Are you confused by the “Web Authentication” option on the Joomla 4.x login screen? I saw this question posted on The Joomla Forum™:

I want to hide the button for “web authentication” on the front end on the login page. [If I login normally and go to the user profile page I see] “W3C Web Authentication (WebAuthn) Login-W3C Web Authentication (WebAuthn) Login. No WebAuthn authenticator has been set up yet” I think it is confusing for a novice who tries to log in. How do I hide it?forum user, Joomla Forum, 25-Nov-2021

The following points need to be kept in mind:

  1. People will not see the “web authentication” option on the login page unless the website uses HTTPS with a valid security certificate.  If you have just created a J! 4.x website using Wampserver for example, you may not see the option at all.
  2. The feature is not supported by all web browsers.
  3. The feature was not present in J! 4.0; the feature was added in J! 4.1.
  4. The feature is always present (even if you or your website users do not require it).
  5. In order to use the feature, you need to set up a “WebAuthn authenticator”.  What’s that, you may ask?  You can read all about it at WebAuthn Passwordless Login.

Does all of this sound complicated?  Do I need it?  Relax.

A few words about passwordless login

When you read the discussions on the internet about secure logins, there’s little disagreement among the experts that it has become increasingly difficult for people to use long, complicated passwords.  Every time you sign up to a new web-based service you’re asked to enter your details consisting of your name, your email address and password (as a minimum); these services often ask you to use a password consisting of mixed-case letters, number and symbols.  Some of these services will generate a password “suggestion” for you.  For example, one of the websitesIt does not matter if the website is a Joomla one. I used has a password generator that created 4x72&C3Tt$nf … try remembering that!  Anyway, my point is that it becomes increasingly more difficult to remember all these different passwords—even if you write them down in a book or used some other technique to store them—and if you lose those things … well, that could be a bigger problem, couldn’t it?

Some high security systems may require biometric checking (e.g. a fingerprint, voice-recognition, retina scan or a combination of them).  Certainly there may be additional security requirements involved depending on the level of sensitivity of the data stored on those systems.  Regardless of these matters, that's when passwordless logins play a part.  If your J! website does not contain highly sensitive information that requires additional authentication—over and above having to enter a complicated 12-character password comprising letters and numbers—then any further discussion about passwordless logins may not be for youYou can learn more about passwordless logins at The Truth about Passwordless Authentication: what it is and how it works..

As far as J! is concerned, a new feature was added to J! 4.1 that installs a plugin and enables the plugin by default.  If you don’t know about how to set up passwordless login authentication, this article is for you.

How to disable the “Web Authentication” (passwordless) login

The ability to use passwordless logins is not for every websiteThis website doesn’t use the feature..  As we observed at the beginning of this article, the option to use this feature exists only in a limited range of situations:  HTTPS with a valid security certificate and browser support for it; data sensistivity.  Even though the feature is enabled by default on J! 4.xWhere x ≥ 1. websites it takes a few seconds to disable it.

To disable the “Web Authentication” feature, go to Home Dashboard » Plugins in the backend, search for the System - WebAuthn Passwordless Login plugin and disable it.

No comments

Comments are closed

The comments for this content have been closed automatically; it's been a while since it was published.