feat: Passkey (WebAuthn) login (#1111)

* feat(auth): passkey (WebAuthn) login — server endpoints, schema + admin toggle Add @simplewebauthn/server registration and primary (discoverable) login ceremonies under /api/auth/passkey, a webauthn_credentials + single-use webauthn_challenges schema (migration), the instance-wide passkey_login toggle (default off) enforced before auth by a guard, and require_mfa satisfaction via a verified passkey. RP ID/origin come only from server config (webauthn_rp_id/origins -> APP_URL), never request headers. * feat(auth): passkey enrolment, login button + admin settings UI PasskeysSection in account settings (add/rename/remove with a current-password step-up), a 'Sign in with a passkey' button on the login page, the admin enable + RP-ID/origins controls, and a per-user admin reset action. * i18n(auth): passkey strings across all locales Add login/settings/admin passkey keys to en and all 19 translated locales.
2026-06-19 13:21:46 +00:00 · 2026-06-05 18:54:13 +02:00
parent 247433fb2a
commit a876fb2634
83 changed files with 2421 additions and 8 deletions
@@ -26,6 +26,7 @@
    "@fontsource/geist-sans": "^5.2.5",
    "@fontsource/poppins": "^5.2.7",
    "@react-pdf/renderer": "^4.5.1",
+    "@simplewebauthn/browser": "^13.1.2",
    "@trek/shared": "*",
    "axios": "^1.6.7",
    "dexie": "^4.4.2",
@@ -261,6 +261,24 @@ export const authApi = {
    create: (name: string) => apiClient.post('/auth/mcp-tokens', { name } satisfies McpTokenCreateRequest).then(r => r.data),
    delete: (id: number) => apiClient.delete(`/auth/mcp-tokens/${id}`).then(r => r.data),
  },
+  passkey: {
+    registerOptions: (password: string) => apiClient.post('/auth/passkey/register/options', { password }).then(r => r.data),
+    registerVerify: (attestationResponse: unknown, name?: string) => apiClient.post('/auth/passkey/register/verify', { attestationResponse, name }).then(r => r.data),
+    loginOptions: () => apiClient.post('/auth/passkey/login/options', {}).then(r => r.data),
+    loginVerify: (assertionResponse: unknown) => apiClient.post('/auth/passkey/login/verify', { assertionResponse }).then(r => r.data as { token: string; user: Record<string, unknown> }),
+    list: () => apiClient.get('/auth/passkey/credentials').then(r => r.data as { credentials: PasskeyCredential[] }),
+    rename: (id: number, name: string) => apiClient.patch(`/auth/passkey/credentials/${id}`, { name }).then(r => r.data),
+    delete: (id: number, password: string) => apiClient.delete(`/auth/passkey/credentials/${id}`, { data: { password } }).then(r => r.data),
+  },
+}
+
+export interface PasskeyCredential {
+  id: number
+  name: string | null
+  device_type: string | null
+  backed_up: boolean
+  created_at: string
+  last_used_at: string | null
 }

 export const oauthApi = {
@@ -414,6 +432,7 @@ export const adminApi = {
  createUser: (data: Record<string, unknown>) => apiClient.post('/admin/users', data).then(r => r.data),
  updateUser: (id: number, data: Record<string, unknown>) => apiClient.put(`/admin/users/${id}`, data).then(r => r.data),
  deleteUser: (id: number) => apiClient.delete(`/admin/users/${id}`).then(r => r.data),
+  resetUserPasskeys: (id: number) => apiClient.delete(`/admin/users/${id}/passkeys`).then(r => r.data),
  stats: () => apiClient.get('/admin/stats').then(r => r.data),
  saveDemoBaseline: () => apiClient.post('/admin/save-demo-baseline').then(r => r.data),
  getOidc: () => apiClient.get('/admin/oidc').then(r => r.data),
@@ -8,6 +8,7 @@ import { authApi, adminApi } from '../../api/client'
 import { getApiErrorMessage } from '../../types'
 import type { UserWithOidc } from '../../types'
 import Section from './Section'
+import PasskeysSection from './PasskeysSection'

 const MFA_BACKUP_SESSION_KEY = 'trek_mfa_backup_codes_pending'

@@ -395,6 +396,9 @@ export default function AccountTab(): React.ReactElement {
          </div>
        </div>

+        {/* Passkeys */}
+        <PasskeysSection demoMode={demoMode} />
+
        {/* Avatar */}
        <div className="flex items-center gap-4">
          <div style={{ position: 'relative', flexShrink: 0 }}>
@@ -0,0 +1,271 @@
+import React, { useEffect, useState } from 'react'
+import { Fingerprint, Plus, Trash2, Pencil, Check, X } from 'lucide-react'
+import { startRegistration } from '@simplewebauthn/browser'
+import { useTranslation } from '../../i18n'
+import { useToast } from '../shared/Toast'
+import { authApi, type PasskeyCredential } from '../../api/client'
+import { getApiErrorMessage } from '../../types'
+
+/** Parse a SQLite UTC timestamp ("YYYY-MM-DD HH:MM:SS") into a local date string. */
+function fmtDate(ts: string | null): string | null {
+  if (!ts) return null
+  const iso = ts.includes('T') ? ts : ts.replace(' ', 'T')
+  const d = new Date(iso.endsWith('Z') ? iso : iso + 'Z')
+  return Number.isNaN(d.getTime()) ? null : d.toLocaleDateString()
+}
+
+/** True when the browser cancellation / no-matching-credential DOMExceptions fire. */
+function isWebauthnAbort(err: unknown): boolean {
+  const name = (err as { name?: string })?.name
+  return name === 'NotAllowedError' || name === 'AbortError'
+}
+
+/**
+ * Passkey enrolment + management. Mirrors the MFA block: list / add (with a
+ * password step-up + the WebAuthn ceremony) / rename / delete (password step-up).
+ * The "Add a passkey" action only appears when the instance toggle is on AND a
+ * usable RP ID resolves; the existing-credential list stays reachable even when
+ * the feature is later disabled so users can always clean up.
+ */
+export default function PasskeysSection({ demoMode }: { demoMode?: boolean }): React.ReactElement | null {
+  const { t } = useTranslation()
+  const toast = useToast()
+
+  const [enabled, setEnabled] = useState(false)
+  const [configured, setConfigured] = useState(false)
+  const [creds, setCreds] = useState<PasskeyCredential[]>([])
+  const [loading, setLoading] = useState(true)
+  const [busy, setBusy] = useState(false)
+
+  const [addOpen, setAddOpen] = useState(false)
+  const [addPwd, setAddPwd] = useState('')
+  const [addName, setAddName] = useState('')
+
+  const [renamingId, setRenamingId] = useState<number | null>(null)
+  const [renameVal, setRenameVal] = useState('')
+
+  const [deletingId, setDeletingId] = useState<number | null>(null)
+  const [deletePwd, setDeletePwd] = useState('')
+
+  const refresh = () => {
+    authApi.passkey.list()
+      .then(r => setCreds(r.credentials))
+      .catch(() => {})
+      .finally(() => setLoading(false))
+  }
+
+  useEffect(() => {
+    authApi.getAppConfig?.()
+      .then(c => { setEnabled(!!c?.passkey_login); setConfigured(!!c?.passkey_configured) })
+      .catch(() => {})
+    refresh()
+  }, [])
+
+  const canAdd = enabled && configured
+
+  const handleAdd = async () => {
+    if (!addPwd) { toast.error(t('settings.passkey.passwordRequired')); return }
+    setBusy(true)
+    try {
+      const options = await authApi.passkey.registerOptions(addPwd)
+      const attResp = await startRegistration({ optionsJSON: options })
+      await authApi.passkey.registerVerify(attResp, addName.trim() || undefined)
+      toast.success(t('settings.passkey.addedToast'))
+      setAddOpen(false); setAddPwd(''); setAddName('')
+      refresh()
+    } catch (err: unknown) {
+      if (isWebauthnAbort(err)) toast.error(t('settings.passkey.cancelled'))
+      else toast.error(getApiErrorMessage(err, t('settings.passkey.addError')))
+    } finally {
+      setBusy(false)
+    }
+  }
+
+  const handleRename = async (id: number) => {
+    const name = renameVal.trim()
+    if (!name) { setRenamingId(null); return }
+    try {
+      await authApi.passkey.rename(id, name)
+      setRenamingId(null)
+      refresh()
+    } catch (err: unknown) {
+      toast.error(getApiErrorMessage(err, t('common.error')))
+    }
+  }
+
+  const handleDelete = async (id: number) => {
+    if (!deletePwd) { toast.error(t('settings.passkey.passwordRequired')); return }
+    setBusy(true)
+    try {
+      await authApi.passkey.delete(id, deletePwd)
+      toast.success(t('settings.passkey.deleted'))
+      setDeletingId(null); setDeletePwd('')
+      refresh()
+    } catch (err: unknown) {
+      toast.error(getApiErrorMessage(err, t('common.error')))
+    } finally {
+      setBusy(false)
+    }
+  }
+
+  if (demoMode) return null
+  // Nothing to show: feature off and the user has no credentials to manage.
+  if (!loading && !enabled && creds.length === 0) return null
+
+  return (
+    <div className="pt-4 mt-4 border-t border-edge-secondary">
+      <div className="flex items-center gap-2 mb-3">
+        <Fingerprint className="w-5 h-5 text-content-secondary" />
+        <h3 className="font-semibold text-base m-0 text-content">{t('settings.passkey.title')}</h3>
+      </div>
+      <div className="space-y-3">
+        <p className="text-sm m-0 text-content-muted" style={{ lineHeight: 1.5 }}>{t('settings.passkey.description')}</p>
+
+        {enabled && !configured && (
+          <p className="text-sm m-0 text-amber-700">{t('settings.passkey.notConfigured')}</p>
+        )}
+
+        {creds.length > 0 && (
+          <ul className="space-y-2 list-none p-0 m-0">
+            {creds.map(c => (
+              <li key={c.id} className="flex items-center gap-3 p-3 rounded-lg border border-edge bg-surface-card">
+                <Fingerprint className="w-4 h-4 flex-shrink-0 text-content-secondary" />
+                <div className="flex-1 min-w-0">
+                  {renamingId === c.id ? (
+                    <div className="flex items-center gap-2">
+                      <input
+                        autoFocus
+                        type="text"
+                        value={renameVal}
+                        onChange={e => setRenameVal(e.target.value)}
+                        onKeyDown={e => { if (e.key === 'Enter') handleRename(c.id); if (e.key === 'Escape') setRenamingId(null) }}
+                        className="flex-1 px-2 py-1 border border-slate-300 rounded text-sm"
+                      />
+                      <button type="button" onClick={() => handleRename(c.id)} className="p-1 text-emerald-600" aria-label={t('common.save')}><Check size={16} /></button>
+                      <button type="button" onClick={() => setRenamingId(null)} className="p-1 text-content-muted" aria-label={t('common.cancel')}><X size={16} /></button>
+                    </div>
+                  ) : (
+                    <>
+                      <div className="flex items-center gap-2">
+                        <span className="text-sm font-medium text-content truncate">{c.name || t('settings.passkey.defaultName')}</span>
+                        <span className="text-[10px] font-medium px-2 py-0.5 rounded-full bg-surface-hover text-content-secondary">
+                          {c.backed_up ? t('settings.passkey.synced') : t('settings.passkey.deviceBound')}
+                        </span>
+                      </div>
+                      <p className="text-xs m-0 mt-0.5 text-content-faint">
+                        {t('settings.passkey.added')}: {fmtDate(c.created_at) || '—'}
+                        {' · '}
+                        {c.last_used_at
+                          ? `${t('settings.passkey.lastUsed')}: ${fmtDate(c.last_used_at)}`
+                          : t('settings.passkey.neverUsed')}
+                      </p>
+                    </>
+                  )}
+                </div>
+                {renamingId !== c.id && (
+                  <div className="flex items-center gap-1 flex-shrink-0">
+                    <button
+                      type="button"
+                      onClick={() => { setRenamingId(c.id); setRenameVal(c.name || '') }}
+                      className="p-1.5 rounded text-content-muted hover:text-content"
+                      aria-label={t('settings.passkey.rename')}
+                    >
+                      <Pencil size={14} />
+                    </button>
+                    <button
+                      type="button"
+                      onClick={() => { setDeletingId(c.id); setDeletePwd('') }}
+                      className="p-1.5 rounded text-red-500 hover:bg-red-50"
+                      aria-label={t('common.delete')}
+                    >
+                      <Trash2 size={14} />
+                    </button>
+                  </div>
+                )}
+              </li>
+            ))}
+          </ul>
+        )}
+
+        {/* Delete confirmation (password step-up) */}
+        {deletingId !== null && (
+          <div className="space-y-2 p-3 rounded-lg border border-red-200 bg-red-50/40">
+            <p className="text-sm font-medium m-0 text-content">{t('settings.passkey.deleteConfirm')}</p>
+            <input
+              type="password"
+              value={deletePwd}
+              onChange={e => setDeletePwd(e.target.value)}
+              placeholder={t('settings.currentPassword')}
+              className="w-full px-3 py-2 border border-slate-300 rounded-lg text-sm"
+            />
+            <div className="flex gap-2">
+              <button
+                type="button"
+                disabled={busy || !deletePwd}
+                onClick={() => handleDelete(deletingId)}
+                className="px-4 py-2 rounded-lg text-sm font-medium text-red-600 border border-red-200 hover:bg-red-50 disabled:opacity-50"
+              >
+                {t('common.delete')}
+              </button>
+              <button
+                type="button"
+                onClick={() => { setDeletingId(null); setDeletePwd('') }}
+                className="px-4 py-2 rounded-lg text-sm border border-edge text-content-secondary"
+              >
+                {t('common.cancel')}
+              </button>
+            </div>
+          </div>
+        )}
+
+        {/* Add a passkey */}
+        {canAdd && (addOpen ? (
+          <div className="space-y-2 p-3 rounded-lg border border-edge bg-surface-hover">
+            <p className="text-sm font-medium m-0 text-content">{t('settings.passkey.addTitle')}</p>
+            <p className="text-xs m-0 text-content-muted">{t('settings.passkey.passwordPrompt')}</p>
+            <input
+              type="password"
+              value={addPwd}
+              onChange={e => setAddPwd(e.target.value)}
+              placeholder={t('settings.currentPassword')}
+              className="w-full px-3 py-2 border border-slate-300 rounded-lg text-sm"
+            />
+            <input
+              type="text"
+              value={addName}
+              onChange={e => setAddName(e.target.value)}
+              placeholder={t('settings.passkey.namePlaceholder')}
+              className="w-full px-3 py-2 border border-slate-300 rounded-lg text-sm"
+            />
+            <div className="flex gap-2">
+              <button
+                type="button"
+                disabled={busy || !addPwd}
+                onClick={handleAdd}
+                className="px-4 py-2 bg-slate-900 text-white rounded-lg text-sm hover:bg-slate-700 disabled:opacity-50"
+              >
+                {busy ? <div className="w-4 h-4 border-2 border-white/30 border-t-white rounded-full animate-spin" /> : t('settings.passkey.add')}
+              </button>
+              <button
+                type="button"
+                onClick={() => { setAddOpen(false); setAddPwd(''); setAddName('') }}
+                className="px-4 py-2 rounded-lg text-sm border border-edge text-content-secondary"
+              >
+                {t('common.cancel')}
+              </button>
+            </div>
+          </div>
+        ) : (
+          <button
+            type="button"
+            onClick={() => setAddOpen(true)}
+            className="flex items-center gap-2 px-4 py-2 rounded-lg text-sm font-medium transition-colors border border-edge bg-surface-card text-content"
+          >
+            <Plus size={14} />
+            {t('settings.passkey.add')}
+          </button>
+        ))}
+      </div>
+    </div>
+  )
+}
@@ -1,6 +1,6 @@
 import React from 'react'
 import { SUPPORTED_LANGUAGES, useTranslation } from '../i18n'
-import { Plane, Eye, EyeOff, Mail, Lock, MapPin, Calendar, Package, User, Globe, Zap, Users, Wallet, Map, CheckSquare, BookMarked, FolderOpen, Route, Shield, KeyRound, ChevronDown } from 'lucide-react'
+import { Plane, Eye, EyeOff, Mail, Lock, MapPin, Calendar, Package, User, Globe, Zap, Users, Wallet, Map, CheckSquare, BookMarked, FolderOpen, Route, Shield, KeyRound, ChevronDown, Fingerprint } from 'lucide-react'
 import { useLogin } from './login/useLogin'

 export default function LoginPage(): React.ReactElement {
@@ -15,9 +15,13 @@ export default function LoginPage(): React.ReactElement {
    showTakeoff, mfaStep, setMfaStep, mfaToken, setMfaToken, mfaCode, setMfaCode,
    passwordChangeStep, newPassword, setNewPassword, confirmPassword, setConfirmPassword,
    noRedirect, showRegisterOption, oidcOnly,
-    handleDemoLogin, handleSubmit,
+    handleDemoLogin, handleSubmit, handlePasskeyLogin,
  } = useLogin()

+  const oidcButtonShown = !!(appConfig?.oidc_configured && appConfig?.oidc_login && !oidcOnly)
+  const passkeyAvailable = !!(appConfig?.passkey_login && appConfig?.passkey_configured && !oidcOnly
+    && mode === 'login' && !mfaStep && !passwordChangeStep)
+
  const inputBase: React.CSSProperties = {
    width: '100%', padding: '11px 12px 11px 40px', border: '1px solid #e5e7eb',
    borderRadius: 12, fontSize: 14, fontFamily: 'inherit', outline: 'none',
@@ -636,6 +640,36 @@ export default function LoginPage(): React.ReactElement {
            </>
          )}

