
 def passkey_list(request):
@@ -322,6 +345,7 @@ def passkey_list(request):
     return render(request, "users/partials/passkey-list.html", {"passkeys": passkeys})
 
 
+@passkeys_required
 @login_required
 @require_POST
 def passkey_delete(request, pk):
@@ -337,6 +361,7 @@ def passkey_delete(request, pk):
     return render(request, "users/partials/passkey-list.html", {"passkeys": passkeys})
 
 
+@passkeys_required
 @login_required
 @require_POST
 def passkey_rename(request, pk):
diff --git a/hypha/apply/users/templates/users/account.html b/hypha/apply/users/templates/users/account.html
index cd7e1e18d6..2ab33536fe 100644
--- a/hypha/apply/users/templates/users/account.html
+++ b/hypha/apply/users/templates/users/account.html
@@ -93,18 +93,20 @@ <h3 class="mb-2 text-sm font-semibold">
                 {% endif %}
             </p>
 
-            <h3 class="mt-6 mb-2 text-sm font-semibold">{% trans "Passkeys" %}</h3>
-            <p class="mb-2 text-sm text-fg-muted">
-                {% trans "With passkeys you can use your fingerprint, face, or screen lock to login securely without a password." %}
-            </p>
+            {% if PASSKEYS_ENABLED %}
+                <h3 class="mt-6 mb-2 text-sm font-semibold">{% trans "Passkeys" %}</h3>
+                <p class="mb-2 text-sm text-fg-muted">
+                    {% trans "With passkeys you can use your fingerprint, face, or screen lock to login securely without a password." %}
+                </p>
 
-            <div
-                hx-get="{% url 'users:passkey_list' %}"
-                hx-trigger="load"
-                hx-swap="innerHTML"
-            >
-                <div class="w-full h-8 rounded animate-pulse bg-base-300"></div>
-            </div>
+                <div
+                    hx-get="{% url 'users:passkey_list' %}"
+                    hx-trigger="load"
+                    hx-swap="innerHTML"
+                >
+                    <div class="w-full h-8 rounded animate-pulse bg-base-300"></div>
+                </div>
+            {% endif %}
 
             {# Remove the comment block tags below when such need arises. e.g. adding new providers #}
             {% comment %}
@@ -123,5 +125,7 @@ <h3 class="mb-2 text-base">{% trans "Manage OAuth" %}</h3>
 {% endblock %}
 
 {% block extra_js %}
-    <script src="{% static 'js/passkeys.js' %}"></script>
+    {% if PASSKEYS_ENABLED %}
+        <script src="{% static 'js/passkeys.js' %}"></script>
+    {% endif %}
 {% endblock %}
diff --git a/hypha/apply/users/templates/users/login.html b/hypha/apply/users/templates/users/login.html
index 868e983ce6..50e38311cb 100644
--- a/hypha/apply/users/templates/users/login.html
+++ b/hypha/apply/users/templates/users/login.html
@@ -91,7 +91,9 @@ <h1 class="mb-4 text-h1">
 
                     <section class="flex-wrap card-actions">
                         {% include "users/includes/passwordless_login_button.html" %}
-                        {% include "users/includes/passkey_login_button.html" %}
+                        {% if PASSKEYS_ENABLED %}
+                            {% include "users/includes/passkey_login_button.html" %}
+                        {% endif %}
                         {% if GOOGLE_OAUTH2 %}
                             {% include "users/includes/org_login_button.html" %}
                         {% endif %}
@@ -143,12 +145,14 @@ <h1 class="mb-4 text-h1">
 
 {% block extra_js %}
     {{ block.super }}
-    <script src="{% static 'js/passkeys.js' %}"></script>
-    <script>
-        document.addEventListener("DOMContentLoaded", function () {
-            hypha.passkeys.initUI();
-        });
-    </script>
+    {% if PASSKEYS_ENABLED %}
+        <script src="{% static 'js/passkeys.js' %}"></script>
+        <script>
+            document.addEventListener("DOMContentLoaded", function () {
+                hypha.passkeys.initUI();
+            });
+        </script>
+    {% endif %}
     {# Fix copy of dynamic fields label #}
     <script>
         var labelOtpToken = document.querySelector("label[for=id_token-otp_token]");
diff --git a/hypha/apply/users/templates/users/passwordless_login_signup.html b/hypha/apply/users/templates/users/passwordless_login_signup.html
index 6ab1d88846..bb719da7ae 100644
--- a/hypha/apply/users/templates/users/passwordless_login_signup.html
+++ b/hypha/apply/users/templates/users/passwordless_login_signup.html
@@ -51,7 +51,9 @@ <h1 class="mb-4 text-h1">
 
