Traditional logins with usernames and passwords are often targeted by brute-force attacks, phishing, and credential stuffing. That’s where Passkeys come in: a modern, phishing-resistant authentication method that has been gaining traction for its usability and strength.
Really Simple Security Pro includes Passkey support to allow site administrators to enable (or enforce) passkey-based logins on WordPress, replacing the need for traditional passwords. This can be enforced per user role: for instance, you can require Passkeys for Administrator and Editor roles only.
But Really Simple Security also comes with a Limit Login Attempts (LLA) feature that blocks repeated failed username/password guesses. Does LLA also apply to passkey-based login attempts? The short answer is no: we have intentionally designed the plugin so that LLA is not enforced for Passkey logins. But why?
Passkeys are public-key credentials. The private key is generated and held by an authenticator (a hardware security key, or the platform authenticator built into a phone or laptop, typically unlocked with a PIN or biometric) and never leaves it; the server stores only the corresponding public key. Where a PIN or biometric gates the authenticator, the authenticator itself limits wrong attempts and locks after a few of them, but that protects against someone holding the device. The protection against remote guessing comes from the protocol: every login is a challenge-response in which the authenticator signs a fresh, random challenge generated by the server.
An attacker who does not have physical access to the authenticator (and its PIN or biometric) therefore has no feasible path to success by guessing or automated submission: there is no secret to guess, and a forged signature will not verify against the stored public key. Because the challenge is random and single-use, a captured response cannot be replayed against a later login either. These properties are part of the WebAuthn/FIDO2 standard on which passkeys are built, not the result of the server counting attempts.
Adding server-side LLA on top of this would be redundant: it does not enhance security beyond what the authenticator and the protocol already provide.
By excluding Passkey logins from LLA, Really Simple Security prioritises both security and usability. Administrators can focus on enforcing passkeys where it matters most, confident that the underlying technology handles the heavy lifting. Note that LLA still applies to the password login path: for roles where passkeys are enabled but not enforced, users can still sign in with a password, and those attempts remain subject to LLA. To get started with modernising your WordPress site's authentication, check out our setup guide here: https://really-simple-ssl.com/instructions/two-factor-authentication/#enabling-login-authentication