+          {/* Passkey login button (instance toggle on + a usable RP ID resolves) */}
+          {passkeyAvailable && (
+            <>
+              {!oidcButtonShown && (
+                <div style={{ display: 'flex', alignItems: 'center', gap: 12, marginTop: 16 }}>
+                  <div style={{ flex: 1, height: 1, background: '#e5e7eb' }} />
+                  <span style={{ fontSize: 12, color: '#9ca3af' }}>{t('common.or')}</span>
+                  <div style={{ flex: 1, height: 1, background: '#e5e7eb' }} />
+                </div>
+              )}
+              <button type="button" onClick={handlePasskeyLogin} disabled={isLoading}
+                style={{
+                  marginTop: 12, width: '100%', padding: '12px',
+                  background: 'white', color: '#374151',
+                  border: '1px solid #d1d5db', borderRadius: 12,
+                  fontSize: 14, fontWeight: 600, cursor: isLoading ? 'default' : 'pointer',
+                  fontFamily: 'inherit', display: 'flex', alignItems: 'center', justifyContent: 'center', gap: 8,
+                  opacity: isLoading ? 0.7 : 1,
+                  transition: 'background 180ms cubic-bezier(0.23,1,0.32,1), border-color 180ms cubic-bezier(0.23,1,0.32,1)',
+                  boxSizing: 'border-box',
+                }}
+                onMouseEnter={(e: React.MouseEvent<HTMLButtonElement>) => { if (!isLoading) { e.currentTarget.style.background = '#f9fafb'; e.currentTarget.style.borderColor = '#9ca3af' } }}
+                onMouseLeave={(e: React.MouseEvent<HTMLButtonElement>) => { e.currentTarget.style.background = 'white'; e.currentTarget.style.borderColor = '#d1d5db' }}
+              >
+                <Fingerprint size={16} />
+                {t('login.passkey.signIn')}
+              </button>
+            </>
+          )}
+
          {/* Demo login button */}
          {appConfig?.demo_mode && (
            <button onClick={handleDemoLogin} disabled={isLoading}
@@ -23,6 +23,8 @@ export default function AdminSettingsTab({ admin, t }: AdminSettingsTabProps): R
    passwordLogin, setPasswordLogin, passwordRegistration, setPasswordRegistration,
    oidcLogin, setOidcLogin, oidcRegistration, setOidcRegistration,
    envOverrideOidcOnly, oidcConfigured, requireMfa,
+    passkeyLogin, setPasskeyLogin, passkeyConfigured,
+    webauthnRpId, setWebauthnRpId, webauthnOrigins, setWebauthnOrigins, savingWebauthn, handleSaveWebauthn,
    allowedFileTypes, setAllowedFileTypes, savingFileTypes, setSavingFileTypes,
    mapsKey, setMapsKey, showKeys, savingKeys, validating, validation,
    setShowRotateJwtModal,
@@ -119,6 +121,71 @@ export default function AdminSettingsTab({ admin, t }: AdminSettingsTabProps): R
        </div>
      </div>

+      {/* Passkey (WebAuthn) login */}
+      <div className="bg-white rounded-xl border border-slate-200 overflow-hidden">
+        <div className="px-6 py-4 border-b border-slate-100">
+          <h2 className="font-semibold text-slate-900">{t('admin.passkey.title')}</h2>
+          <p className="text-xs text-slate-400 mt-1">{t('admin.passkey.cardHint')}</p>
+        </div>
+        <div className="p-6 space-y-5">
+          <div className="flex items-center justify-between">
+            <div>
+              <p className="text-sm font-medium text-slate-700">{t('admin.passkey.login')}</p>
+              <p className="text-xs text-slate-400 mt-0.5">{t('admin.passkey.loginHint')}</p>
+            </div>
+            <button
+              type="button"
+              onClick={() => handleToggleAuthSetting('passkey_login', !passkeyLogin, setPasskeyLogin)}
+              className={`relative inline-flex h-6 w-11 flex-shrink-0 items-center rounded-full transition-colors ${passkeyLogin ? 'bg-content' : 'bg-edge'}`}
+            >
+              <span
+                className="absolute left-0.5 h-5 w-5 rounded-full bg-white transition-transform duration-200"
+                style={{ transform: passkeyLogin ? 'translateX(20px)' : 'translateX(0)' }}
+              />
+            </button>
+          </div>
+
+          {passkeyLogin && !passkeyConfigured && (
+            <p className="flex items-start gap-2 text-xs text-amber-600 bg-amber-50 border border-amber-200 rounded-lg px-3 py-2">
+              <AlertTriangle size={14} className="flex-shrink-0 mt-0.5" />
+              {t('admin.passkey.notConfigured')}
+            </p>
+          )}
+
+          <div>
+            <label className="block text-sm font-medium text-slate-700 mb-1">{t('admin.passkey.rpId')}</label>
+            <p className="text-xs text-slate-400 mb-1.5">{t('admin.passkey.rpIdHint')}</p>
+            <input
+              type="text"
+              value={webauthnRpId}
+              onChange={e => setWebauthnRpId(e.target.value)}
+              placeholder="trek.example.org"
+              className="w-full px-3 py-2 border border-slate-300 rounded-lg text-sm focus:ring-2 focus:ring-slate-400 focus:border-transparent"
+            />
+          </div>
+          <div>
+            <label className="block text-sm font-medium text-slate-700 mb-1">{t('admin.passkey.origins')}</label>
+            <p className="text-xs text-slate-400 mb-1.5">{t('admin.passkey.originsHint')}</p>
+            <input
+              type="text"
+              value={webauthnOrigins}
+              onChange={e => setWebauthnOrigins(e.target.value)}
+              placeholder="https://trek.example.org"
+              className="w-full px-3 py-2 border border-slate-300 rounded-lg text-sm focus:ring-2 focus:ring-slate-400 focus:border-transparent"
+            />
+          </div>
+          <button
+            type="button"
+            onClick={handleSaveWebauthn}
+            disabled={savingWebauthn}
+            className="flex items-center gap-2 px-4 py-2 bg-slate-900 text-white rounded-lg text-sm hover:bg-slate-700 disabled:opacity-50"
+          >
+            {savingWebauthn ? <Loader2 size={14} className="animate-spin" /> : <Save size={14} />}
+            {t('common.save')}
+          </button>
+        </div>
+      </div>
+
      {/* Require 2FA for all users */}
      <div className="bg-white rounded-xl border border-slate-200 overflow-hidden">
        <div className="px-6 py-4 border-b border-slate-100">
@@ -2,7 +2,7 @@ import React from 'react'
 import { adminApi } from '../../api/client'
 import Modal from '../../components/shared/Modal'
 import CustomSelect from '../../components/shared/CustomSelect'
-import { CheckCircle, ArrowUpCircle, ExternalLink, RefreshCw, AlertTriangle } from 'lucide-react'
+import { CheckCircle, ArrowUpCircle, ExternalLink, RefreshCw, AlertTriangle, Fingerprint } from 'lucide-react'
 import type { TranslationFn } from '../../types'
 import type { useAdmin } from './useAdmin'

@@ -157,6 +157,25 @@ export default function AdminUserModals({ admin, t }: AdminUserModalsProps): Rea
                ]}
              />
            </div>
+            <div className="pt-3 border-t border-slate-100">
+              <p className="text-xs text-slate-400 mb-2">{t('admin.passkey.resetHint')}</p>
+              <button
+                type="button"
+                onClick={async () => {
+                  if (!editingUser) return
+                  if (!confirm(t('admin.passkey.resetConfirm', { name: editingUser.username }))) return
+                  try {
+                    const r = await adminApi.resetUserPasskeys(editingUser.id)
+                    toast.success(t('admin.passkey.resetDone', { count: r.deleted ?? 0 }))
+                  } catch {
+                    toast.error(t('common.error'))
+                  }
+                }}
+                className="flex items-center gap-2 px-3 py-2 text-sm text-red-600 border border-red-200 rounded-lg hover:bg-red-50"
+              >
+                <Fingerprint size={14} /> {t('admin.passkey.reset')}
+              </button>
+            </div>
          </div>
        )}
      </Modal>
@@ -65,6 +65,13 @@ export function useAdmin() {
  const [oidcConfigured, setOidcConfigured] = useState<boolean>(false)
  const [requireMfa, setRequireMfa] = useState<boolean>(false)

+  // Passkey (WebAuthn) login
+  const [passkeyLogin, setPasskeyLogin] = useState<boolean>(false)
+  const [passkeyConfigured, setPasskeyConfigured] = useState<boolean>(false)
+  const [webauthnRpId, setWebauthnRpId] = useState<string>('')
+  const [webauthnOrigins, setWebauthnOrigins] = useState<string>('')
+  const [savingWebauthn, setSavingWebauthn] = useState<boolean>(false)
+
  // Invite links
  const [invites, setInvites] = useState<any[]>([])
  const [showCreateInvite, setShowCreateInvite] = useState<boolean>(false)
@@ -80,6 +87,8 @@ export function useAdmin() {
  useEffect(() => {
    apiClient.get('/auth/app-settings').then(r => {
      setSmtpValues(r.data || {})
+      if (r.data?.webauthn_rp_id) setWebauthnRpId(r.data.webauthn_rp_id)
+      if (r.data?.webauthn_origins) setWebauthnOrigins(r.data.webauthn_origins)
      setSmtpLoaded(true)
    }).catch(() => setSmtpLoaded(true))
  }, [])
@@ -141,6 +150,8 @@ export function useAdmin() {
      setEnvOverrideOidcOnly(config.env_override_oidc_only ?? false)
      setOidcConfigured(config.oidc_configured ?? false)
      if (config.require_mfa !== undefined) setRequireMfa(!!config.require_mfa)
+      setPasskeyLogin(!!config.passkey_login)
+      setPasskeyConfigured(!!config.passkey_configured)
      if (config.allowed_file_types) setAllowedFileTypes(config.allowed_file_types)
    } catch (err: unknown) {
      // ignore
@@ -179,6 +190,23 @@ export function useAdmin() {
    }
  }

+  const handleSaveWebauthn = async () => {
+    setSavingWebauthn(true)
+    try {
+      await authApi.updateAppSettings({
+        webauthn_rp_id: webauthnRpId.trim(),
+        webauthn_origins: webauthnOrigins.trim(),
+      })
+      // Re-read app-config so passkey_configured reflects the new RP ID.
+      await loadAppConfig()
+      toast.success(t('common.saved'))
+    } catch (err: unknown) {
+      toast.error(getApiErrorMessage(err, t('common.error')))
+    } finally {
+      setSavingWebauthn(false)
+    }
+  }
+
  const toggleKey = (key) => {
    setShowKeys(prev => ({ ...prev, [key]: !prev[key] }))
  }
@@ -341,6 +369,8 @@ export function useAdmin() {
    oidcLogin, setOidcLogin, oidcRegistration, setOidcRegistration,
    envOverrideOidcOnly, setEnvOverrideOidcOnly, oidcConfigured, setOidcConfigured,
    requireMfa, setRequireMfa,
+    passkeyLogin, setPasskeyLogin, passkeyConfigured,
+    webauthnRpId, setWebauthnRpId, webauthnOrigins, setWebauthnOrigins, savingWebauthn, handleSaveWebauthn,
    invites, setInvites, showCreateInvite, setShowCreateInvite, inviteForm, setInviteForm,
    allowedFileTypes, setAllowedFileTypes, savingFileTypes, setSavingFileTypes,
    smtpValues, setSmtpValues, smtpLoaded,
@@ -3,6 +3,7 @@ import { useNavigate, useLocation } from 'react-router-dom'
 import { useAuthStore } from '../../store/authStore'
 import { useSettingsStore, hasStoredLanguage } from '../../store/settingsStore'
 import { useTranslation, detectBrowserLanguage } from '../../i18n'
+import { startAuthentication } from '@simplewebauthn/browser'
 import { authApi, configApi } from '../../api/client'
 import { getApiErrorMessage } from '../../types'

@@ -18,6 +19,8 @@ interface AppConfig {
  password_registration: boolean
  oidc_login: boolean
  oidc_registration: boolean
+  passkey_login?: boolean
+  passkey_configured?: boolean
  env_override_oidc_only: boolean
 }