                 <section class="flex-wrap card-actions">
                     {% include "users/includes/password_login_button.html" %}
-                    {% include "users/includes/passkey_login_button.html" %}
+                    {% if PASSKEYS_ENABLED %}
+                        {% include "users/includes/passkey_login_button.html" %}
+                    {% endif %}
                     {% if GOOGLE_OAUTH2 %}
                         {% include "users/includes/org_login_button.html" %}
                     {% endif %}
@@ -62,10 +64,12 @@ <h1 class="mb-4 text-h1">
 {% endblock %}
 
 {% block extra_js %}
-    <script src="{% static 'js/passkeys.js' %}"></script>
-    <script>
-        document.addEventListener("DOMContentLoaded", function () {
-            hypha.passkeys.initUI();
-        });
-    </script>
+    {% if PASSKEYS_ENABLED %}
+        <script src="{% static 'js/passkeys.js' %}"></script>
+        <script>
+            document.addEventListener("DOMContentLoaded", function () {
+                hypha.passkeys.initUI();
+            });
+        </script>
+    {% endif %}
 {% endblock %}
diff --git a/hypha/apply/users/tests/test_passkey_views.py b/hypha/apply/users/tests/test_passkey_views.py
index b710c11098..e54aa2bccf 100644
--- a/hypha/apply/users/tests/test_passkey_views.py
+++ b/hypha/apply/users/tests/test_passkey_views.py
@@ -661,3 +661,83 @@ def test_without_passkey_flag_unverified_user_is_blocked(self):
 
         response = self.client.get(settings.LOGIN_REDIRECT_URL, follow=True)
         self.assertContains(response, "Permission Denied")
+
+
+# ---------------------------------------------------------------------------
+# Production gate — passkeys disabled unless WEBAUTHN_RP_ID is set
+# ---------------------------------------------------------------------------
+
+
+@override_settings(DEBUG=False, WEBAUTHN_RP_ID=None, RATELIMIT_ENABLE=False)
+class TestPasskeysDisabledInProduction(TestCase):
+    """Without WEBAUTHN_RP_ID and DEBUG=False, all passkey views must 404."""
+
+    def setUp(self):
+        self.user = UserFactory()
+
+    def test_auth_begin_returns_404(self):
+        response = self.client.post(AUTH_BEGIN_URL)
+        self.assertEqual(response.status_code, 404)
+
+    def test_auth_complete_returns_404(self):
+        response = self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps({}),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 404)
+
+    def test_register_begin_returns_404(self):
+        self.client.force_login(self.user)
+        response = self.client.post(REGISTER_BEGIN_URL)
+        self.assertEqual(response.status_code, 404)
+
+    def test_register_complete_returns_404(self):
+        self.client.force_login(self.user)
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps({}),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 404)
+
+    def test_passkey_list_returns_404(self):
+        self.client.force_login(self.user)
+        response = self.client.get(PASSKEY_LIST_URL)
+        self.assertEqual(response.status_code, 404)
+
+    def test_passkey_delete_returns_404(self):
+        passkey = make_passkey(self.user)
+        self.client.force_login(self.user)
+        response = self.client.post(reverse("users:passkey_delete", args=[passkey.pk]))
+        self.assertEqual(response.status_code, 404)
+        self.assertTrue(Passkey.objects.filter(pk=passkey.pk).exists())
+
+    def test_passkey_rename_returns_404(self):
+        passkey = make_passkey(self.user, name="Original")
+        self.client.force_login(self.user)
+        response = self.client.post(
+            reverse("users:passkey_rename", args=[passkey.pk]),
+            {"name": "New Name"},
+        )
+        self.assertEqual(response.status_code, 404)
+        passkey.refresh_from_db()
+        self.assertEqual(passkey.name, "Original")
+
+
+@override_settings(DEBUG=True, WEBAUTHN_RP_ID=None, RATELIMIT_ENABLE=False)
+class TestPasskeysEnabledInDev(TestCase):
+    """DEBUG=True falls back to the request host even without WEBAUTHN_RP_ID."""
+
+    def test_auth_begin_works_in_debug_without_rp_id(self):
+        response = self.client.post(AUTH_BEGIN_URL)
+        self.assertEqual(response.status_code, 200)
+
+
+@override_settings(DEBUG=False, WEBAUTHN_RP_ID="example.com", RATELIMIT_ENABLE=False)
+class TestPasskeysEnabledWhenRpIdSet(TestCase):
+    """DEBUG=False with WEBAUTHN_RP_ID set enables passkeys in production."""
+
+    def test_auth_begin_works_in_production_with_rp_id(self):
+        response = self.client.post(AUTH_BEGIN_URL)
+        self.assertEqual(response.status_code, 200)
diff --git a/hypha/core/context_processors.py b/hypha/core/context_processors.py
index e40ebb664c..ac836c4708 100644
--- a/hypha/core/context_processors.py
+++ b/hypha/core/context_processors.py
@@ -1,5 +1,6 @@
 from django.conf import settings
 
