HCS.Passwordless.WebAuthn 2.0.2

.NET 10.0

dotnet add package HCS.Passwordless.WebAuthn --version 2.0.2

NuGet\Install-Package HCS.Passwordless.WebAuthn -Version 2.0.2

This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.

<PackageReference Include="HCS.Passwordless.WebAuthn" Version="2.0.2" />

For projects that support PackageReference, copy this XML node into the project file to reference the package.

<PackageVersion Include="HCS.Passwordless.WebAuthn" Version="2.0.2" />
                    

                            Directory.Packages.props

<PackageReference Include="HCS.Passwordless.WebAuthn" />
                    

                            Project file

For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.

paket add HCS.Passwordless.WebAuthn --version 2.0.2

The NuGet Team does not provide support for this client. Please contact its maintainers for support.

#r "nuget: HCS.Passwordless.WebAuthn, 2.0.2"

#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.

#:package HCS.Passwordless.WebAuthn@2.0.2

#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.

#addin nuget:?package=HCS.Passwordless.WebAuthn&version=2.0.2
                    

                            Install as a Cake Addin

#tool nuget:?package=HCS.Passwordless.WebAuthn&version=2.0.2
                    

                            Install as a Cake Tool

The NuGet Team does not provide support for this client. Please contact its maintainers for support.

HCS.Passwordless.WebAuthn

WebAuthn / FIDO2 passkey add-on for HCS.Passwordless. Enables hardware-backed biometric or security-key authentication for Umbraco members using the browser's Credential Management API.

Requirements

Umbraco 17.3.5 or later ([17.3.5, 18.0.0))
A browser that supports WebAuthn (all modern browsers)
HCS.Passwordless.Core is pulled in automatically as a transitive dependency

Installation

dotnet add package HCS.Passwordless.WebAuthn

Setup

1. Register (`Program.cs`)

builder.CreateUmbracoBuilder()
    .AddBackOffice()
    .AddWebsite()
    .AddPasswordlessWebAuthn()
    .Build();

2. Configure (`appsettings.json`)

{
  "HCS": {
    "Authentication": {
      "WebAuthn": {
        "Enabled": true,
        "RpName": "My Site",
        "Origins": [ "https://example.com" ]
      }
    }
  }
}

Important: Origins must exactly match the origin of the site as seen by the browser, including scheme and port.

3. Add passkey UI partials

@* Sign-in *@
@await Html.PartialAsync("Passwordless/PasskeySignInButton")

@* On a member profile/settings page: *@
@await Html.PartialAsync("Passwordless/PasskeyRegisterButton")
@await Html.PartialAsync("Passwordless/PasskeyCredentialList")

Configuration Options

`HCS:Authentication:WebAuthn`

Key	Type	Default	Description
`Enabled`	bool	`false`	Enable/disable WebAuthn flow
`RpName`	string	`Umbraco Site`	Relying party display name shown to the user
`Origins`	string[]	`[]`	Allowed origins (must match browser origin exactly)

Endpoints

Method	Path	Description
`POST`	`/auth/webauthn/register/options`	Get registration challenge
`POST`	`/auth/webauthn/register/complete`	Complete credential registration
`POST`	`/auth/webauthn/signin/options`	Get authentication challenge
`POST`	`/auth/webauthn/signin/complete`	Complete authentication and sign in
`GET`	`/auth/webauthn/credentials`	List member's registered credentials
`PATCH`	`/auth/webauthn/credentials/{id}`	Rename a credential
`DELETE`	`/auth/webauthn/credentials/{id}`	Remove a credential

Database Migration

The package adds a MemberCredential table to the Umbraco database via Umbraco's migration system. This runs automatically on startup.

Security Notes

Challenge state is stored in distributed cache and is single-use.
Counter regression (a credential reporting a lower sign-count than previously recorded) triggers a PasskeyCounterRegressionNotification so the site can alert the member of a potential cloned authenticator.
WebAuthn requires HTTPS in production. localhost is allowed for development.

Replacing Services

Interface	Default	Purpose
`IWebAuthnChallengeStore`	Distributed cache implementation	Store WebAuthn challenges
`IMemberCredentialStore`	`UmbracoDbMemberCredentialStore`	Persist credentials in Umbraco DB

Product	Compatible and additional computed target framework versions.
.NET	net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed.

Compatible target framework(s)

Included target framework(s) (in package)

Learn more about Target Frameworks and .NET Standard.

net10.0
- Fido2.AspNet (>= 4.0.1)
- HCS.Passwordless.Core (>= 2.0.2)
- MailKit (>= 4.16.0)
- System.Security.Cryptography.Xml (>= 10.0.7)
- Umbraco.Cms.Core (>= 17.3.5 && < 18.0.0)
- Umbraco.Cms.Infrastructure (>= 17.3.5 && < 18.0.0)
- Umbraco.Cms.Web.Common (>= 17.3.5 && < 18.0.0)
- Umbraco.Cms.Web.Website (>= 17.3.5 && < 18.0.0)

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version	Downloads	Last Updated
2.0.2	77	5/18/2026
2.0.1	92	5/18/2026
2.0.0	79	5/18/2026
2.0.0-beta002	82	5/18/2026
2.0.0-beta001	71	5/18/2026
1.0.1	78	5/18/2026
1.0.0	77	5/18/2026
1.0.0-beta002	73	5/18/2026
1.0.0-beta001	72	5/18/2026