Add Passkey / FIDO2 Support as means of MFA #14970
Replies: 2 comments
We considered implementing Passkeys, but what I wasn't clear on is whether we should use them as a primary login/signup method, as an alternative to 2FA, or as a replacement for both. I've seen various implementations. I think the recommended path is to replace login only (no reason to prevent users from adding 2FA on top, even though it makes less sense), but I have no strong conviction at this point.
Here's what the FIDO Alliance suggests for those scenarios: adopt a passkey-first (passwordless) primary login, retain optional step-up 2FA, and support both synced passkeys and device-bound WebAuthn security keys.
Scope & Context
We are enabling users to register and use passkeys (FIDO2/WebAuthn) for passwordless sign-in and as a second factor in TwentyCRM. The scope covers the login screen, user Security settings (add/list/remove passkeys), and workspace security policies to optionally enforce passkeys, behind a feature flag for staged rollout. Out of scope for this ticket are desktop-native app packaging and non-WebAuthn hardware integrations beyond standard FIDO2 authenticators.
Current behavior
Users cannot register or use passkeys in TwentyCRM. Authentication relies on existing methods (for example, email/password or SSO), and there are no passkey-related options in the UI.
Login screen has no “Sign in with a passkey” option.
Settings → Security has no “Passkeys” section to add or manage credentials.
Workspace → Security/Policies has no passkey enable/require toggles.
Mobile web/PWA flows do not expose any WebAuthn prompts or passkey actions.