@@ -196,6 +199,28 @@ export function useLogin() {
    }
  }

+  const handlePasskeyLogin = async (): Promise<void> => {
+    setError('')
+    setIsLoading(true)
+    try {
+      const options = await authApi.passkey.loginOptions()
+      const assertion = await startAuthentication({ optionsJSON: options })
+      await authApi.passkey.loginVerify(assertion)
+      await loadUser({ silent: true })
+      setShowTakeoff(true)
+      setTimeout(() => navigate(redirectTarget), 2600)
+    } catch (err: unknown) {
+      // The user dismissing the native prompt isn't an error worth surfacing.
+      const name = (err as { name?: string })?.name
+      if (name === 'NotAllowedError' || name === 'AbortError') {
+        setIsLoading(false)
+        return
+      }
+      setError(getApiErrorMessage(err, t('login.passkey.failed')))
+      setIsLoading(false)
+    }
+  }
+
  const handleSubmit = async (e: React.FormEvent<HTMLFormElement>): Promise<void> => {
    e.preventDefault()
    setError('')
@@ -270,6 +295,6 @@ export function useLogin() {
    showTakeoff, mfaStep, setMfaStep, mfaToken, setMfaToken, mfaCode, setMfaCode,
    passwordChangeStep, newPassword, setNewPassword, confirmPassword, setConfirmPassword,
    noRedirect, showRegisterOption, oidcOnly,
-    handleDemoLogin, handleSubmit,
+    handleDemoLogin, handleSubmit, handlePasskeyLogin,
  }
 }
@@ -29,6 +29,7 @@
        "@fontsource/geist-sans": "^5.2.5",
        "@fontsource/poppins": "^5.2.7",
        "@react-pdf/renderer": "^4.5.1",
+        "@simplewebauthn/browser": "^13.1.2",
        "@trek/shared": "*",
        "axios": "^1.6.7",
        "dexie": "^4.4.2",
@@ -2525,6 +2526,12 @@
        "url": "https://github.com/sponsors/ayuhito"
      }
    },
+    "node_modules/@hexagon/base64": {
+      "version": "1.1.28",
+      "resolved": "https://registry.npmjs.org/@hexagon/base64/-/base64-1.1.28.tgz",
+      "integrity": "sha512-lhqDEAvWixy3bZ+UOYbPwUbBkwBq5C1LAJ/xPC8Oi+lL54oyakv/npbA0aU2hgCsx/1NUd4IBvV03+aUBWxerw==",
+      "license": "MIT"
+    },
    "node_modules/@hono/node-server": {
      "version": "1.19.14",
      "license": "MIT",
@@ -3656,6 +3663,12 @@
        "@jridgewell/sourcemap-codec": "^1.4.14"
      }
    },
+    "node_modules/@levischuck/tiny-cbor": {
+      "version": "0.2.11",
+      "resolved": "https://registry.npmjs.org/@levischuck/tiny-cbor/-/tiny-cbor-0.2.11.tgz",
+      "integrity": "sha512-llBRm4dT4Z89aRsm6u2oEZ8tfwL/2l6BwpZ7JcyieouniDECM5AqNgr/y08zalEIvW3RSK4upYyybDcmjXqAow==",
+      "license": "MIT"
+    },
    "node_modules/@lukeed/csprng": {
      "version": "1.1.0",
      "license": "MIT",
@@ -4490,6 +4503,174 @@
        "@noble/hashes": "^1.1.5"
      }
    },
+    "node_modules/@peculiar/asn1-android": {
+      "version": "2.7.0",
+      "resolved": "https://registry.npmjs.org/@peculiar/asn1-android/-/asn1-android-2.7.0.tgz",
+      "integrity": "sha512-iD3VskhVQnM4nE3PN9cBdPTR7JrqZy3FYk+uD2CeG6DUqKoANqaEfx0f7izPmW+Qm5JBM35ek+viLCmjy18ByQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@peculiar/asn1-schema": "^2.7.0",
+        "asn1js": "^3.0.6",
+        "tslib": "^2.8.1"
+      }
+    },
+    "node_modules/@peculiar/asn1-cms": {
+      "version": "2.7.0",
+      "resolved": "https://registry.npmjs.org/@peculiar/asn1-cms/-/asn1-cms-2.7.0.tgz",
+      "integrity": "sha512-hew63shtzzvBcSHbhm+cyAmKe6AIfinT9hzEqSPjDC6opTTMKmTkQ0gHuN2KsWlvqiKw1S/fS94fhag/FJkioQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@peculiar/asn1-schema": "^2.7.0",
+        "@peculiar/asn1-x509": "^2.7.0",
+        "@peculiar/asn1-x509-attr": "^2.7.0",
+        "asn1js": "^3.0.6",
+        "tslib": "^2.8.1"
+      }
+    },
+    "node_modules/@peculiar/asn1-csr": {
+      "version": "2.7.0",
+      "resolved": "https://registry.npmjs.org/@peculiar/asn1-csr/-/asn1-csr-2.7.0.tgz",
+      "integrity": "sha512-VVsAyGqErT9D1SY4aEqozThXMVI+ssVRiv2DDeYuvpBKLIgZ3hYs3Ay3u/VSoKq6ESFi9cf6rf3IOOzfwh7oMA==",
+      "license": "MIT",
+      "dependencies": {
+        "@peculiar/asn1-schema": "^2.7.0",
+        "@peculiar/asn1-x509": "^2.7.0",
+        "asn1js": "^3.0.6",
+        "tslib": "^2.8.1"
+      }
+    },
+    "node_modules/@peculiar/asn1-ecc": {
+      "version": "2.7.0",
+      "resolved": "https://registry.npmjs.org/@peculiar/asn1-ecc/-/asn1-ecc-2.7.0.tgz",
+      "integrity": "sha512-n7KEs/Q/wrB415cxy4fHOBhegp4NdJ15fkJPwcB/3/8iNBQC2L/N7SChJPKDJPZGYH0jD4Tg4/0vnHmwghnbKw==",
+      "license": "MIT",
+      "dependencies": {
+        "@peculiar/asn1-schema": "^2.7.0",
+        "@peculiar/asn1-x509": "^2.7.0",
+        "asn1js": "^3.0.6",
+        "tslib": "^2.8.1"
+      }
+    },
+    "node_modules/@peculiar/asn1-pfx": {
+      "version": "2.7.0",
+      "resolved": "https://registry.npmjs.org/@peculiar/asn1-pfx/-/asn1-pfx-2.7.0.tgz",
+      "integrity": "sha512-V/nrlQVmhg7lYAsM7E13UDL5erAwFv6kCIVFqNaMIHSVi7dngcT839JkRTkQBqznMG98l2XjxYk74ZztAohZzA==",
+      "license": "MIT",
+      "dependencies": {
+        "@peculiar/asn1-cms": "^2.7.0",
+        "@peculiar/asn1-pkcs8": "^2.7.0",
+        "@peculiar/asn1-rsa": "^2.7.0",
+        "@peculiar/asn1-schema": "^2.7.0",
+        "asn1js": "^3.0.6",
+        "tslib": "^2.8.1"
+      }
+    },
+    "node_modules/@peculiar/asn1-pkcs8": {
+      "version": "2.7.0",
+      "resolved": "https://registry.npmjs.org/@peculiar/asn1-pkcs8/-/asn1-pkcs8-2.7.0.tgz",
+      "integrity": "sha512-9GTl1nE8Mx1kTZ+7QyYatDyKsm34QcWRBFkY1iPvWC3X4Dona5s/tlLiQsx5WzVdZqiMBZNYT0buyw4/vbhnjw==",
+      "license": "MIT",
+      "dependencies": {
+        "@peculiar/asn1-schema": "^2.7.0",
+        "@peculiar/asn1-x509": "^2.7.0",
+        "asn1js": "^3.0.6",
+        "tslib": "^2.8.1"
+      }
+    },
+    "node_modules/@peculiar/asn1-pkcs9": {
+      "version": "2.7.0",
+      "resolved": "https://registry.npmjs.org/@peculiar/asn1-pkcs9/-/asn1-pkcs9-2.7.0.tgz",
+      "integrity": "sha512-Bh7m+OuIaSEllPQcSd9OSp93F4ROWH7sbITWV8MI+8dwsjE5111/87VxiWVvYFKyww3vp39geLv9ENqhwWHcew==",
+      "license": "MIT",
+      "dependencies": {
+        "@peculiar/asn1-cms": "^2.7.0",
+        "@peculiar/asn1-pfx": "^2.7.0",
+        "@peculiar/asn1-pkcs8": "^2.7.0",
+        "@peculiar/asn1-schema": "^2.7.0",
+        "@peculiar/asn1-x509": "^2.7.0",
+        "@peculiar/asn1-x509-attr": "^2.7.0",
+        "asn1js": "^3.0.6",
+        "tslib": "^2.8.1"
+      }
+    },
+    "node_modules/@peculiar/asn1-rsa": {
+      "version": "2.7.0",
+      "resolved": "https://registry.npmjs.org/@peculiar/asn1-rsa/-/asn1-rsa-2.7.0.tgz",
+      "integrity": "sha512-/qvENQrXyTZURjMqSeofHul0JJt2sNSzSwk36pl2olkHbaioMQgrASDZAlHXl0xUlnVbHj0uGgOrBMTb5x2aJQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@peculiar/asn1-schema": "^2.7.0",
+        "@peculiar/asn1-x509": "^2.7.0",
+        "asn1js": "^3.0.6",
+        "tslib": "^2.8.1"
+      }
+    },
+    "node_modules/@peculiar/asn1-schema": {
+      "version": "2.7.0",
+      "resolved": "https://registry.npmjs.org/@peculiar/asn1-schema/-/asn1-schema-2.7.0.tgz",
+      "integrity": "sha512-W8ZfWzLmQnrcky+eh3tni4IozMdqBDiHWU0N+vve/UGjMaUs8c0L7A2oEdkBXS8rTpWDpK/aoI3DG/L/hxmxPg==",
+      "license": "MIT",
+      "dependencies": {
+        "@peculiar/utils": "^2.0.2",
+        "asn1js": "^3.0.6",
+        "tslib": "^2.8.1"
+      }
+    },
+    "node_modules/@peculiar/asn1-x509": {
+      "version": "2.7.0",
+      "resolved": "https://registry.npmjs.org/@peculiar/asn1-x509/-/asn1-x509-2.7.0.tgz",
+      "integrity": "sha512-mUn9RRrkGDnG4ALfunDmzyRW5dg+sWCj/pfnCCqEHYbkGxEpvUt6iVJv8Yw1cyp6SWZ26ZE5oSmI5SqEaen15g==",
+      "license": "MIT",
+      "dependencies": {
+        "@peculiar/asn1-schema": "^2.7.0",
+        "@peculiar/utils": "^2.0.2",
+        "asn1js": "^3.0.6",
+        "tslib": "^2.8.1"
+      }
+    },
+    "node_modules/@peculiar/asn1-x509-attr": {
+      "version": "2.7.0",
+      "resolved": "https://registry.npmjs.org/@peculiar/asn1-x509-attr/-/asn1-x509-attr-2.7.0.tgz",
+      "integrity": "sha512-NS8e7SOgXipkzUPLF/sce7ukpMpWjhxYsH0n6Y+bHYo4TTxOb95Zv7hqwSuL212mj5YxovjdOKQOgH1As3E94w==",
+      "license": "MIT",
+      "dependencies": {
+        "@peculiar/asn1-schema": "^2.7.0",
+        "@peculiar/asn1-x509": "^2.7.0",
+        "asn1js": "^3.0.6",
+        "tslib": "^2.8.1"
+      }
+    },
+    "node_modules/@peculiar/utils": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/@peculiar/utils/-/utils-2.0.3.tgz",
+      "integrity": "sha512-+oL3HPFRIZ1St2K50lWCXiioIgSoxzz7R1J3uF6neO2yl1sgmpgY6XXJH4BdpoDkMWznQTeYF6oWNDZLCdQ4eQ==",
+      "license": "MIT",
+      "dependencies": {
+        "tslib": "^2.8.1"
+      }
+    },
+    "node_modules/@peculiar/x509": {
+      "version": "1.14.3",
+      "resolved": "https://registry.npmjs.org/@peculiar/x509/-/x509-1.14.3.tgz",
+      "integrity": "sha512-C2Xj8FZ0uHWeCXXqX5B4/gVFQmtSkiuOolzAgutjTfseNOHT3pUjljDZsTSxXFGgio54bCzVFqmEOUrIVk8RDA==",
+      "license": "MIT",
+      "dependencies": {
+        "@peculiar/asn1-cms": "^2.6.0",
+        "@peculiar/asn1-csr": "^2.6.0",
+        "@peculiar/asn1-ecc": "^2.6.0",
+        "@peculiar/asn1-pkcs9": "^2.6.0",
+        "@peculiar/asn1-rsa": "^2.6.0",
+        "@peculiar/asn1-schema": "^2.6.0",
+        "@peculiar/asn1-x509": "^2.6.0",
+        "pvtsutils": "^1.3.6",
+        "reflect-metadata": "^0.2.2",
+        "tslib": "^2.8.1",
+        "tsyringe": "^4.10.0"
+      },
+      "engines": {
+        "node": ">=20.0.0"
+      }
+    },
    "node_modules/@pkgjs/parseargs": {
      "version": "0.11.0",
      "dev": true,
@@ -5179,6 +5360,31 @@
        "win32"
      ]
    },
+    "node_modules/@simplewebauthn/browser": {
+      "version": "13.3.0",
+      "resolved": "https://registry.npmjs.org/@simplewebauthn/browser/-/browser-13.3.0.tgz",
+      "integrity": "sha512-BE/UWv6FOToAdVk0EokzkqQQDOWtNydYlY6+OrmiZ5SCNmb41VehttboTetUM3T/fr6EAFYVXjz4My2wg230rQ==",
+      "license": "MIT"
+    },
+    "node_modules/@simplewebauthn/server": {
+      "version": "13.3.1",
+      "resolved": "https://registry.npmjs.org/@simplewebauthn/server/-/server-13.3.1.tgz",
+      "integrity": "sha512-GV/oM/qeycWn8p42JZIMJBsXWQcNFg+nJFzeQTnMA4gN8mXg0+HZFWJerHg8ZN/zlveMS3iV1wzuFpOVWS/46w==",
+      "license": "MIT",
+      "dependencies": {
+        "@hexagon/base64": "^1.1.27",
+        "@levischuck/tiny-cbor": "^0.2.2",
+        "@peculiar/asn1-android": "^2.6.0",
+        "@peculiar/asn1-ecc": "^2.6.1",
+        "@peculiar/asn1-rsa": "^2.6.1",
+        "@peculiar/asn1-schema": "^2.6.0",
+        "@peculiar/asn1-x509": "^2.6.1",
+        "@peculiar/x509": "^1.14.3"
+      },
+      "engines": {
+        "node": ">=20.0.0"
+      }
+    },
    "node_modules/@swc/core": {
      "version": "1.15.40",
      "dev": true,
@@ -6442,6 +6648,20 @@
      "dev": true,
      "license": "MIT"
    },
+    "node_modules/asn1js": {
+      "version": "3.0.10",
+      "resolved": "https://registry.npmjs.org/asn1js/-/asn1js-3.0.10.tgz",
+      "integrity": "sha512-S2s3aOytiKdFRdulw2qPE51MzjzVOisppcVv7jVFR+Kw0kxwvFrDcYA0h7Ndqbmj0HkMIXYWaoj7fli8kgx1eg==",
+      "license": "BSD-3-Clause",
+      "dependencies": {
+        "pvtsutils": "^1.3.6",
+        "pvutils": "^1.1.5",
+        "tslib": "^2.8.1"
+      },
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
    "node_modules/assertion-error": {
      "version": "2.0.1",
      "dev": true,
@@ -12765,6 +12985,24 @@
        "node": ">=6"
      }
    },
+    "node_modules/pvtsutils": {
+      "version": "1.3.6",
+      "resolved": "https://registry.npmjs.org/pvtsutils/-/pvtsutils-1.3.6.tgz",
+      "integrity": "sha512-PLgQXQ6H2FWCaeRak8vvk1GW462lMxB5s3Jm673N82zI4vqtVUPuZdffdZbPDFRoU8kAhItWFtPCWiPpp4/EDg==",
+      "license": "MIT",
+      "dependencies": {
+        "tslib": "^2.8.1"
+      }
+    },
+    "node_modules/pvutils": {
+      "version": "1.1.5",
+      "resolved": "https://registry.npmjs.org/pvutils/-/pvutils-1.1.5.tgz",
+      "integrity": "sha512-KTqnxsgGiQ6ZAzZCVlJH5eOjSnvlyEgx1m8bkRJfOhmGRqfo5KLvmAlACQkrjEtOQ4B7wF9TdSLIs9O90MX9xA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=16.0.0"
+      }
+    },
    "node_modules/qrcode": {
      "version": "1.5.4",
      "license": "MIT",
@@ -15445,6 +15683,24 @@
        "@esbuild/win32-x64": "0.28.0"
      }
    },
+    "node_modules/tsyringe": {
+      "version": "4.10.0",
+      "resolved": "https://registry.npmjs.org/tsyringe/-/tsyringe-4.10.0.tgz",
+      "integrity": "sha512-axr3IdNuVIxnaK5XGEUFTu3YmAQ6lllgrvqfEoR16g/HGnYY/6We4oWENtAnzK6/LpJ2ur9PAb80RBt7/U4ugw==",
+      "license": "MIT",
+      "dependencies": {
+        "tslib": "^1.9.3"
+      },
+      "engines": {
+        "node": ">= 6.0.0"
+      }
+    },
+    "node_modules/tsyringe/node_modules/tslib": {
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz",
+      "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg==",
+      "license": "0BSD"
+    },
    "node_modules/tunnel-agent": {
      "version": "0.6.0",
      "license": "Apache-2.0",
@@ -17346,6 +17602,7 @@
        "@nestjs/common": "^11.1.24",
        "@nestjs/core": "^11.1.24",
        "@nestjs/platform-express": "^11.1.24",
+        "@simplewebauthn/server": "^13.1.2",
        "@trek/shared": "*",
        "archiver": "^6.0.1",
        "bcryptjs": "^2.4.3",
@@ -27,6 +27,7 @@
    "@nestjs/common": "^11.1.24",
    "@nestjs/core": "^11.1.24",
    "@nestjs/platform-express": "^11.1.24",
+    "@simplewebauthn/server": "^13.1.2",
    "archiver": "^6.0.1",
    "bcryptjs": "^2.4.3",
    "better-sqlite3": "^12.8.0",
@@ -2340,6 +2340,35 @@ function runMigrations(db: Database.Database): void {
        "UPDATE addons SET name = 'Costs', description = 'Track and split trip expenses' WHERE id = 'budget' AND name = 'Budget Planner'",
      ).run();
    },
+    // WebAuthn / passkey support: per-user credentials + single-use login
+    // challenges. Additive (CREATE TABLE IF NOT EXISTS) so existing installs are
+    // untouched; both tables also live in schema.ts for fresh installs.
+    () => db.exec(`
+      CREATE TABLE IF NOT EXISTS webauthn_credentials (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+        credential_id TEXT NOT NULL UNIQUE,
+        public_key BLOB NOT NULL,
+        counter INTEGER NOT NULL DEFAULT 0,
+        transports TEXT,
+        device_type TEXT,
+        backed_up INTEGER NOT NULL DEFAULT 0,
+        name TEXT,
+        aaguid TEXT,
+        created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+        last_used_at DATETIME
+      );
+      CREATE INDEX IF NOT EXISTS idx_webauthn_credentials_user ON webauthn_credentials(user_id);
+      CREATE TABLE IF NOT EXISTS webauthn_challenges (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        challenge TEXT NOT NULL UNIQUE,
+        user_id INTEGER REFERENCES users(id) ON DELETE CASCADE,
+        type TEXT NOT NULL,
+        expires_at INTEGER NOT NULL,
+        created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+      );
+      CREATE INDEX IF NOT EXISTS idx_webauthn_challenges_expires ON webauthn_challenges(expires_at);
+    `),
  ];

  if (currentVersion < migrations.length) {
@@ -42,6 +42,32 @@ function createTables(db: Database.Database): void {
    CREATE INDEX IF NOT EXISTS idx_prt_user ON password_reset_tokens(user_id);
    CREATE INDEX IF NOT EXISTS idx_prt_hash ON password_reset_tokens(token_hash);

+    CREATE TABLE IF NOT EXISTS webauthn_credentials (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+      credential_id TEXT NOT NULL UNIQUE,
+      public_key BLOB NOT NULL,
+      counter INTEGER NOT NULL DEFAULT 0,
+      transports TEXT,
+      device_type TEXT,
+      backed_up INTEGER NOT NULL DEFAULT 0,
+      name TEXT,
+      aaguid TEXT,
+      created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+      last_used_at DATETIME
+    );
+    CREATE INDEX IF NOT EXISTS idx_webauthn_credentials_user ON webauthn_credentials(user_id);
+
+    CREATE TABLE IF NOT EXISTS webauthn_challenges (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      challenge TEXT NOT NULL UNIQUE,
+      user_id INTEGER REFERENCES users(id) ON DELETE CASCADE,
+      type TEXT NOT NULL,
+      expires_at INTEGER NOT NULL,
+      created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+    );
+    CREATE INDEX IF NOT EXISTS idx_webauthn_challenges_expires ON webauthn_challenges(expires_at);
+
    CREATE TABLE IF NOT EXISTS settings (
      id INTEGER PRIMARY KEY AUTOINCREMENT,
      user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
@@ -12,6 +12,9 @@ export function isPublicApiPath(method: string, pathNoQuery: string): boolean {
  if (method === 'POST' && pathNoQuery === '/api/auth/demo-login') return true;
  if (method === 'GET' && pathNoQuery.startsWith('/api/auth/invite/')) return true;
  if (method === 'POST' && pathNoQuery === '/api/auth/mfa/verify-login') return true;
+  // Unauthenticated passkey (primary) login ceremony.
+  if (method === 'POST' && pathNoQuery === '/api/auth/passkey/login/options') return true;
+  if (method === 'POST' && pathNoQuery === '/api/auth/passkey/login/verify') return true;
  if (pathNoQuery.startsWith('/api/auth/oidc/')) return true;
  return false;
 }
@@ -21,6 +24,11 @@ export function isMfaSetupExemptPath(method: string, pathNoQuery: string): boole
  if (method === 'GET' && pathNoQuery === '/api/auth/me') return true;
  if (method === 'POST' && pathNoQuery === '/api/auth/mfa/setup') return true;
  if (method === 'POST' && pathNoQuery === '/api/auth/mfa/enable') return true;
+  // Allow enrolling a passkey as the second factor (a user-verified passkey
+  // satisfies require_mfa), so a fresh user under the policy isn't stuck.
+  if (method === 'POST' && pathNoQuery === '/api/auth/passkey/register/options') return true;
+  if (method === 'POST' && pathNoQuery === '/api/auth/passkey/register/verify') return true;
+  if (method === 'GET' && pathNoQuery === '/api/auth/passkey/credentials') return true;
  if ((method === 'GET' || method === 'PUT') && pathNoQuery === '/api/auth/app-settings') return true;
  return false;
 }
@@ -81,8 +89,12 @@ export function enforceGlobalMfaPolicy(req: Request, res: Response, next: NextFu
    return;
  }

+  // A user-verified passkey is phishing-resistant and inherently two-factor, so
+  // owning at least one satisfies the require_mfa policy exactly like TOTP does.
+  // (All stored passkeys were registered with userVerification required.)
  const mfaOk = row.mfa_enabled === 1 || row.mfa_enabled === true;
-  if (mfaOk) {
+  const passkeyOk = !!db.prepare('SELECT 1 FROM webauthn_credentials WHERE user_id = ? LIMIT 1').get(userId);
+  if (mfaOk || passkeyOk) {
    next();
    return;
  }
@@ -60,6 +60,13 @@ export class AdminController {
    return { success: true };
  }

+  @Delete('users/:id/passkeys')
+  resetUserPasskeys(@CurrentUser() user: User, @Param('id') id: string, @Req() req: Request) {
+    const result = ok(this.admin.resetUserPasskeys(id));
+    writeAudit({ userId: user.id, action: 'admin.user_passkeys_reset', resource: String(id), ip: getClientIp(req), details: { targetUser: result.email, deleted: result.deleted } });
+    return { success: true, deleted: result.deleted };
+  }
+
  // ── Stats / permissions / audit ──
  @Get('stats')
  stats() { return this.admin.getStats(); }
@@ -3,6 +3,7 @@ import * as svc from '../../services/adminService';
 import { getAdminUserDefaults, setAdminUserDefaults } from '../../services/settingsService';
 import { invalidateMcpSessions } from '../../mcp';
 import { getPreferencesMatrix, setAdminPreferences } from '../../services/notificationPreferencesService';
+import { adminResetPasskeys } from '../../services/passkeyService';

 /**
 * Thin Nest wrapper around the existing admin service (+ the settings,
@@ -17,6 +18,7 @@ export class AdminService {
  createUser(body: unknown) { return svc.createUser(body as Parameters<typeof svc.createUser>[0]); }
  updateUser(id: string, body: unknown) { return svc.updateUser(id, body as Parameters<typeof svc.updateUser>[1]); }
  deleteUser(id: string, actingUserId: number) { return svc.deleteUser(id, actingUserId); }
+  resetUserPasskeys(id: string) { return adminResetPasskeys(Number(id)); }

  getStats() { return svc.getStats(); }
  getPermissions() { return svc.getPermissions(); }
@@ -1,6 +1,7 @@
 import { Module } from '@nestjs/common';
 import { AuthPublicController } from './auth-public.controller';
 import { AuthController } from './auth.controller';
+import { PasskeyController } from './passkey.controller';
 import { AuthService } from './auth.service';
 import { RateLimitService } from './rate-limit.service';

