Geekflare is supported by our audience. We may earn affiliate commissions from buying links on this site.
In WordPress Last updated: November 28, 2022
Share on:
Invicti Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

Let’s explore passwordless login for WordPress, a whole new domain the future is heading into.

Passwords will go extinct in the near future. They were meant to bolster security but ended up creating more problems than solutions.

It started with strong passwords, followed by two-factor authentication, adding in extra clicks (read work) nobody wants to deal with.

There is another solution that popped up recently, known as magic links. This will have you enter your username and open the link from the email instead of entering a password.

While it’s safer since you only have to protect the email accounts and leverage that security everywhere else, it’s not the fastest method.

WordPress Passwordless Login

WordPress is simple to use for the average internet user, and all this simplicity comes with an increased security risk. And though you can mandate strong passwords with iThemes Security, the idea is to make it effortless while being secure.

In a nutshell, iThemes Security is a must-have freemium security guard for your WordPress project. It comes as a plugin to help strengthen WordPress security with ease.

While this is an independent guide, it will help if you go through our iThemes Security Pro review first.

In addition to countless features, iThemes Security Pro helps you deploy user-friendly biometric logins to your WordPress website. Ergo, you can use these features with Apple (Touch ID, Face ID), Android (fingerprint, pin, pattern), and Windows (Windows Hello).

If applied, users will have this prompt on the login URL:

passkey login

This gives you an alternate (and simple) way to log in to the WordPress website.

Understanding Passkeys

This method of logging in via passkeys uses the local authentication credentials we already use with the devices we physically own, like a smartphone or a Macbook.

In addition to being the easiest method to unlock WordPress, this is also the most secure.

For instance, there is a slight chance you can give the username and password to a lookalike (aka phishing) WordPress login page. But there are no such loopholes with passkeys.

Passkeys are supported by WebAuthn, a cryptographic authentication that uses a public and private keypair.

Public keys are stored in the cloud, while private keys reside on your local device. So when you fingerprint on the WordPress login page, it knows it’s really you and sends you into the dashboard.

In this case, all you have to protect is your biometrics compared to the username and password, which a cybercriminal could steal with phishing, etc.

And if it makes it any better, the development of WebAuthn has seen the participation of leading tech giants like Google, Microsoft, Mozilla, Yubico, etc.

In short, it’s safe and robust.

Configuring Biometric Login

Though this method deploys extremely sophisticated security, the application is painless.

First, you need the iThemes Pro subscription.

Subsequently, head over to Security > Settings in the WordPress dashboard side panel. Finally, turn on the toggles for Passwordless Login and Passkeys.

wordpress passwordless-login

Without the Passkeys, the login would allow for using magic links. But this will be replaced with the Passkeys if you turn this on, unless you turn both on (discussed later in this section).

Now the admin selects the users for this new login policy. This option lies in the User Groups section of the iThemes Security Pro dashboard.

You can either select from predefined user classes (admins, authors, editors, subscribers, etc.) or create a custom batch with the New Group option.

new-group ithemes security pro

Next, the administrator enforces passwordless login for selected user categories:

enable passwordless-login in ithemes security pro

Notably, you can use both (magic link & passkey) from the Configure > Login Security tab in the iThemes security.

enabling magic link and passwordless login

Now this will prompt the login URL with Email Magic Link or Use Your Passkey:


Clicking the magic link will send a login mail to the registered email address. However, the second method will show an unknown error unless you set the passkey first.

Using Passkeys

The first step for the biometric authentication setup is using the Login with your password, placed beneath the Use Your Passkey button.

As of this writing, I couldn’t find the option to use passwordless with WordPress logins exclusively. So, it’s important to enforce a strong password policy, because a user can still use a weak password otherwise. You can find these options in the User Groups > Features. Besides, the password age can be set at Configure > Login Security > Passwords Requirements.

Once logged in regularly, every user will be prompted to Setup Passkey Login. The Add Passkey will take you to the options based on the local device.

For instance, it sent me to Windows Hello on a Windows 10 PC.

wordpress passkey setup on windows 10

After entering the correct pin, I could log in with just the username and the Windows login pin.

Similarly, one can set up a passkey on Android (or iOS) as well:

wordpress passkey setup on android

Notably, this won’t prompt again if a user opts for the Skip Setup option. In that case, one can set up passkeys in the WordPress user profile section.


Click the Manage Passkeys at the bottom, followed by Add a Passkey to begin the setup.

The Future is Passwordless!

Undoubtedly, it’s the future. Going Passwordless (in WordPress) is the safest and the most hassle-free form of authentication available right now.

While you have to set up passkeys for each device you own, this one-time work is worth it for all future logins.

So this wraps up the biometric login with iThemes Security Pro. Although its free version is good, the features I illustrated are part of its premium plan, which you can subscribe to without any risk with its money-back guarantee.

PS: Backups are crucial for any website, and WordPress projects are no different. Check out how to do this with another iThemes product–Backupbuddy.

  • Hitesh Sant
    Hitesh works as a senior writer at Geekflare and dabbles in cybersecurity, productivity, games, and marketing. Besides, he holds master’s in transportation engineering. His free time is mostly about playing with his son, reading, or lying… read more
Thanks to our Sponsors
More great readings on WordPress
Power Your Business
Some of the tools and services to help your business grow.
  • Invicti uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities and generate actionable results within just hours.
    Try Invicti
  • Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.
    Try Brightdata
  • is an all-in-one work OS to help you manage projects, tasks, work, sales, CRM, operations, workflows, and more.
    Try Monday
  • Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.
    Try Intruder