+from hypha.apply.users.passkey_views import passkeys_enabled
 from hypha.home.models import ApplyHomePage
 
 
@@ -15,6 +16,7 @@ def global_vars(request):
         "HIDE_IDENTITY_FROM_REVIEWERS": settings.HIDE_IDENTITY_FROM_REVIEWERS,
         "GOOGLE_OAUTH2": settings.SOCIAL_AUTH_GOOGLE_OAUTH2_KEY,
         "ENABLE_PUBLIC_SIGNUP": settings.ENABLE_PUBLIC_SIGNUP,
+        "PASSKEYS_ENABLED": passkeys_enabled(),
         "SENTRY_TRACES_SAMPLE_RATE": settings.SENTRY_TRACES_SAMPLE_RATE,
         "SENTRY_ENVIRONMENT": settings.SENTRY_ENVIRONMENT,
         "SENTRY_DENY_URLS": settings.SENTRY_DENY_URLS,
diff --git a/hypha/settings/base.py b/hypha/settings/base.py
index d29b6a302c..150b28eadc 100644
--- a/hypha/settings/base.py
+++ b/hypha/settings/base.py
@@ -35,15 +35,18 @@
 ENFORCE_TWO_FACTOR = env.bool("ENFORCE_TWO_FACTOR", False)
 
 # WebAuthn / Passkey settings.
+# Passkeys are disabled in production unless WEBAUTHN_RP_ID is set. In local
+# development (DEBUG=True) they fall back to the request host so the feature
+# can be tried without extra configuration.
+#
 # WEBAUTHN_RP_ID: the relying party domain, e.g. "example.com" (no port, no scheme).
-#   Defaults to the request host if not set. OBS! Do not use default in production!
 # WEBAUTHN_ORIGIN: the full origin, e.g. "https://example.com".
 #   Defaults to the request origin if not set.
 # WEBAUTHN_RP_NAME: display name shown in the browser passkey UI.
 #   Defaults to ORG_LONG_NAME.
 WEBAUTHN_RP_ID = env.str("WEBAUTHN_RP_ID", None)
-WEBAUTHN_RP_NAME = env.str("WEBAUTHN_RP_NAME", None)
 WEBAUTHN_ORIGIN = env.str("WEBAUTHN_ORIGIN", None)
+WEBAUTHN_RP_NAME = env.str("WEBAUTHN_RP_NAME", None)
 
 # Set the allowed file extension for all uploads fields.
 FILE_ALLOWED_EXTENSIONS = [
diff --git a/hypha/settings/test.py b/hypha/settings/test.py
index 5ef5b5e01b..177686e237 100644
--- a/hypha/settings/test.py
+++ b/hypha/settings/test.py
@@ -35,6 +35,9 @@
 
 ENFORCE_TWO_FACTOR = False
 
+# Enable passkeys in tests so feature views are exercisable without DEBUG.
+WEBAUTHN_RP_ID = "testserver"
+
 SECURE_SSL_REDIRECT = False
 
 # No async celery workers