@@ -11,7 +12,7 @@ import { RateLimitService } from './rate-limit.service';
 * sub-paths explicitly rather than claiming all of /api/auth.
 */
@Module({
-  controllers: [AuthPublicController, AuthController],
+  controllers: [AuthPublicController, AuthController, PasskeyController],
  providers: [AuthService, RateLimitService],
 })
 export class AuthModule {}
@@ -0,0 +1,22 @@
+import { CanActivate, HttpException, Injectable } from '@nestjs/common';
+import { resolveAuthToggles } from '../../services/authService';
+
+/**
+ * Server-side enforcement of the instance-wide `passkey_login` toggle. Placed
+ * BEFORE the auth guard on every passkey ceremony route so a disabled feature
+ * returns 404 (not "auth required") and cannot be driven by direct API calls —
+ * hiding the button in the UI is not enough. Mirrors JourneyAddonGuard.
+ *
+ * The credential-management routes (list/rename/delete) are deliberately NOT
+ * gated by this guard so users can still clean up their passkeys after an admin
+ * turns the feature off.
+ */
+@Injectable()
+export class PasskeyEnabledGuard implements CanActivate {
+  canActivate(): boolean {
+    if (!resolveAuthToggles().passkey_login) {
+      throw new HttpException({ error: 'Passkey login is not enabled' }, 404);
+    }
+    return true;
+  }
+}
@@ -0,0 +1,114 @@
+import { Body, Controller, Delete, Get, HttpCode, HttpException, Param, Patch, Post, Req, Res, UseGuards } from '@nestjs/common';
+import type { Request, Response } from 'express';
+import { RateLimitService } from './rate-limit.service';
+import { JwtAuthGuard } from './jwt-auth.guard';
+import { PasskeyEnabledGuard } from './passkey-enabled.guard';
+import { CurrentUser } from './current-user.decorator';
+import { setAuthCookie } from '../../services/cookie';
+import { writeAudit, getClientIp } from '../../services/auditLog';
+import * as passkey from '../../services/passkeyService';
+import type { User } from '../../types';
+
+const WINDOW = 15 * 60 * 1000;
+const LOGIN_MIN_LATENCY_MS = 350;
+const delay = (ms: number) => new Promise((r) => setTimeout(r, ms));
+
+/**
+ * /api/auth/passkey — WebAuthn (passkey) registration, primary login and
+ * credential management.
+ *
+ * - register/*  : authenticated, gated by the admin toggle + password re-auth.
+ * - login/*     : UNauthenticated discoverable-credential login, gated by the
+ *                 admin toggle; mints the SAME session cookie as password login.
+ * - credentials : owner-scoped management — intentionally NOT toggle-gated so a
+ *                 user can always view/remove their passkeys.
+ *
+ * PasskeyEnabledGuard is listed first so a disabled feature 404s before auth.
+ */
+@Controller('api/auth/passkey')
+export class PasskeyController {
+  constructor(private readonly rl: RateLimitService) {}
+
+  private limit(bucket: string, req: Request, max: number): void {
+    if (!this.rl.check(bucket, req.ip || 'unknown', max, WINDOW, Date.now())) {
+      throw new HttpException({ error: 'Too many attempts. Please try again later.' }, 429);
+    }
+  }
+
+  // ── Registration (authenticated) ──
+  @Post('register/options')
+  @HttpCode(200)
+  @UseGuards(PasskeyEnabledGuard, JwtAuthGuard)
+  async registerOptions(@CurrentUser() user: User, @Body() body: { password?: string }, @Req() req: Request) {
+    this.limit('mfa', req, 5);
+    const result = await passkey.passkeyRegisterOptions(user.id, body?.password);
+    if (result.error) throw new HttpException({ error: result.error }, result.status!);
+    return result.options;
+  }
+
+  @Post('register/verify')
+  @HttpCode(200)
+  @UseGuards(PasskeyEnabledGuard, JwtAuthGuard)
+  async registerVerify(@CurrentUser() user: User, @Body() body: unknown, @Req() req: Request) {
+    const result = await passkey.passkeyRegisterVerify(user.id, body as Parameters<typeof passkey.passkeyRegisterVerify>[1]);
+    if (result.error) throw new HttpException({ error: result.error }, result.status!);
+    writeAudit({ userId: user.id, action: 'user.passkey_register', ip: getClientIp(req) });
+    return { success: true, credential: result.credential };
+  }
+
+  // ── Authentication (public — primary login) ──
+  @Post('login/options')
+  @HttpCode(200)
+  @UseGuards(PasskeyEnabledGuard)
+  async loginOptions(@Req() req: Request) {
+    this.limit('login', req, 10);
+    const result = await passkey.passkeyLoginOptions();
+    if (result.error) throw new HttpException({ error: result.error }, result.status!);
+    return result.options;
+  }
+
+  @Post('login/verify')
+  @HttpCode(200)
+  @UseGuards(PasskeyEnabledGuard)
+  async loginVerify(@Body() body: unknown, @Req() req: Request, @Res({ passthrough: true }) res: Response) {
+    this.limit('login', req, 10);
+    const started = Date.now();
+    const result = await passkey.passkeyLoginVerify(body as Parameters<typeof passkey.passkeyLoginVerify>[0]);
+    if (result.auditAction) {
+      writeAudit({ userId: result.auditUserId ?? null, action: result.auditAction, ip: getClientIp(req) });
+    }
+    // Pad to the same floor as password login so timing can't distinguish a
+    // known credential from an unknown one.
+    const elapsed = Date.now() - started;
+    if (elapsed < LOGIN_MIN_LATENCY_MS) await delay(LOGIN_MIN_LATENCY_MS - elapsed);
+    if (result.error) throw new HttpException({ error: result.error }, result.status!);
+    writeAudit({ userId: result.auditUserId!, action: 'user.login', ip: getClientIp(req), details: { method: 'passkey' } });
+    setAuthCookie(res, result.token!, req);
+    return { token: result.token, user: result.user };
+  }
+
+  // ── Management (authenticated, owner-scoped — NOT toggle-gated) ──
+  @Get('credentials')
+  @UseGuards(JwtAuthGuard)
+  list(@CurrentUser() user: User) {
+    return { credentials: passkey.listPasskeys(user.id) };
+  }
+
+  @Patch('credentials/:id')
+  @UseGuards(JwtAuthGuard)
+  rename(@CurrentUser() user: User, @Param('id') id: string, @Body() body: { name?: unknown }) {
+    const result = passkey.renamePasskey(user.id, id, body?.name);
+    if (result.error) throw new HttpException({ error: result.error }, result.status!);
+    return { success: true };
+  }
+
+  @Delete('credentials/:id')
+  @UseGuards(JwtAuthGuard)
+  remove(@CurrentUser() user: User, @Param('id') id: string, @Body() body: { password?: string }, @Req() req: Request) {
+    this.limit('login', req, 5);
+    const result = passkey.deletePasskey(user.id, id, body?.password);
+    if (result.error) throw new HttpException({ error: result.error }, result.status!);
+    writeAudit({ userId: user.id, action: 'user.passkey_delete', resource: String(id), ip: getClientIp(req) });
+    return { success: true };
+  }
+}
@@ -21,6 +21,7 @@ import { verifyJwtAndLoadUser } from '../middleware/auth';
 import { User } from '../types';
 import { DEMO_EMAIL_PRIMARY, isDemoEmail } from './demo';
 import { avatarUrl } from './avatarUrl';
+import { isPasskeyConfigured } from './webauthnConfig';

 export { avatarUrl };

@@ -51,6 +52,7 @@ const ADMIN_SETTINGS_KEYS = [
  'notification_channels', 'admin_webhook_url', 'admin_ntfy_server', 'admin_ntfy_topic', 'admin_ntfy_token',
  'notify_trip_reminder',
  'password_login', 'password_registration', 'oidc_login', 'oidc_registration',
+  'passkey_login', 'webauthn_rp_id', 'webauthn_origins',
 ];

 const avatarDir = path.join(__dirname, '../../uploads/avatars');
@@ -128,10 +130,17 @@ export function resolveAuthToggles(): {
  password_registration: boolean;
  oidc_login: boolean;
  oidc_registration: boolean;
+  passkey_login: boolean;
 } {
  const get = (key: string) =>
    (db.prepare("SELECT value FROM app_settings WHERE key = ?").get(key) as { value: string } | undefined)?.value ?? null;

+  // Passkey login is independent of the password/OIDC "new keys" probe, so it
+  // must be resolved OUTSIDE the branch below — otherwise on a fresh install
+  // that never touched the password/OIDC toggles it would silently read false
+  // even after an admin enabled it. Default OFF (opt-in).
+  const passkey_login = get('passkey_login') === 'true';
+
  const hasNewKeys = ['password_login', 'password_registration', 'oidc_login', 'oidc_registration']
    .some(k => get(k) !== null);

@@ -141,6 +150,7 @@ export function resolveAuthToggles(): {
      password_registration: get('password_registration') !== 'false',
      oidc_login: get('oidc_login') !== 'false',
      oidc_registration: get('oidc_registration') !== 'false',
+      passkey_login,
    };
    if (process.env.OIDC_ONLY?.toLowerCase() === 'true') {
      result.password_login = false;
@@ -163,6 +173,7 @@ export function resolveAuthToggles(): {
    password_registration: !oidcOnly && allowReg,
    oidc_login: true,
    oidc_registration: allowReg,
+    passkey_login,
  };
 }

