Feature Request: Support for Passkeys / FIDO2 YubiKeys / WebAuthn Authentication

Hi Netlify Team,

I’d like to request support for Passkeys (FIDO2 / WebAuthn), including hardware security keys (e.g., YubiKeys), built-in authenticators (Windows Hello, Touch ID), and the ability to register multiple passkeys per account.

Why this matters:

  • Growing phishing/vishing risks: AI-driven phishing and voice cloning attacks are making password + TOTP increasingly vulnerable. Passkeys eliminate password reuse and protect against man-in-the-middle attacks.

  • I have been targeted personally: My developer accounts have been subject to targeted attacks, and I now rely on hardware keys wherever possible. Netlify is currently one of the few major developer platforms I use that does not support passkeys or hardware keys.

  • Competitive landscape:

    • GitHub: supports passkeys and hardware security keys.

    • GitLab: supports WebAuthn.

    • Cloudflare: supports FIDO2-based authentication.

    If Netlify doesn’t add this, it becomes a weaker link in the security chain compared to other dev platforms.

  • Enterprise compliance: Teams building regulated or security-sensitive apps often require phishing-resistant MFA (hardware keys or passkeys) to meet compliance frameworks like NIST 800-63B, FedRAMP, SOC2, and ISO27001.

Benefits for Netlify:

  • Protects users from account takeovers (reducing breach costs and incident response).

  • Positions Netlify as a forward-looking platform keeping pace with industry security standards.

  • Provides a marketing edge: “Netlify supports passkeys for developer accounts.”

I strongly recommend prioritizing passkey/YubiKey support to protect users, teams, and Netlify’s own platform.

Thanks for considering this — happy to provide more details about workflows or threat models where this is critical.

Competitors / Peers Supporting Passkeys & Hardware Keys (WebAuthn / FIDO2)

  • GitHub → Supports passkeys and FIDO2 hardware keys (YubiKey, SoloKey, etc.) for login.

  • GitLab → Supports WebAuthn-based security keys (including YubiKeys) as second factors.

  • Cloudflare → Enforces FIDO2 security keys for team accounts; part of Cloudflare Zero Trust.

  • Vercel → Supports WebAuthn passkeys and security keys for developer logins.

  • Heroku (Salesforce) → Allows WebAuthn-based MFA with hardware security keys.

  • Google Cloud Platform (GCP) → Full passkey and security key support for all accounts.

  • AWS (IAM & Root) → Supports hardware MFA (including WebAuthn keys) for login.

  • Microsoft Azure → Supports passwordless login with passkeys and FIDO2 keys.

  • Okta → Provides passkey + hardware key support for enterprise SSO.

  • 1Password → Has rolled out passkey support internally and for vault access.

This is not on our immediate roadmap due to competing priorities, but we’d also like to have this sooner than later.

Thank you for prioritizing the security of your service.