@@ -299,6 +310,12 @@ export function getAppConfig(authenticatedUser: { id: number } | null) {
    password_registration: isDemo ? false : toggles.password_registration,
    oidc_login: toggles.oidc_login,
    oidc_registration: isDemo ? false : toggles.oidc_registration,
+    // Passkey login: the instance toggle + whether a usable RP ID resolves for
+    // this deployment. The login page shows the passkey button only when both
+    // are true. `passkey_configured` stays a pure boolean — it never leaks the
+    // resolved RP ID / origin / APP_URL on this unauthenticated endpoint.
+    passkey_login: toggles.passkey_login,
+    passkey_configured: isPasskeyConfigured(),
    env_override_oidc_only: process.env.OIDC_ONLY === 'true',
    has_users: userCount > 0,
    setup_complete: setupComplete,
@@ -812,9 +829,12 @@ export function updateAppSettings(
  const { require_mfa } = body;
  if (require_mfa === true || require_mfa === 'true') {
    const adminMfa = db.prepare('SELECT mfa_enabled FROM users WHERE id = ?').get(userId) as { mfa_enabled: number } | undefined;
-    if (!(adminMfa?.mfa_enabled === 1)) {
+    // A user-verified passkey satisfies the MFA policy, so an admin who secured
+    // their own account with a passkey may enable it too (not only TOTP).
+    const adminHasPasskey = !!db.prepare('SELECT 1 FROM webauthn_credentials WHERE user_id = ? LIMIT 1').get(userId);
+    if (!(adminMfa?.mfa_enabled === 1) && !adminHasPasskey) {
      return {
-        error: 'Enable two-factor authentication on your own account before requiring it for all users.',
+        error: 'Secure your own account with two-factor authentication or a passkey before requiring it for all users.',
        status: 400,
      };
    }
@@ -0,0 +1,364 @@
+import bcrypt from 'bcryptjs';
+import {
+  generateRegistrationOptions,
+  verifyRegistrationResponse,
+  generateAuthenticationOptions,
+  verifyAuthenticationResponse,
+  type AuthenticatorTransportFuture,
+} from '@simplewebauthn/server';
+import { db } from '../db/database';
+import { resolveWebauthnConfig } from './webauthnConfig';
+import { generateToken, stripUserForClient, avatarUrl } from './authService';
+import type { User } from '../types';
+
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+
+// Short single-use challenge lifetime — a ceremony is a few seconds of user
+// interaction. Kept tight so a stray row can't be replayed and the table can't
+// accumulate. Mirrors the spirit of the OIDC state TTL.
+const CHALLENGE_TTL_MS = 5 * 60 * 1000;
+
+// Pinned COSE algorithms: EdDSA (-8), ES256 (-7), RS256 (-257). We never want a
+// future library default to silently widen what we accept.
+const SUPPORTED_ALGORITHM_IDS = [-8, -7, -257];
+
+const NOT_CONFIGURED = { error: 'Passkey login is not configured for this server.', status: 400 } as const;
+// One generic message for every authentication failure so the endpoint can't be
+// used to tell "no such credential" apart from "bad signature" (CWE-203).
+const AUTH_FAILED = { error: 'Authentication failed', status: 401 } as const;
+
+interface CredentialRow {
+  id: number;
+  user_id: number;
+  credential_id: string;
+  public_key: Buffer;
+  counter: number;
+  transports: string | null;
+  device_type: string | null;
+  backed_up: number;
+  name: string | null;
+  aaguid: string | null;
+  created_at: string;
+  last_used_at: string | null;
+}
+
+// ---------------------------------------------------------------------------
+// Challenge store (DB-backed, single-use, TTL'd)
+// ---------------------------------------------------------------------------
+
+function purgeExpiredChallenges(now: number): void {
+  db.prepare('DELETE FROM webauthn_challenges WHERE expires_at < ?').run(now);
+}
+
+function storeChallenge(challenge: string, userId: number | null, type: 'registration' | 'authentication', now: number): void {
+  db.prepare('INSERT INTO webauthn_challenges (challenge, user_id, type, expires_at) VALUES (?, ?, ?, ?)')
+    .run(challenge, userId, type, now + CHALLENGE_TTL_MS);
+}
+
+/**
+ * Atomically claim a challenge by its EXACT bytes + type. This is a single
+ * DELETE ... RETURNING statement that runs BEFORE any async verification, so a
+ * concurrent double-submit of the same assertion can never spend one challenge
+ * twice (the replay window a SELECT→await→DELETE ordering would open).
+ */
+function claimChallenge(challenge: string, type: 'registration' | 'authentication', now: number): { user_id: number | null } | null {
+  const row = db.prepare(
+    'DELETE FROM webauthn_challenges WHERE challenge = ? AND type = ? AND expires_at > ? RETURNING user_id',
+  ).get(challenge, type, now) as { user_id: number | null } | undefined;
+  return row ?? null;
+}
+
+/** Decode the challenge the authenticator echoed back inside clientDataJSON. */
+function challengeFromResponse(resp: unknown): string | null {
+  try {
+    const cdj = (resp as { response?: { clientDataJSON?: unknown } })?.response?.clientDataJSON;
+    if (typeof cdj !== 'string') return null;
+    const parsed = JSON.parse(Buffer.from(cdj, 'base64url').toString('utf8')) as { challenge?: unknown };
+    return typeof parsed.challenge === 'string' ? parsed.challenge : null;
+  } catch {
+    return null;
+  }
+}
+
+function parseTransports(raw: string | null): AuthenticatorTransportFuture[] | undefined {
+  if (!raw) return undefined;
+  try {
+    const parsed = JSON.parse(raw);
+    return Array.isArray(parsed) ? (parsed as AuthenticatorTransportFuture[]) : undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+function sanitizeName(raw: unknown): string | null {
+  if (typeof raw !== 'string') return null;
+  const trimmed = raw.trim().slice(0, 60);
+  return trimmed || null;
+}
+
+function defaultCredentialName(deviceType: string | undefined): string {
+  return deviceType === 'multiDevice' ? 'Passkey (synced)' : 'Passkey';
+}
+
+// ---------------------------------------------------------------------------
+// Registration (authenticated — from Settings, password re-auth required)
+// ---------------------------------------------------------------------------
+
+export async function passkeyRegisterOptions(
+  userId: number,
+  password: string | undefined,
+): Promise<{ error?: string; status?: number; options?: Awaited<ReturnType<typeof generateRegistrationOptions>> }> {
+  const cfg = resolveWebauthnConfig();
+  if (!cfg) return { ...NOT_CONFIGURED };
+
+  const user = db.prepare('SELECT * FROM users WHERE id = ?').get(userId) as User | undefined;
+  if (!user) return { error: 'User not found', status: 404 };
+
+  // Re-authentication: a hijacked session must not be able to silently plant an
+  // attacker-controlled passkey. Require the current password (parity with the
+  // change-password / disable-MFA step-up).
+  if (!password || !user.password_hash || !bcrypt.compareSync(password, user.password_hash)) {
+    return { error: 'Incorrect password', status: 401 };
+  }
+
+  const existing = db.prepare('SELECT credential_id, transports FROM webauthn_credentials WHERE user_id = ?')
+    .all(userId) as { credential_id: string; transports: string | null }[];
+
+  const now = Date.now();
+  purgeExpiredChallenges(now);
+
+  const options = await generateRegistrationOptions({
+    rpName: cfg.rpName,
+    rpID: cfg.rpID,
+    userName: user.email,
+    userDisplayName: user.username,
+    userID: new TextEncoder().encode(String(user.id)),
+    attestationType: 'none',
+    // Stop the same authenticator from enrolling twice on this account.
+    excludeCredentials: existing.map((c) => ({ id: c.credential_id, transports: parseTransports(c.transports) })),
+    authenticatorSelection: { residentKey: 'preferred', userVerification: 'required' },
+    supportedAlgorithmIDs: SUPPORTED_ALGORITHM_IDS,
+  });
+
+  storeChallenge(options.challenge, userId, 'registration', now);
+  return { options };
+}
+
+export async function passkeyRegisterVerify(
+  userId: number,
+  body: { attestationResponse?: unknown; name?: unknown },
+): Promise<{ error?: string; status?: number; success?: boolean; credential?: unknown }> {
+  const cfg = resolveWebauthnConfig();
+  if (!cfg) return { ...NOT_CONFIGURED };
+
+  const resp = body?.attestationResponse;
+  if (!resp) return { error: 'Invalid registration response', status: 400 };
+
+  const challenge = challengeFromResponse(resp);
+  if (!challenge) return { error: 'Invalid registration response', status: 400 };
+
+  const now = Date.now();
+  const claimed = claimChallenge(challenge, 'registration', now);
+  if (!claimed || claimed.user_id !== userId) {
+    return { error: 'Registration challenge expired. Please try again.', status: 400 };
+  }
+
+  let verification;
+  try {
+    verification = await verifyRegistrationResponse({
+      response: resp as Parameters<typeof verifyRegistrationResponse>[0]['response'],
+      expectedChallenge: challenge,
+      expectedOrigin: cfg.origins,
+      expectedRPID: cfg.rpID,
+      requireUserVerification: true,
+    });
+  } catch {
+    return { error: 'Could not register this passkey.', status: 400 };
+  }
+
+  if (!verification.verified || !verification.registrationInfo) {
+    return { error: 'Could not register this passkey.', status: 400 };
+  }
+
+  // Persist ONLY the values the verifier vouches for — never anything parsed
+  // from the raw client payload.
+  const { credential, credentialDeviceType, credentialBackedUp, aaguid } = verification.registrationInfo;
+
+  if (db.prepare('SELECT id FROM webauthn_credentials WHERE credential_id = ?').get(credential.id)) {
+    return { error: 'This passkey is already registered.', status: 409 };
+  }
+
+  const name = sanitizeName(body?.name) || defaultCredentialName(credentialDeviceType);
+  try {
+    db.prepare(
+      `INSERT INTO webauthn_credentials
+         (user_id, credential_id, public_key, counter, transports, device_type, backed_up, name, aaguid, last_used_at)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL)`,
+    ).run(
+      userId,
+      credential.id,
+      Buffer.from(credential.publicKey),
+      credential.counter ?? 0,
+      credential.transports ? JSON.stringify(credential.transports) : null,
+      credentialDeviceType ?? null,
+      credentialBackedUp ? 1 : 0,
+      name,
+      aaguid ?? null,
+    );
+  } catch {
+    return { error: 'Could not register this passkey.', status: 400 };
+  }
+
+  const created = db.prepare(
+    'SELECT id, name, device_type, backed_up, created_at, last_used_at FROM webauthn_credentials WHERE credential_id = ?',
+  ).get(credential.id) as { backed_up: number } & Record<string, unknown>;
+  return { success: true, credential: { ...created, backed_up: created.backed_up === 1 } };
+}
+
+// ---------------------------------------------------------------------------
+// Authentication (public — primary, discoverable-credential login)
+// ---------------------------------------------------------------------------
+
+export async function passkeyLoginOptions(): Promise<{
+  error?: string;
+  status?: number;
+  options?: Awaited<ReturnType<typeof generateAuthenticationOptions>>;
+}> {
+  const cfg = resolveWebauthnConfig();
+  if (!cfg) return { ...NOT_CONFIGURED };
+
+  const now = Date.now();
+  purgeExpiredChallenges(now);
+
+  const options = await generateAuthenticationOptions({
+    rpID: cfg.rpID,
+    userVerification: 'required',
+    // Empty allowCredentials → discoverable flow. The server never echoes which
+    // accounts have passkeys, so the endpoint can't be used to enumerate users.
+  });
+
+  storeChallenge(options.challenge, null, 'authentication', now);
+  return { options };
+}
+
+export async function passkeyLoginVerify(body: { assertionResponse?: unknown }): Promise<{
+  error?: string;
+  status?: number;
+  token?: string;
+  user?: Record<string, unknown>;
+  auditUserId?: number | null;
+  auditAction?: string;
+}> {
+  const cfg = resolveWebauthnConfig();
+  if (!cfg) return { ...NOT_CONFIGURED };
+
+  const resp = body?.assertionResponse;
+  if (!resp) return { ...AUTH_FAILED };
+
+  const challenge = challengeFromResponse(resp);
+  if (!challenge) return { ...AUTH_FAILED };
+
+  // Claim the challenge (single-use) BEFORE looking anything up or verifying.
+  const now = Date.now();
+  if (!claimChallenge(challenge, 'authentication', now)) return { ...AUTH_FAILED };
+
+  const credId = (resp as { id?: unknown; rawId?: unknown }).id ?? (resp as { rawId?: unknown }).rawId;
+  if (typeof credId !== 'string') return { ...AUTH_FAILED };
+
+  const cred = db.prepare('SELECT * FROM webauthn_credentials WHERE credential_id = ?').get(credId) as CredentialRow | undefined;
+  if (!cred) return { ...AUTH_FAILED };
+
+  let verification;
+  try {
+    verification = await verifyAuthenticationResponse({
+      response: resp as Parameters<typeof verifyAuthenticationResponse>[0]['response'],
+      expectedChallenge: challenge,
+      expectedOrigin: cfg.origins,
+      expectedRPID: cfg.rpID,
+      requireUserVerification: true,
+      credential: {
+        id: cred.credential_id,
+        publicKey: new Uint8Array(cred.public_key),
+        counter: cred.counter,
+        transports: parseTransports(cred.transports),
+      },
+    });
+  } catch {
+    return { ...AUTH_FAILED };
+  }
+
+  if (!verification.verified) return { ...AUTH_FAILED };
+
+  const { newCounter } = verification.authenticationInfo;
+  // Clone detection only makes sense for authenticators that actually increment.
+  // Synced passkeys legitimately report a counter that stays 0 — never treat
+  // that as a clone. A regression from a previously NON-ZERO counter rejects
+  // THIS assertion (and is audited) but does not disable the credential.
+  if (cred.counter > 0 && newCounter <= cred.counter) {
+    return { ...AUTH_FAILED, auditUserId: cred.user_id, auditAction: 'user.passkey_clone_suspected' };
+  }
+
+  const user = db.prepare('SELECT * FROM users WHERE id = ?').get(cred.user_id) as User | undefined;
+  if (!user) return { ...AUTH_FAILED };
+
+  // Persist the new counter + last-used and bump login bookkeeping atomically.
+  db.transaction(() => {
+    db.prepare('UPDATE webauthn_credentials SET counter = ?, last_used_at = CURRENT_TIMESTAMP WHERE id = ?').run(newCounter, cred.id);
+    db.prepare('UPDATE users SET last_login = CURRENT_TIMESTAMP, login_count = login_count + 1 WHERE id = ?').run(user.id);
+  })();
+
+  // A user-verified passkey is phishing-resistant and inherently two-factor
+  // (device possession + biometric/PIN), so it mints the real session directly
+  // — the SAME path as password and OIDC login (no new token shape).
+  const token = generateToken(user);
+  const userSafe = stripUserForClient(user) as Record<string, unknown>;
+  return { token, user: { ...userSafe, avatar_url: avatarUrl(user) }, auditUserId: Number(user.id) };
+}
+
+// ---------------------------------------------------------------------------
+// Management (authenticated, owner-scoped)
+// ---------------------------------------------------------------------------
+
+export function listPasskeys(userId: number): Array<Record<string, unknown>> {
+  const rows = db.prepare(
+    'SELECT id, name, device_type, backed_up, created_at, last_used_at FROM webauthn_credentials WHERE user_id = ? ORDER BY created_at DESC',
+  ).all(userId) as Array<{ backed_up: number } & Record<string, unknown>>;
+  return rows.map((r) => ({ ...r, backed_up: r.backed_up === 1 }));
+}
+
+export function renamePasskey(userId: number, id: string, name: unknown): { error?: string; status?: number; success?: boolean } {
+  const cleanName = sanitizeName(name);
+  if (!cleanName) return { error: 'Name is required', status: 400 };
+  // Ownership enforced in SQL (404 on miss, never a 403 that leaks existence).
+  const result = db.prepare('UPDATE webauthn_credentials SET name = ? WHERE id = ? AND user_id = ?').run(cleanName, Number(id), userId);
+  if (result.changes === 0) return { error: 'Passkey not found', status: 404 };
+  return { success: true };
+}
+
+export function deletePasskey(
+  userId: number,
+  id: string,
+  password: string | undefined,
+): { error?: string; status?: number; success?: boolean } {
+  // Re-auth before removing a credential (a hijacked session must not be able to
+  // strip the victim's passkeys). Deleting is always allowed because every
+  // account keeps a usable password as recovery fallback — losing all passkeys
+  // can never lock anyone out.
+  const user = db.prepare('SELECT password_hash FROM users WHERE id = ?').get(userId) as { password_hash: string } | undefined;
+  if (!user || !user.password_hash || !password || !bcrypt.compareSync(password, user.password_hash)) {
+    return { error: 'Incorrect password', status: 401 };
+  }
+  const result = db.prepare('DELETE FROM webauthn_credentials WHERE id = ? AND user_id = ?').run(Number(id), userId);
+  if (result.changes === 0) return { error: 'Passkey not found', status: 404 };
+  return { success: true };
+}
+
+/** Admin: clear all of a user's passkeys (e.g. on suspected compromise). */
+export function adminResetPasskeys(targetUserId: number): { error?: string; status?: number; success?: boolean; deleted?: number; email?: string } {
+  const target = db.prepare('SELECT id, email FROM users WHERE id = ?').get(targetUserId) as { id: number; email: string } | undefined;
+  if (!target) return { error: 'User not found', status: 404 };
+  const result = db.prepare('DELETE FROM webauthn_credentials WHERE user_id = ?').run(targetUserId);
+  return { success: true, deleted: result.changes, email: target.email };
+}
@@ -0,0 +1,85 @@
+import { db } from '../db/database';
+import { getAppUrl } from './notifications';
+
+/**
+ * Resolves the WebAuthn Relying Party ID + allowed origins for this deployment.
+ *
+ * SECURITY: the RP ID and the allowed origins are derived ONLY from server-side
+ * configuration — the `webauthn_rp_id` / `webauthn_origins` admin settings (or
+ * the matching env vars), falling back to APP_URL. They are NEVER taken from the
+ * request `Host` / `X-Forwarded-Host` header: a forged forwarded host would
+ * otherwise let an attacker bind credentials to a domain they control, or brick
+ * every enrolled user. This mirrors how OIDC derives its redirect URI from
+ * APP_URL (oidc.controller.ts) rather than from request input.
+ *
+ * Returns null when no usable RP ID can be resolved (bare IP host, or nothing
+ * configured) — the feature then reports itself as "not configured" and stays
+ * disabled so nobody can enrol a credential bound to the wrong origin.
+ */
+
+function getSetting(key: string): string | null {
+  const raw = (db.prepare('SELECT value FROM app_settings WHERE key = ?').get(key) as { value: string } | undefined)?.value;
+  const trimmed = raw?.trim();
+  return trimmed ? trimmed : null;
+}
+
+function hostOf(url: string): string | null {
+  try {
+    return new URL(url).hostname || null;
+  } catch {
+    return null;
+  }
+}
+
+/** WebAuthn RP IDs must be registrable domains — never bare IP literals. */
+function isIpHost(host: string): boolean {
+  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return true; // IPv4
+  if (host.includes(':')) return true; // IPv6 (hostname keeps the colons)
+  return false;
+}
+
+export interface WebauthnConfig {
+  rpID: string;
+  rpName: string;
+  /** Exact allowed origins (scheme + host + port). One in prod; localhost dev adds the Vite/API ports. */
+  origins: string[];
+}
+
+export function resolveWebauthnConfig(): WebauthnConfig | null {
+  // 1. Explicit operator config always wins.
+  const explicitRpId = (process.env.WEBAUTHN_RP_ID || getSetting('webauthn_rp_id'))?.trim() || null;
+  const explicitOrigins = (process.env.WEBAUTHN_ORIGINS || getSetting('webauthn_origins') || '')
+    .split(',')
+    .map((o) => o.trim().replace(/\/+$/, ''))
+    .filter(Boolean);
+
+  const appUrl = getAppUrl();
+  const appHost = hostOf(appUrl);
+
+  // 2. Derive the RP ID from APP_URL when not explicitly set.
+  let rpID = explicitRpId;
+  if (!rpID && appHost && !isIpHost(appHost)) {
+    rpID = appHost; // a real domain, or "localhost"
+  }
+  if (!rpID) return null; // bare IP / unresolved → WebAuthn cannot be used here
+
+  // 3. Resolve the allowed origins. Explicit list wins verbatim (operator's
+  //    responsibility). Otherwise derive a SINGLE origin from APP_URL — we never
+  //    silently union dev localhost origins into a production allow-list.
+  let origins = explicitOrigins;
+  if (origins.length === 0) {
+    if (appHost) origins = [appUrl.replace(/\/+$/, '')];
+    if (rpID === 'localhost') {
+      // Dev: the browser origin is the Vite dev server (:5173), not the API port.
+      origins = Array.from(new Set([...origins, 'http://localhost:5173', 'http://localhost:3001']));
+    }
+  }
+  if (origins.length === 0) return null;
+
+  return { rpID, rpName: 'TREK', origins };
+}
+
+/** True when a usable RP ID resolves for this deployment (exposed as a pure boolean on app-config). */
+export function isPasskeyConfigured(): boolean {
+  return resolveWebauthnConfig() !== null;
+}
@@ -0,0 +1,103 @@
+/**
+ * webauthnConfig.test.ts
+ *
+ * The RP-ID / allowed-origin resolver is the single highest-risk piece of the
+ * passkey feature: a wrong RP ID permanently bricks every enrolled credential.
+ * These tests pin the security-relevant rules — config wins over APP_URL, bare
+ * IPs are rejected, localhost dev uses the browser (Vite) origin, and the
+ * resolver NEVER reads request headers.
+ */
+
+const { settingsStore, appUrlRef } = vi.hoisted(() => ({
+  settingsStore: new Map<string, string>(),
+  appUrlRef: { value: '' },
+}));
+
+vi.mock('../../../src/db/database', () => ({
+  db: {
+    prepare: (_sql: string) => ({
+      get: (key: string) => {
+        const v = settingsStore.get(key);
+        return v === undefined ? undefined : { value: v };
+      },
+    }),
+  },
+}));
+
+vi.mock('../../../src/services/notifications', () => ({
+  getAppUrl: () => appUrlRef.value,
+}));
+
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import { resolveWebauthnConfig, isPasskeyConfigured } from '../../../src/services/webauthnConfig';
+
+beforeEach(() => {
+  settingsStore.clear();
+  appUrlRef.value = '';
+});
+
+afterEach(() => {
+  vi.unstubAllEnvs();
+});
+
+describe('resolveWebauthnConfig', () => {
+  it('WAC-001: derives the RP ID and single origin from a real APP_URL domain', () => {
+    appUrlRef.value = 'https://trek.example.org';
+    const cfg = resolveWebauthnConfig();
+    expect(cfg).not.toBeNull();
+    expect(cfg!.rpID).toBe('trek.example.org');
+    expect(cfg!.origins).toEqual(['https://trek.example.org']);
+    expect(isPasskeyConfigured()).toBe(true);
+  });
+
+  it('WAC-002: returns null for a bare-IP host (IPs are not valid RP IDs)', () => {
+    appUrlRef.value = 'http://192.168.1.50:3001';
+    expect(resolveWebauthnConfig()).toBeNull();
+    expect(isPasskeyConfigured()).toBe(false);
+  });
+
+  it('WAC-003: returns null when nothing is configured', () => {
+    expect(resolveWebauthnConfig()).toBeNull();
+    expect(isPasskeyConfigured()).toBe(false);
+  });
+
+  it('WAC-004: localhost dev uses the browser (Vite :5173) origin, not just the API port', () => {
+    appUrlRef.value = 'http://localhost:3001';
+    const cfg = resolveWebauthnConfig();
+    expect(cfg!.rpID).toBe('localhost');
+    expect(cfg!.origins).toContain('http://localhost:5173');
+    expect(cfg!.origins).toContain('http://localhost:3001');
+  });
+
+  it('WAC-005: an explicit webauthn_rp_id app-setting overrides APP_URL', () => {
+    appUrlRef.value = 'https://internal.example.org';
+    settingsStore.set('webauthn_rp_id', 'public.example.org');
+    settingsStore.set('webauthn_origins', 'https://public.example.org');
+    const cfg = resolveWebauthnConfig();
+    expect(cfg!.rpID).toBe('public.example.org');
+    expect(cfg!.origins).toEqual(['https://public.example.org']);
+  });
+
+  it('WAC-006: webauthn_origins is parsed as a comma-separated, trimmed list', () => {
+    settingsStore.set('webauthn_rp_id', 'example.org');
+    settingsStore.set('webauthn_origins', 'https://a.example.org , https://b.example.org/');
+    const cfg = resolveWebauthnConfig();
+    expect(cfg!.origins).toEqual(['https://a.example.org', 'https://b.example.org']);
+  });
+
+  it('WAC-007: the WEBAUTHN_RP_ID env var takes priority', () => {
+    vi.stubEnv('WEBAUTHN_RP_ID', 'env.example.org');
+    vi.stubEnv('WEBAUTHN_ORIGINS', 'https://env.example.org');
+    appUrlRef.value = 'https://ignored.example.org';
+    const cfg = resolveWebauthnConfig();
+    expect(cfg!.rpID).toBe('env.example.org');
+    expect(cfg!.origins).toEqual(['https://env.example.org']);
+  });
+
+  it('WAC-008: a configured RP ID with no origins falls back to the APP_URL origin', () => {
+    appUrlRef.value = 'https://trek.example.org';
+    settingsStore.set('webauthn_rp_id', 'trek.example.org');
+    const cfg = resolveWebauthnConfig();
+    expect(cfg!.origins).toEqual(['https://trek.example.org']);
+  });
+});
@@ -341,5 +341,24 @@ const admin: TranslationStrings = {
  'admin.addons.catalog.journey.name': 'Journey', // en-fallback
  'admin.addons.catalog.journey.description':
    'Trip tracking & travel journal with check-ins, photos, and daily stories', // en-fallback
+  'admin.passkey.title': 'تسجيل الدخول بمفتاح المرور',
+  'admin.passkey.cardHint':
+    'اسمح للمستخدمين بتسجيل الدخول باستخدام مفاتيح المرور (WebAuthn). معطّل افتراضيًا.',
+  'admin.passkey.login': 'تفعيل تسجيل الدخول بمفتاح المرور',
+  'admin.passkey.loginHint':
+    'إظهار خيار "تسجيل الدخول باستخدام مفتاح المرور" والسماح للمستخدمين بتسجيل مفاتيح المرور في إعداداتهم.',
+  'admin.passkey.notConfigured':
+    'لا يوجد نطاق WebAuthn صالح لهذا التثبيت بعد. عيّن APP_URL أو Relying Party ID أدناه — تبقى مفاتيح المرور مخفية حتى ذلك الحين.',
+  'admin.passkey.rpId': 'Relying Party ID (النطاق)',
+  'admin.passkey.rpIdHint':
+    'النطاق المجرّد الذي تُربط به مفاتيح المرور، مثل trek.example.org. اتركه فارغًا لاشتقاقه من APP_URL. تغييره لاحقًا يُبطل مفاتيح المرور الموجودة.',
+  'admin.passkey.origins': 'الأصول المسموح بها',
+  'admin.passkey.originsHint':
+    'أصول كاملة مفصولة بفواصل، مثل https://trek.example.org. اتركه فارغًا لاستخدام APP_URL.',
+  'admin.passkey.reset': 'إعادة تعيين مفاتيح المرور',
+  'admin.passkey.resetHint':
+    'إزالة جميع مفاتيح المرور لهذا المستخدم (مثلًا عند فقدان جهاز). سيظل بإمكانه تسجيل الدخول بكلمة المرور.',
+  'admin.passkey.resetConfirm': 'إزالة جميع مفاتيح المرور لـ {name}؟',
+  'admin.passkey.resetDone': 'تمت إزالة {count} من مفاتيح المرور',
 };
 export default admin;
@@ -88,5 +88,7 @@ const login: TranslationStrings = {
    'هذا الرابط مفقود أو تالف. اطلب رابطًا جديدًا للمتابعة.',
  'login.resetPasswordFailed': 'فشلت إعادة التعيين. ربما انتهت صلاحية الرابط.',
  'login.emailPlaceholder': 'your@email.com', // en-fallback
+  'login.passkey.signIn': 'تسجيل الدخول باستخدام مفتاح المرور',
+  'login.passkey.failed': 'فشل تسجيل الدخول بمفتاح المرور. يرجى المحاولة مرة أخرى.',
 };
 export default login;
@@ -290,6 +290,30 @@ const settings: TranslationStrings = {
  'settings.about.supporter.tier.hostelBunkmate': 'Hostel Bunkmate', // en-fallback
  "settings.currency": "Currency",
  "settings.currencyHint": "All amounts in Costs are converted to and shown in this currency.",
+  'settings.passkey.title': 'مفاتيح المرور',
+  'settings.passkey.description':
+    'سجّل الدخول بشكل أسرع وأكثر مقاومة للتصيّد باستخدام مفتاح مرور — ببصمة إصبعك أو وجهك أو رمز PIN أو مفتاح أمان مادي. تبقى كلمة المرور كنسخة احتياطية.',
+  'settings.passkey.notConfigured':
+    'مفاتيح المرور مفعّلة لكنها لم تُهيّأ بالكامل على هذا الخادم بعد. اطلب من المسؤول تعيين نطاق WebAuthn.',
+  'settings.passkey.add': 'إضافة مفتاح مرور',
+  'settings.passkey.addTitle': 'إضافة مفتاح مرور',
+  'settings.passkey.passwordPrompt':
+    'أكّد كلمة المرور الحالية، ثم اتبع التعليمات على جهازك.',
+  'settings.passkey.passwordRequired': 'كلمة المرور الحالية مطلوبة.',
+  'settings.passkey.namePlaceholder': 'الاسم (اختياري، مثل "iPhone")',
+  'settings.passkey.addedToast': 'تمت إضافة مفتاح المرور',
+  'settings.passkey.added': 'تمت الإضافة',
+  'settings.passkey.addError': 'تعذّرت إضافة مفتاح المرور',
+  'settings.passkey.cancelled': 'تم إلغاء إعداد مفتاح المرور',
+  'settings.passkey.deleted': 'تمت إزالة مفتاح المرور',
+  'settings.passkey.deleteConfirm':
+    'إزالة مفتاح المرور هذا؟ أكّد بكلمة المرور الخاصة بك.',
+  'settings.passkey.rename': 'إعادة التسمية',
+  'settings.passkey.defaultName': 'مفتاح المرور',
+  'settings.passkey.synced': 'متزامن',
+  'settings.passkey.deviceBound': 'هذا الجهاز',
+  'settings.passkey.lastUsed': 'آخر استخدام',
+  'settings.passkey.neverUsed': 'لم يُستخدم قط',
 };

 export default settings;
@@ -363,5 +363,24 @@ const admin: TranslationStrings = {
  'admin.addons.catalog.journey.name': 'Jornada',
  'admin.addons.catalog.journey.description':
    'Rastreamento de viagens e diário de viajante com check-ins, fotos e histórias diárias',
+  'admin.passkey.title': 'Login com passkey',
+  'admin.passkey.cardHint':
+    'Permite que os usuários entrem com passkeys (WebAuthn). Desativado por padrão.',
+  'admin.passkey.login': 'Ativar login com passkey',
+  'admin.passkey.loginHint':
+    'Mostra a opção "Entrar com uma passkey" e permite que os usuários cadastrem passkeys nas configurações.',
+  'admin.passkey.notConfigured':
+    'Nenhum domínio WebAuthn é resolvido para esta instalação ainda. Defina APP_URL ou o Relying Party ID abaixo — as passkeys ficam ocultas até lá.',
+  'admin.passkey.rpId': 'Relying Party ID (domínio)',
+  'admin.passkey.rpIdHint':
+    'O domínio puro ao qual as passkeys ficam vinculadas, ex.: trek.example.org. Deixe vazio para derivá-lo de APP_URL. Alterá-lo depois invalida as passkeys existentes.',
+  'admin.passkey.origins': 'Origens permitidas',
+  'admin.passkey.originsHint':
+    'Origens completas separadas por vírgula, ex.: https://trek.example.org. Deixe vazio para usar APP_URL.',
+  'admin.passkey.reset': 'Redefinir passkeys',
+  'admin.passkey.resetHint':
+    'Remove todas as passkeys deste usuário (ex.: em caso de perda do dispositivo). Ele ainda poderá entrar com a senha.',
+  'admin.passkey.resetConfirm': 'Remover todas as passkeys de {name}?',
+  'admin.passkey.resetDone': 'Removida(s) {count} passkey(s)',
 };
 export default admin;
@@ -91,5 +91,8 @@ const login: TranslationStrings = {
    'Este link está ausente ou corrompido. Solicite um novo para continuar.',
  'login.resetPasswordFailed':
    'Falha na redefinição. O link pode ter expirado.',
+  'login.passkey.signIn': 'Entrar com uma passkey',
+  'login.passkey.failed':
+    'Falha ao entrar com passkey. Tente novamente.',
 };
 export default login;
@@ -296,6 +296,30 @@ const settings: TranslationStrings = {
  'settings.notificationPreferences.ntfy': 'Ntfy',
  "settings.currency": "Currency",
  "settings.currencyHint": "All amounts in Costs are converted to and shown in this currency.",
+  'settings.passkey.title': 'Passkeys',
+  'settings.passkey.description':
+    'Entre mais rápido e com proteção contra phishing usando uma passkey — sua impressão digital, rosto, PIN ou uma chave de segurança física. Sua senha continua disponível como reserva.',
+  'settings.passkey.notConfigured':
+    'As passkeys estão ativadas, mas ainda não foram totalmente configuradas neste servidor. Peça ao administrador para definir o domínio WebAuthn.',
+  'settings.passkey.add': 'Adicionar uma passkey',
+  'settings.passkey.addTitle': 'Adicionar uma passkey',
+  'settings.passkey.passwordPrompt':
+    'Confirme sua senha atual e depois siga as instruções do seu dispositivo.',
+  'settings.passkey.passwordRequired': 'A senha atual é obrigatória.',
+  'settings.passkey.namePlaceholder': 'Nome (opcional, ex.: "iPhone")',
+  'settings.passkey.addedToast': 'Passkey adicionada',
+  'settings.passkey.added': 'Adicionada',
+  'settings.passkey.addError': 'Não foi possível adicionar a passkey',
+  'settings.passkey.cancelled': 'Configuração da passkey cancelada',
+  'settings.passkey.deleted': 'Passkey removida',
+  'settings.passkey.deleteConfirm':
+    'Remover esta passkey? Confirme com sua senha.',
+  'settings.passkey.rename': 'Renomear',
+  'settings.passkey.defaultName': 'Passkey',
+  'settings.passkey.synced': 'Sincronizada',
+  'settings.passkey.deviceBound': 'Este dispositivo',
+  'settings.passkey.lastUsed': 'Último uso',
+  'settings.passkey.neverUsed': 'Nunca usada',
 };

 export default settings;
@@ -358,5 +358,24 @@ const admin: TranslationStrings = {
  'admin.addons.catalog.journey.name': 'Cestovní deník',
  'admin.addons.catalog.journey.description':
    'Sledování cest a cestovní deník s odbaveními, fotkami a denními příběhy',
+  'admin.passkey.title': 'Přihlášení přístupovým klíčem',
+  'admin.passkey.cardHint':
+    'Umožněte uživatelům přihlašovat se pomocí přístupových klíčů (WebAuthn). Ve výchozím nastavení vypnuto.',
+  'admin.passkey.login': 'Povolit přihlášení přístupovým klíčem',
+  'admin.passkey.loginHint':
+    'Zobrazí možnost „Přihlásit se pomocí přístupového klíče“ a umožní uživatelům zaregistrovat přístupové klíče v nastavení.',
+  'admin.passkey.notConfigured':
+    'Pro toto nasazení zatím nelze určit žádnou doménu WebAuthn. Nastavte níže APP_URL nebo Relying Party ID — do té doby zůstanou přístupové klíče skryté.',
+  'admin.passkey.rpId': 'Relying Party ID (doména)',
+  'admin.passkey.rpIdHint':
+    'Holá doména, ke které jsou přístupové klíče vázány, např. trek.example.org. Ponechte prázdné, aby se odvodila z APP_URL. Pozdější změna zneplatní stávající přístupové klíče.',
+  'admin.passkey.origins': 'Povolené origins',
+  'admin.passkey.originsHint':
+    'Úplné origins oddělené čárkou, např. https://trek.example.org. Ponechte prázdné pro použití APP_URL.',
+  'admin.passkey.reset': 'Resetovat přístupové klíče',
+  'admin.passkey.resetHint':
+    'Odebere všechny přístupové klíče tohoto uživatele (např. při ztrátě zařízení). Stále se může přihlásit svým heslem.',
+  'admin.passkey.resetConfirm': 'Odebrat všechny přístupové klíče uživatele {name}?',
+  'admin.passkey.resetDone': 'Odebráno {count} přístupových klíčů',
 };
 export default admin;
@@ -91,5 +91,8 @@ const login: TranslationStrings = {
  'login.resetPasswordInvalidLinkBody':
    'Odkaz chybí nebo je poškozený. Pro pokračování si vyžádej nový.',
  'login.resetPasswordFailed': 'Obnovení se nezdařilo. Odkaz mohl vypršet.',
+  'login.passkey.signIn': 'Přihlásit se pomocí přístupového klíče',
+  'login.passkey.failed':
+    'Přihlášení přístupovým klíčem se nezdařilo. Zkuste to prosím znovu.',
 };
 export default login;
@@ -297,6 +297,30 @@ const settings: TranslationStrings = {
  'settings.notificationPreferences.ntfy': 'Ntfy',
  "settings.currency": "Currency",
  "settings.currencyHint": "All amounts in Costs are converted to and shown in this currency.",
+  'settings.passkey.title': 'Přístupové klíče',
+  'settings.passkey.description':
+    'Přihlašujte se rychleji a s ochranou proti phishingu pomocí přístupového klíče — otiskem prstu, obličejem, PINem nebo hardwarovým klíčem. Vaše heslo zůstává jako záloha.',
+  'settings.passkey.notConfigured':
+    'Přístupové klíče jsou povoleny, ale na tomto serveru zatím nejsou plně nastaveny. Požádejte správce o nastavení domény WebAuthn.',
+  'settings.passkey.add': 'Přidat přístupový klíč',
+  'settings.passkey.addTitle': 'Přidat přístupový klíč',
+  'settings.passkey.passwordPrompt':
+    'Potvrďte své současné heslo a poté postupujte podle pokynů svého zařízení.',
+  'settings.passkey.passwordRequired': 'Vaše současné heslo je vyžadováno.',
+  'settings.passkey.namePlaceholder': 'Název (volitelné, např. „iPhone“)',
+  'settings.passkey.addedToast': 'Přístupový klíč přidán',
+  'settings.passkey.added': 'Přidáno',
+  'settings.passkey.addError': 'Přístupový klíč se nepodařilo přidat',
+  'settings.passkey.cancelled': 'Nastavení přístupového klíče zrušeno',
+  'settings.passkey.deleted': 'Přístupový klíč odebrán',
+  'settings.passkey.deleteConfirm':
+    'Odebrat tento přístupový klíč? Potvrďte svým heslem.',
+  'settings.passkey.rename': 'Přejmenovat',
+  'settings.passkey.defaultName': 'Přístupový klíč',
+  'settings.passkey.synced': 'Synchronizováno',
+  'settings.passkey.deviceBound': 'Toto zařízení',
+  'settings.passkey.lastUsed': 'Naposledy použito',
+  'settings.passkey.neverUsed': 'Nikdy nepoužito',
 };

 export default settings;
@@ -361,5 +361,24 @@ const admin: TranslationStrings = {
  'admin.addons.catalog.journey.name': 'Journey',
  'admin.addons.catalog.journey.description':
    'Reise-Tracking & Tagebuch mit Check-ins, Fotos und Tagesberichten',
+  'admin.passkey.title': 'Passkey-Anmeldung',
+  'admin.passkey.cardHint':
+    'Erlaube Benutzern die Anmeldung mit Passkeys (WebAuthn). Standardmäßig deaktiviert.',
+  'admin.passkey.login': 'Passkey-Anmeldung aktivieren',
+  'admin.passkey.loginHint':
+    'Zeigt die Option "Mit Passkey anmelden" und erlaubt Benutzern, in ihren Einstellungen Passkeys zu registrieren.',
+  'admin.passkey.notConfigured':
+    'Für diese Installation ist noch keine WebAuthn-Domain auflösbar. Lege unten APP_URL oder die Relying Party ID fest — bis dahin bleiben Passkeys ausgeblendet.',
+  'admin.passkey.rpId': 'Relying Party ID (Domain)',
+  'admin.passkey.rpIdHint':
+    'Die reine Domain, an die Passkeys gebunden sind, z. B. trek.example.org. Leer lassen, um sie aus APP_URL abzuleiten. Eine spätere Änderung macht bestehende Passkeys ungültig.',
+  'admin.passkey.origins': 'Erlaubte Origins',
+  'admin.passkey.originsHint':
+    'Vollständige Origins, durch Komma getrennt, z. B. https://trek.example.org. Leer lassen, um APP_URL zu verwenden.',
+  'admin.passkey.reset': 'Passkeys zurücksetzen',
+  'admin.passkey.resetHint':
+    'Entfernt alle Passkeys dieses Benutzers (z. B. bei einem verlorenen Gerät). Die Anmeldung mit Passwort bleibt weiterhin möglich.',
+  'admin.passkey.resetConfirm': 'Alle Passkeys von {name} entfernen?',
+  'admin.passkey.resetDone': '{count} Passkey(s) entfernt',
 };
 export default admin;
@@ -94,5 +94,8 @@ const login: TranslationStrings = {
    'Dieser Link fehlt oder ist beschädigt. Fordere einen neuen an, um fortzufahren.',
  'login.resetPasswordFailed':
    'Zurücksetzen fehlgeschlagen. Der Link ist möglicherweise abgelaufen.',
+  'login.passkey.signIn': 'Mit Passkey anmelden',
+  'login.passkey.failed':
+    'Anmeldung mit Passkey fehlgeschlagen. Bitte erneut versuchen.',
 };
 export default login;
@@ -300,6 +300,30 @@ const settings: TranslationStrings = {
  'settings.notificationPreferences.ntfy': 'Ntfy',
  "settings.currency": "Währung",
  "settings.currencyHint": "Alle Beträge in Costs werden in diese Währung umgerechnet und angezeigt.",
+  'settings.passkey.title': 'Passkeys',
+  'settings.passkey.description':
+    'Melde dich schneller und phishing-resistent mit einem Passkey an — per Fingerabdruck, Gesicht, PIN oder Hardware-Schlüssel. Dein Passwort bleibt als Backup erhalten.',
+  'settings.passkey.notConfigured':
+    'Passkeys sind aktiviert, aber auf diesem Server noch nicht vollständig eingerichtet. Bitte deinen Administrator, die WebAuthn-Domain festzulegen.',
+  'settings.passkey.add': 'Passkey hinzufügen',
+  'settings.passkey.addTitle': 'Passkey hinzufügen',
+  'settings.passkey.passwordPrompt':
+    'Bestätige dein aktuelles Passwort und folge dann der Aufforderung deines Geräts.',
+  'settings.passkey.passwordRequired': 'Dein aktuelles Passwort wird benötigt.',
+  'settings.passkey.namePlaceholder': 'Name (optional, z. B. "iPhone")',
+  'settings.passkey.addedToast': 'Passkey hinzugefügt',
+  'settings.passkey.added': 'Hinzugefügt',
+  'settings.passkey.addError': 'Passkey konnte nicht hinzugefügt werden',
+  'settings.passkey.cancelled': 'Passkey-Einrichtung abgebrochen',
+  'settings.passkey.deleted': 'Passkey entfernt',
+  'settings.passkey.deleteConfirm':
+    'Diesen Passkey entfernen? Bestätige mit deinem Passwort.',
+  'settings.passkey.rename': 'Umbenennen',
+  'settings.passkey.defaultName': 'Passkey',
+  'settings.passkey.synced': 'Synchronisiert',
+  'settings.passkey.deviceBound': 'Dieses Gerät',
+  'settings.passkey.lastUsed': 'Zuletzt verwendet',
+  'settings.passkey.neverUsed': 'Noch nie verwendet',
 };

 export default settings;
@@ -354,5 +354,23 @@ const admin: TranslationStrings = {
  'admin.addons.catalog.journey.name': 'Journey',
  'admin.addons.catalog.journey.description':
    'Trip tracking & travel journal with check-ins, photos, and daily stories',
+  'admin.passkey.title': 'Passkey login',
+  'admin.passkey.cardHint': 'Let users sign in with passkeys (WebAuthn). Off by default.',
+  'admin.passkey.login': 'Enable passkey login',
+  'admin.passkey.loginHint':
+    'Show a "Sign in with a passkey" option and let users enrol passkeys in their settings.',
+  'admin.passkey.notConfigured':
+    'No WebAuthn domain resolves for this deployment yet. Set APP_URL or the Relying Party ID below — passkeys stay hidden until then.',
+  'admin.passkey.rpId': 'Relying Party ID (domain)',
+  'admin.passkey.rpIdHint':
+    'The bare domain passkeys are bound to, e.g. trek.example.org. Leave empty to derive it from APP_URL. Changing it later invalidates existing passkeys.',
+  'admin.passkey.origins': 'Allowed origins',
+  'admin.passkey.originsHint':
+    'Comma-separated full origins, e.g. https://trek.example.org. Leave empty to use APP_URL.',
+  'admin.passkey.reset': 'Reset passkeys',
+  'admin.passkey.resetHint':
+    "Remove all of this user's passkeys (e.g. on a lost device). They can still sign in with their password.",
+  'admin.passkey.resetConfirm': 'Remove all passkeys for {name}?',
+  'admin.passkey.resetDone': 'Removed {count} passkey(s)',
 };
 export default admin;
@@ -91,5 +91,7 @@ const login: TranslationStrings = {
  'login.resetPasswordInvalidLinkBody':
    'This link is missing or broken. Request a new one to continue.',
  'login.resetPasswordFailed': 'Reset failed. The link may have expired.',
+  'login.passkey.signIn': 'Sign in with a passkey',
+  'login.passkey.failed': 'Passkey sign-in failed. Please try again.',
 };
 export default login;
@@ -290,6 +290,28 @@ const settings: TranslationStrings = {
  'settings.mfa.demoBlocked': 'Not available in demo mode',
  "settings.currency": "Currency",
  "settings.currencyHint": "All amounts in Costs are converted to and shown in this currency.",
+  'settings.passkey.title': 'Passkeys',
+  'settings.passkey.description':
+    'Sign in faster and phishing-resistant with a passkey — your fingerprint, face, PIN, or a hardware key. Your password stays as a backup.',
+  'settings.passkey.notConfigured':
+    'Passkeys are enabled but not fully configured on this server yet. Ask your administrator to set the WebAuthn domain.',
+  'settings.passkey.add': 'Add a passkey',
+  'settings.passkey.addTitle': 'Add a passkey',
+  'settings.passkey.passwordPrompt': 'Confirm your current password, then follow your device prompt.',
+  'settings.passkey.passwordRequired': 'Your current password is required.',
+  'settings.passkey.namePlaceholder': 'Name (optional, e.g. "iPhone")',
+  'settings.passkey.addedToast': 'Passkey added',
+  'settings.passkey.added': 'Added',
+  'settings.passkey.addError': 'Could not add passkey',
+  'settings.passkey.cancelled': 'Passkey setup cancelled',
+  'settings.passkey.deleted': 'Passkey removed',
+  'settings.passkey.deleteConfirm': 'Remove this passkey? Confirm with your password.',
+  'settings.passkey.rename': 'Rename',
+  'settings.passkey.defaultName': 'Passkey',
+  'settings.passkey.synced': 'Synced',
+  'settings.passkey.deviceBound': 'This device',
+  'settings.passkey.lastUsed': 'Last used',
+  'settings.passkey.neverUsed': 'Never used',
 };

 export default settings;
@@ -369,5 +369,24 @@ const admin: TranslationStrings = {
  'admin.addons.catalog.journey.name': 'Travesía',
  'admin.addons.catalog.journey.description':
    'Seguimiento de viajes y diario de viajero con registros de ubicación, fotos e historias diarias',
+  'admin.passkey.title': 'Inicio de sesión con passkey',
+  'admin.passkey.cardHint':
+    'Permite que los usuarios inicien sesión con passkeys (WebAuthn). Desactivado de forma predeterminada.',
+  'admin.passkey.login': 'Activar inicio de sesión con passkey',
+  'admin.passkey.loginHint':
+    'Muestra una opción "Iniciar sesión con una passkey" y permite a los usuarios registrar passkeys en sus ajustes.',
+  'admin.passkey.notConfigured':
+    'Aún no se resuelve ningún dominio de WebAuthn para esta instalación. Define APP_URL o el Relying Party ID a continuación: las passkeys permanecerán ocultas hasta entonces.',
+  'admin.passkey.rpId': 'Relying Party ID (dominio)',
+  'admin.passkey.rpIdHint':
+    'El dominio puro al que se vinculan las passkeys, p. ej. trek.example.org. Déjalo vacío para derivarlo de APP_URL. Cambiarlo más adelante invalida las passkeys existentes.',
+  'admin.passkey.origins': 'Orígenes permitidos',
+  'admin.passkey.originsHint':
+    'Orígenes completos separados por comas, p. ej. https://trek.example.org. Déjalo vacío para usar APP_URL.',
+  'admin.passkey.reset': 'Restablecer passkeys',
+  'admin.passkey.resetHint':
+    'Elimina todas las passkeys de este usuario (p. ej. tras perder un dispositivo). Aún podrá iniciar sesión con su contraseña.',
+  'admin.passkey.resetConfirm': '¿Eliminar todas las passkeys de {name}?',
+  'admin.passkey.resetDone': 'Se eliminaron {count} passkey(s)',
 };
 export default admin;
@@ -95,5 +95,8 @@ const login: TranslationStrings = {
    'La autenticación por contraseña está desactivada. Por favor, inicia sesión con tu proveedor SSO.',
  'login.oidcLoggedOut':
    'Has cerrado sesión. Vuelve a iniciar sesión con tu proveedor SSO.',
+  'login.passkey.signIn': 'Iniciar sesión con una passkey',
+  'login.passkey.failed':
+    'Error al iniciar sesión con la passkey. Inténtalo de nuevo.',
 };
 export default login;
@@ -297,6 +297,30 @@ const settings: TranslationStrings = {
  'settings.notificationPreferences.ntfy': 'Ntfy',
  "settings.currency": "Currency",
  "settings.currencyHint": "All amounts in Costs are converted to and shown in this currency.",
+  'settings.passkey.title': 'Passkeys',
+  'settings.passkey.description':
+    'Inicia sesión más rápido y con protección frente al phishing usando una passkey: tu huella, tu cara, tu PIN o una llave de seguridad física. Tu contraseña sigue disponible como respaldo.',
+  'settings.passkey.notConfigured':
+    'Las passkeys están habilitadas, pero aún no están del todo configuradas en este servidor. Pide a tu administrador que defina el dominio de WebAuthn.',
+  'settings.passkey.add': 'Añadir una passkey',
+  'settings.passkey.addTitle': 'Añadir una passkey',
+  'settings.passkey.passwordPrompt':
+    'Confirma tu contraseña actual y luego sigue las indicaciones de tu dispositivo.',
+  'settings.passkey.passwordRequired': 'Se requiere tu contraseña actual.',
+  'settings.passkey.namePlaceholder': 'Nombre (opcional, p. ej. "iPhone")',
+  'settings.passkey.addedToast': 'Passkey añadida',
+  'settings.passkey.added': 'Añadida',
+  'settings.passkey.addError': 'No se pudo añadir la passkey',
+  'settings.passkey.cancelled': 'Configuración de la passkey cancelada',
+  'settings.passkey.deleted': 'Passkey eliminada',
+  'settings.passkey.deleteConfirm':
+    '¿Eliminar esta passkey? Confírmalo con tu contraseña.',
+  'settings.passkey.rename': 'Renombrar',
+  'settings.passkey.defaultName': 'Passkey',
+  'settings.passkey.synced': 'Sincronizada',
+  'settings.passkey.deviceBound': 'Este dispositivo',
+  'settings.passkey.lastUsed': 'Último uso',
+  'settings.passkey.neverUsed': 'Nunca usada',
 };

 export default settings;
@@ -369,5 +369,24 @@ const admin: TranslationStrings = {
  'admin.addons.catalog.journey.name': 'Journal de voyage',
  'admin.addons.catalog.journey.description':
    'Suivi de voyages et journal avec check-ins, photos et récits quotidiens',
+  'admin.passkey.title': 'Connexion par passkey',
+  'admin.passkey.cardHint':
+    'Permettez aux utilisateurs de se connecter avec des passkeys (WebAuthn). Désactivé par défaut.',
+  'admin.passkey.login': 'Activer la connexion par passkey',
+  'admin.passkey.loginHint':
+    'Affiche une option « Se connecter avec une passkey » et permet aux utilisateurs d\'enregistrer des passkeys dans leurs paramètres.',
+  'admin.passkey.notConfigured':
+    "Aucun domaine WebAuthn ne peut encore être résolu pour ce déploiement. Définissez APP_URL ou le Relying Party ID ci-dessous — les passkeys restent masquées jusque-là.",
+  'admin.passkey.rpId': 'Relying Party ID (domaine)',
+  'admin.passkey.rpIdHint':
+    "Le domaine nu auquel les passkeys sont liées, ex. trek.example.org. Laissez vide pour le déduire d'APP_URL. Le modifier ultérieurement invalide les passkeys existantes.",
+  'admin.passkey.origins': 'Origines autorisées',
+  'admin.passkey.originsHint':
+    "Origines complètes séparées par des virgules, ex. https://trek.example.org. Laissez vide pour utiliser APP_URL.",
+  'admin.passkey.reset': 'Réinitialiser les passkeys',
+  'admin.passkey.resetHint':
+    "Supprime toutes les passkeys de cet utilisateur (ex. en cas d'appareil perdu). Il pourra toujours se connecter avec son mot de passe.",
+  'admin.passkey.resetConfirm': 'Supprimer toutes les passkeys de {name} ?',
+  'admin.passkey.resetDone': '{count} passkey(s) supprimée(s)',
 };
 export default admin;
@@ -98,5 +98,8 @@ const login: TranslationStrings = {
  'login.oidcLoggedOut':
    'Vous avez été déconnecté. Reconnectez-vous via votre fournisseur SSO.',
  'login.demoHint': 'Essayez la démo — aucune inscription nécessaire',
+  'login.passkey.signIn': 'Se connecter avec une passkey',
+  'login.passkey.failed':
+    'Échec de la connexion par passkey. Veuillez réessayer.',
 };
 export default login;
@@ -301,6 +301,30 @@ const settings: TranslationStrings = {
  'settings.notificationPreferences.ntfy': 'Ntfy',
  "settings.currency": "Currency",
  "settings.currencyHint": "All amounts in Costs are converted to and shown in this currency.",
+  'settings.passkey.title': 'Passkeys',
+  'settings.passkey.description':
+    "Connectez-vous plus rapidement et de façon résistante au phishing avec une passkey — votre empreinte digitale, votre visage, votre code PIN ou une clé matérielle. Votre mot de passe reste disponible en secours.",
+  'settings.passkey.notConfigured':
+    "Les passkeys sont activées mais ne sont pas encore entièrement configurées sur ce serveur. Demandez à votre administrateur de définir le domaine WebAuthn.",
+  'settings.passkey.add': 'Ajouter une passkey',
+  'settings.passkey.addTitle': 'Ajouter une passkey',
+  'settings.passkey.passwordPrompt':
+    "Confirmez votre mot de passe actuel, puis suivez les instructions de votre appareil.",
+  'settings.passkey.passwordRequired': 'Votre mot de passe actuel est requis.',
+  'settings.passkey.namePlaceholder': 'Nom (facultatif, ex. "iPhone")',
+  'settings.passkey.addedToast': 'Passkey ajoutée',
+  'settings.passkey.added': 'Ajoutée',
+  'settings.passkey.addError': "Impossible d'ajouter la passkey",
+  'settings.passkey.cancelled': 'Configuration de la passkey annulée',
+  'settings.passkey.deleted': 'Passkey supprimée',
+  'settings.passkey.deleteConfirm':
+    'Supprimer cette passkey ? Confirmez avec votre mot de passe.',
+  'settings.passkey.rename': 'Renommer',
+  'settings.passkey.defaultName': 'Passkey',
+  'settings.passkey.synced': 'Synchronisée',
+  'settings.passkey.deviceBound': 'Cet appareil',
+  'settings.passkey.lastUsed': 'Dernière utilisation',
+  'settings.passkey.neverUsed': 'Jamais utilisée',
 };

 export default settings;
@@ -370,5 +370,24 @@ const admin: TranslationStrings = {
  'admin.addons.catalog.journey.name': 'Ταξίδι',
  'admin.addons.catalog.journey.description':
    'Παρακολούθηση ταξιδιών & ημερολόγιο ταξιδιών με αφίξεις, φωτογραφίες και καθημερινές ιστορίες',
+  'admin.passkey.title': 'Σύνδεση με passkey',
+  'admin.passkey.cardHint':
+    'Επιτρέψτε στους χρήστες να συνδέονται με passkeys (WebAuthn). Απενεργοποιημένο από προεπιλογή.',
+  'admin.passkey.login': 'Ενεργοποίηση σύνδεσης με passkey',
+  'admin.passkey.loginHint':
+    'Εμφανίστε μια επιλογή "Σύνδεση με passkey" και επιτρέψτε στους χρήστες να καταχωρούν passkeys στις ρυθμίσεις τους.',
+  'admin.passkey.notConfigured':
+    'Δεν αναλύεται ακόμη κανένας τομέας WebAuthn για αυτή την εγκατάσταση. Ορίστε το APP_URL ή το Relying Party ID παρακάτω — τα passkeys παραμένουν κρυφά μέχρι τότε.',
+  'admin.passkey.rpId': 'Relying Party ID (τομέας)',
+  'admin.passkey.rpIdHint':
+    'Ο σκέτος τομέας στον οποίο δεσμεύονται τα passkeys, π.χ. trek.example.org. Αφήστε το κενό για να παραχθεί από το APP_URL. Η μεταγενέστερη αλλαγή του ακυρώνει τα υπάρχοντα passkeys.',
+  'admin.passkey.origins': 'Επιτρεπόμενες προελεύσεις',
+  'admin.passkey.originsHint':
+    'Πλήρεις προελεύσεις χωρισμένες με κόμμα, π.χ. https://trek.example.org. Αφήστε το κενό για χρήση του APP_URL.',
+  'admin.passkey.reset': 'Επαναφορά passkeys',
+  'admin.passkey.resetHint':
+    'Αφαιρέστε όλα τα passkeys αυτού του χρήστη (π.χ. σε περίπτωση χαμένης συσκευής). Μπορούν ακόμη να συνδεθούν με τον κωδικό τους.',
+  'admin.passkey.resetConfirm': 'Αφαίρεση όλων των passkeys για τον/την {name};',
+  'admin.passkey.resetDone': 'Αφαιρέθηκαν {count} passkey(s)',
 };
 export default admin;
@@ -99,5 +99,8 @@ const login: TranslationStrings = {
    'Αυτός ο σύνδεσμος λείπει ή έχει χαλάσει. Ζητήστε έναν νέο για να συνεχίσετε.',
  'login.resetPasswordFailed':
    'Η επαναφορά απέτυχε. Ο σύνδεσμος μπορεί να έχει λήξει.',
+  'login.passkey.signIn': 'Σύνδεση με passkey',
+  'login.passkey.failed':
+    'Η σύνδεση με passkey απέτυχε. Παρακαλώ δοκιμάστε ξανά.',
 };
 export default login;
@@ -303,6 +303,30 @@ const settings: TranslationStrings = {
  'settings.mfa.demoBlocked': 'Δεν είναι διαθέσιμο σε λειτουργία demo',
  "settings.currency": "Currency",
  "settings.currencyHint": "All amounts in Costs are converted to and shown in this currency.",
+  'settings.passkey.title': 'Passkeys',
+  'settings.passkey.description':
+    'Συνδεθείτε πιο γρήγορα και με προστασία από phishing χρησιμοποιώντας ένα passkey — το δαχτυλικό σας αποτύπωμα, το πρόσωπό σας, ένα PIN ή ένα κλειδί υλικού. Ο κωδικός σας παραμένει ως εφεδρεία.',
+  'settings.passkey.notConfigured':
+    'Τα passkeys είναι ενεργοποιημένα αλλά δεν έχουν διαμορφωθεί πλήρως σε αυτόν τον server ακόμη. Ζητήστε από τον διαχειριστή σας να ορίσει τον τομέα WebAuthn.',
+  'settings.passkey.add': 'Προσθήκη passkey',
+  'settings.passkey.addTitle': 'Προσθήκη passkey',
+  'settings.passkey.passwordPrompt':
+    'Επιβεβαιώστε τον τρέχοντα κωδικό σας και έπειτα ακολουθήστε τις οδηγίες της συσκευής σας.',
+  'settings.passkey.passwordRequired': 'Ο τρέχων κωδικός σας είναι υποχρεωτικός.',
+  'settings.passkey.namePlaceholder': 'Όνομα (προαιρετικό, π.χ. "iPhone")',
+  'settings.passkey.addedToast': 'Το passkey προστέθηκε',
+  'settings.passkey.added': 'Προστέθηκε',
+  'settings.passkey.addError': 'Δεν ήταν δυνατή η προσθήκη του passkey',
+  'settings.passkey.cancelled': 'Η ρύθμιση του passkey ακυρώθηκε',
+  'settings.passkey.deleted': 'Το passkey αφαιρέθηκε',
+  'settings.passkey.deleteConfirm':
+    'Αφαίρεση αυτού του passkey; Επιβεβαιώστε με τον κωδικό σας.',
+  'settings.passkey.rename': 'Μετονομασία',
+  'settings.passkey.defaultName': 'Passkey',
+  'settings.passkey.synced': 'Συγχρονισμένο',
+  'settings.passkey.deviceBound': 'Αυτή η συσκευή',
+  'settings.passkey.lastUsed': 'Τελευταία χρήση',
+  'settings.passkey.neverUsed': 'Δεν χρησιμοποιήθηκε ποτέ',
 };

 export default settings;
@@ -362,5 +362,24 @@ const admin: TranslationStrings = {
  'admin.addons.catalog.journey.name': 'Útinaplók',
  'admin.addons.catalog.journey.description':
    'Utazáskövetés és útinapló bejelentkezésekkel, fotókkal és napi történetekkel',
+  'admin.passkey.title': 'Passkey-bejelentkezés',
+  'admin.passkey.cardHint':
+    'Engedélyezd a felhasználóknak a bejelentkezést passkey-vel (WebAuthn). Alapból kikapcsolva.',
+  'admin.passkey.login': 'Passkey-bejelentkezés engedélyezése',
+  'admin.passkey.loginHint':
+    'Jeleníts meg egy „Bejelentkezés passkey-jel" lehetőséget, és engedd, hogy a felhasználók passkey-ket regisztráljanak a beállításaikban.',
+  'admin.passkey.notConfigured':
+    'Ehhez a telepítéshez még nem oldódik fel WebAuthn-domain. Állítsd be az APP_URL-t vagy a lenti Relying Party ID-t — addig a passkey-k rejtve maradnak.',
+  'admin.passkey.rpId': 'Relying Party ID (domain)',
+  'admin.passkey.rpIdHint':
+    'A csupasz domain, amelyhez a passkey-k kötődnek, pl. trek.example.org. Hagyd üresen, hogy az APP_URL-ből legyen levezetve. Későbbi módosítása érvényteleníti a meglévő passkey-ket.',
+  'admin.passkey.origins': 'Engedélyezett origók',
+  'admin.passkey.originsHint':
+    'Vesszővel elválasztott teljes origók, pl. https://trek.example.org. Hagyd üresen az APP_URL használatához.',
+  'admin.passkey.reset': 'Passkey-k visszaállítása',
+  'admin.passkey.resetHint':
+    'Eltávolítja a felhasználó összes passkey-jét (pl. elveszett eszköz esetén). A jelszavukkal továbbra is be tudnak jelentkezni.',
+  'admin.passkey.resetConfirm': 'Eltávolítod {name} összes passkey-jét?',
+  'admin.passkey.resetDone': '{count} passkey eltávolítva',
 };
 export default admin;
@@ -98,5 +98,8 @@ const login: TranslationStrings = {
    'A link hiányzik vagy sérült. A folytatáshoz kérj egy újat.',
  'login.resetPasswordFailed':
    'A visszaállítás nem sikerült. A link lehet, hogy lejárt.',
+  'login.passkey.signIn': 'Bejelentkezés passkey-jel',
+  'login.passkey.failed':
+    'A passkey-bejelentkezés sikertelen. Kérjük, próbáld újra.',
 };
 export default login;
@@ -299,6 +299,30 @@ const settings: TranslationStrings = {
  'settings.notificationPreferences.ntfy': 'Ntfy',
  "settings.currency": "Currency",
  "settings.currencyHint": "All amounts in Costs are converted to and shown in this currency.",
+  'settings.passkey.title': 'Passkey-k',
+  'settings.passkey.description':
+    'Jelentkezz be gyorsabban és adathalászat-állóan egy passkey-jel — ujjlenyomattal, arccal, PIN-kóddal vagy hardveres kulccsal. A jelszavad tartalékként megmarad.',
+  'settings.passkey.notConfigured':
+    'A passkey-k engedélyezve vannak, de ezen a szerveren még nincsenek teljesen beállítva. Kérd meg a rendszergazdát, hogy állítsa be a WebAuthn-domaint.',
+  'settings.passkey.add': 'Passkey hozzáadása',
+  'settings.passkey.addTitle': 'Passkey hozzáadása',
+  'settings.passkey.passwordPrompt':
+    'Erősítsd meg a jelenlegi jelszavad, majd kövesd az eszközöd útmutatását.',
+  'settings.passkey.passwordRequired': 'A jelenlegi jelszó megadása kötelező.',
+  'settings.passkey.namePlaceholder': 'Név (opcionális, pl. "iPhone")',
+  'settings.passkey.addedToast': 'Passkey hozzáadva',
+  'settings.passkey.added': 'Hozzáadva',
+  'settings.passkey.addError': 'Nem sikerült hozzáadni a passkey-t',
+  'settings.passkey.cancelled': 'Passkey beállítása megszakítva',
+  'settings.passkey.deleted': 'Passkey eltávolítva',
+  'settings.passkey.deleteConfirm':
+    'Eltávolítod ezt a passkey-t? Erősítsd meg a jelszavaddal.',
+  'settings.passkey.rename': 'Átnevezés',
+  'settings.passkey.defaultName': 'Passkey',
+  'settings.passkey.synced': 'Szinkronizálva',
+  'settings.passkey.deviceBound': 'Ez az eszköz',
+  'settings.passkey.lastUsed': 'Utoljára használva',
+  'settings.passkey.neverUsed': 'Még nem használt',
 };

 export default settings;
@@ -357,5 +357,24 @@ const admin: TranslationStrings = {
  'admin.addons.catalog.journey.name': 'Journey',
  'admin.addons.catalog.journey.description':
    'Pelacakan perjalanan & jurnal dengan check-in, foto, dan cerita harian',
+  'admin.passkey.title': 'Login dengan passkey',
+  'admin.passkey.cardHint':
+    'Izinkan pengguna masuk dengan passkey (WebAuthn). Nonaktif secara default.',
+  'admin.passkey.login': 'Aktifkan login dengan passkey',
+  'admin.passkey.loginHint':
+    'Tampilkan opsi "Masuk dengan passkey" dan izinkan pengguna mendaftarkan passkey di pengaturan mereka.',
+  'admin.passkey.notConfigured':
+    'Belum ada domain WebAuthn yang terdeteksi untuk deployment ini. Atur APP_URL atau Relying Party ID di bawah — passkey tetap tersembunyi sampai itu dilakukan.',
+  'admin.passkey.rpId': 'Relying Party ID (domain)',
+  'admin.passkey.rpIdHint':
+    'Domain murni tempat passkey diikat, mis. trek.example.org. Kosongkan untuk mengambilnya dari APP_URL. Mengubahnya nanti akan membatalkan passkey yang sudah ada.',
+  'admin.passkey.origins': 'Origin yang diizinkan',
+  'admin.passkey.originsHint':
+    'Origin lengkap dipisahkan koma, mis. https://trek.example.org. Kosongkan untuk menggunakan APP_URL.',
+  'admin.passkey.reset': 'Reset passkey',
+  'admin.passkey.resetHint':
+    'Hapus semua passkey pengguna ini (mis. saat perangkat hilang). Mereka tetap bisa masuk dengan kata sandi mereka.',
+  'admin.passkey.resetConfirm': 'Hapus semua passkey untuk {name}?',
+  'admin.passkey.resetDone': 'Menghapus {count} passkey',
 };
 export default admin;
@@ -93,5 +93,7 @@ const login: TranslationStrings = {
  'login.resetPasswordInvalidLinkBody':
    'Tautan hilang atau rusak. Minta tautan baru untuk melanjutkan.',
  'login.resetPasswordFailed': 'Reset gagal. Tautan mungkin sudah kedaluwarsa.',
+  'login.passkey.signIn': 'Masuk dengan passkey',
+  'login.passkey.failed': 'Masuk dengan passkey gagal. Silakan coba lagi.',
 };
 export default login;
@@ -297,6 +297,30 @@ const settings: TranslationStrings = {
    'Menampilkan nama stasiun / bandara di peta. Jika mati, hanya ikon ditampilkan.',
  "settings.currency": "Currency",
  "settings.currencyHint": "All amounts in Costs are converted to and shown in this currency.",
+  'settings.passkey.title': 'Passkey',
+  'settings.passkey.description':
+    'Masuk lebih cepat dan tahan terhadap phishing dengan passkey — sidik jari, wajah, PIN, atau kunci keamanan fisik kamu. Kata sandimu tetap tersedia sebagai cadangan.',
+  'settings.passkey.notConfigured':
+    'Passkey diaktifkan tetapi belum sepenuhnya dikonfigurasi di server ini. Minta administratormu untuk mengatur domain WebAuthn.',
+  'settings.passkey.add': 'Tambah passkey',
+  'settings.passkey.addTitle': 'Tambah passkey',
+  'settings.passkey.passwordPrompt':
+    'Konfirmasi kata sandimu saat ini, lalu ikuti petunjuk di perangkatmu.',
+  'settings.passkey.passwordRequired': 'Kata sandimu saat ini wajib diisi.',
+  'settings.passkey.namePlaceholder': 'Nama (opsional, mis. "iPhone")',
+  'settings.passkey.addedToast': 'Passkey ditambahkan',
+  'settings.passkey.added': 'Ditambahkan',
+  'settings.passkey.addError': 'Gagal menambahkan passkey',
+  'settings.passkey.cancelled': 'Penyiapan passkey dibatalkan',
+  'settings.passkey.deleted': 'Passkey dihapus',
+  'settings.passkey.deleteConfirm':
+    'Hapus passkey ini? Konfirmasi dengan kata sandimu.',
+  'settings.passkey.rename': 'Ganti nama',
+  'settings.passkey.defaultName': 'Passkey',
+  'settings.passkey.synced': 'Tersinkron',
+  'settings.passkey.deviceBound': 'Perangkat ini',
+  'settings.passkey.lastUsed': 'Terakhir digunakan',
+  'settings.passkey.neverUsed': 'Belum pernah digunakan',
 };

 export default settings;
@@ -365,5 +365,24 @@ const admin: TranslationStrings = {
  'admin.addons.catalog.journey.name': 'Diario di viaggio',
  'admin.addons.catalog.journey.description':
    'Tracciamento viaggi e diario con check-in, foto e storie quotidiane',
+  'admin.passkey.title': 'Accesso con passkey',
+  'admin.passkey.cardHint':
+    'Consenti agli utenti di accedere con le passkey (WebAuthn). Disattivato per impostazione predefinita.',
+  'admin.passkey.login': 'Abilita accesso con passkey',
+  'admin.passkey.loginHint':
+    'Mostra un\'opzione "Accedi con una passkey" e consenti agli utenti di registrare le passkey nelle loro impostazioni.',
+  'admin.passkey.notConfigured':
+    'Nessun dominio WebAuthn è ancora risolto per questa installazione. Imposta APP_URL o il Relying Party ID qui sotto — le passkey restano nascoste fino ad allora.',
+  'admin.passkey.rpId': 'Relying Party ID (dominio)',
+  'admin.passkey.rpIdHint':
+    'Il dominio puro a cui le passkey sono associate, es. trek.example.org. Lascia vuoto per derivarlo da APP_URL. Modificarlo in seguito invalida le passkey esistenti.',
+  'admin.passkey.origins': 'Origini consentite',
+  'admin.passkey.originsHint':
+    'Origini complete separate da virgola, es. https://trek.example.org. Lascia vuoto per usare APP_URL.',
+  'admin.passkey.reset': 'Reimposta passkey',
+  'admin.passkey.resetHint':
+    "Rimuovi tutte le passkey di questo utente (es. in caso di dispositivo smarrito). Potrà comunque accedere con la sua password.",
+  'admin.passkey.resetConfirm': 'Rimuovere tutte le passkey di {name}?',
+  'admin.passkey.resetDone': 'Rimosse {count} passkey',
 };
 export default admin;
@@ -92,5 +92,7 @@ const login: TranslationStrings = {
    'Il link è mancante o danneggiato. Richiedine uno nuovo per continuare.',
  'login.resetPasswordFailed':
    'Reset non riuscito. Il link potrebbe essere scaduto.',
+  'login.passkey.signIn': 'Accedi con una passkey',
+  'login.passkey.failed': 'Accesso con passkey non riuscito. Riprova.',
 };
 export default login;
@@ -296,6 +296,30 @@ const settings: TranslationStrings = {
  'settings.notificationPreferences.ntfy': 'Ntfy',
  "settings.currency": "Currency",
  "settings.currencyHint": "All amounts in Costs are converted to and shown in this currency.",
+  'settings.passkey.title': 'Passkey',
+  'settings.passkey.description':
+    'Accedi più velocemente e in modo resistente al phishing con una passkey — la tua impronta digitale, il volto, il PIN o una chiave hardware. La tua password resta come riserva.',
+  'settings.passkey.notConfigured':
+    'Le passkey sono abilitate ma non ancora completamente configurate su questo server. Chiedi al tuo amministratore di impostare il dominio WebAuthn.',
+  'settings.passkey.add': 'Aggiungi una passkey',
+  'settings.passkey.addTitle': 'Aggiungi una passkey',
+  'settings.passkey.passwordPrompt':
+    'Conferma la tua password attuale, poi segui le istruzioni del tuo dispositivo.',
+  'settings.passkey.passwordRequired': 'La tua password attuale è obbligatoria.',
+  'settings.passkey.namePlaceholder': 'Nome (facoltativo, es. "iPhone")',
+  'settings.passkey.addedToast': 'Passkey aggiunta',
+  'settings.passkey.added': 'Aggiunta',
+  'settings.passkey.addError': 'Impossibile aggiungere la passkey',
+  'settings.passkey.cancelled': 'Configurazione della passkey annullata',
+  'settings.passkey.deleted': 'Passkey rimossa',
+  'settings.passkey.deleteConfirm':
+    'Rimuovere questa passkey? Conferma con la tua password.',
+  'settings.passkey.rename': 'Rinomina',
+  'settings.passkey.defaultName': 'Passkey',
+  'settings.passkey.synced': 'Sincronizzata',
+  'settings.passkey.deviceBound': 'Questo dispositivo',
+  'settings.passkey.lastUsed': 'Ultimo utilizzo',
+  'settings.passkey.neverUsed': 'Mai usata',
 };

 export default settings;
@@ -336,5 +336,24 @@ const admin: TranslationStrings = {
  'admin.addons.catalog.journey.name': '日記',
  'admin.addons.catalog.journey.description':
    'チェックイン、写真、日ごとのストーリーで旅を記録',
+  'admin.passkey.title': 'パスキーログイン',
+  'admin.passkey.cardHint':
+    'ユーザーがパスキー（WebAuthn）でサインインできるようにします。既定では無効です。',
+  'admin.passkey.login': 'パスキーログインを有効化',
+  'admin.passkey.loginHint':
+    '「パスキーでサインイン」オプションを表示し、ユーザーが設定でパスキーを登録できるようにします。',
+  'admin.passkey.notConfigured':
+    'このデプロイにはまだ有効な WebAuthn ドメインがありません。下の APP_URL または Relying Party ID を設定してください。それまでパスキーは表示されません。',
+  'admin.passkey.rpId': 'Relying Party ID（ドメイン）',
+  'admin.passkey.rpIdHint':
+    'パスキーが紐づくドメイン名のみ（例：trek.example.org）。空欄の場合は APP_URL から導出されます。後で変更すると既存のパスキーは無効になります。',
+  'admin.passkey.origins': '許可するオリジン',
+  'admin.passkey.originsHint':
+    'カンマ区切りの完全なオリジン（例：https://trek.example.org）。空欄の場合は APP_URL を使用します。',
+  'admin.passkey.reset': 'パスキーをリセット',
+  'admin.passkey.resetHint':
+    'このユーザーのパスキーをすべて削除します（例：デバイスを紛失した場合）。パスワードでのサインインは引き続き可能です。',
+  'admin.passkey.resetConfirm': '{name} のパスキーをすべて削除しますか？',
+  'admin.passkey.resetDone': '{count} 件のパスキーを削除しました',
 };
 export default admin;
@@ -91,5 +91,8 @@ const login: TranslationStrings = {
    'リンクが無効または破損しています。新しいリンクをリクエストしてください。',
  'login.resetPasswordFailed':
    'リセットに失敗しました。リンクの有効期限が切れている可能性があります。',
+  'login.passkey.signIn': 'パスキーでサインイン',
+  'login.passkey.failed':
+    'パスキーでのサインインに失敗しました。もう一度お試しください。',
 };
 export default login;
@@ -276,6 +276,30 @@ const settings: TranslationStrings = {
  'settings.oauth.badge.machine': 'マシン',
  "settings.currency": "Currency",
  "settings.currencyHint": "All amounts in Costs are converted to and shown in this currency.",
+  'settings.passkey.title': 'パスキー',
+  'settings.passkey.description':
+    '指紋、顔認証、PIN、またはハードウェアキーを使うパスキーで、より速く、フィッシングに強いサインインができます。パスワードはバックアップとして残ります。',
+  'settings.passkey.notConfigured':
+    'パスキーは有効ですが、このサーバーではまだ完全には設定されていません。管理者に WebAuthn ドメインの設定を依頼してください。',
+  'settings.passkey.add': 'パスキーを追加',
+  'settings.passkey.addTitle': 'パスキーを追加',
+  'settings.passkey.passwordPrompt':
+    '現在のパスワードを確認し、デバイスの指示に従ってください。',
+  'settings.passkey.passwordRequired': '現在のパスワードが必要です。',
+  'settings.passkey.namePlaceholder': '名前（任意、例："iPhone"）',
+  'settings.passkey.addedToast': 'パスキーを追加しました',
+  'settings.passkey.added': '追加済み',
+  'settings.passkey.addError': 'パスキーを追加できませんでした',
+  'settings.passkey.cancelled': 'パスキーの設定をキャンセルしました',
+  'settings.passkey.deleted': 'パスキーを削除しました',
+  'settings.passkey.deleteConfirm':
+    'このパスキーを削除しますか？パスワードで確認してください。',
+  'settings.passkey.rename': '名前を変更',
+  'settings.passkey.defaultName': 'パスキー',
+  'settings.passkey.synced': '同期済み',
+  'settings.passkey.deviceBound': 'このデバイス',
+  'settings.passkey.lastUsed': '最終使用',
+  'settings.passkey.neverUsed': '未使用',
 };

 export default settings;
@@ -349,5 +349,24 @@ const admin: TranslationStrings = {
  'admin.addons.catalog.journey.name': 'Journey',
  'admin.addons.catalog.journey.description':
    '체크인, 사진, 일별 이야기가 있는 여행 기록 및 여행 일지',
+  'admin.passkey.title': '패스키 로그인',
+  'admin.passkey.cardHint':
+    '사용자가 패스키(WebAuthn)로 로그인할 수 있게 합니다. 기본값은 꺼짐입니다.',
+  'admin.passkey.login': '패스키 로그인 활성화',
+  'admin.passkey.loginHint':
+    '"패스키로 로그인" 옵션을 표시하고 사용자가 설정에서 패스키를 등록할 수 있게 합니다.',
+  'admin.passkey.notConfigured':
+    '이 배포에 아직 WebAuthn 도메인이 확인되지 않습니다. 아래에서 APP_URL 또는 Relying Party ID를 설정하세요 — 그 전까지 패스키는 숨겨진 상태로 유지됩니다.',
+  'admin.passkey.rpId': 'Relying Party ID (도메인)',
+  'admin.passkey.rpIdHint':
+    '패스키가 바인딩되는 순수 도메인입니다. 예: trek.example.org. 비워두면 APP_URL에서 자동으로 가져옵니다. 나중에 변경하면 기존 패스키가 무효화됩니다.',
+  'admin.passkey.origins': '허용된 오리진',
+  'admin.passkey.originsHint':
+    '쉼표로 구분된 전체 오리진입니다. 예: https://trek.example.org. 비워두면 APP_URL을 사용합니다.',
+  'admin.passkey.reset': '패스키 초기화',
+  'admin.passkey.resetHint':
+    '이 사용자의 모든 패스키를 삭제합니다 (예: 기기 분실 시). 사용자는 비밀번호로 계속 로그인할 수 있습니다.',
+  'admin.passkey.resetConfirm': '{name}의 모든 패스키를 삭제할까요?',
+  'admin.passkey.resetDone': '패스키 {count}개를 삭제했습니다',
 };
 export default admin;
@@ -89,5 +89,7 @@ const login: TranslationStrings = {
  'login.resetPasswordInvalidLinkBody':
    '이 링크가 없거나 손상되었습니다. 새 링크를 요청하세요.',
  'login.resetPasswordFailed': '재설정 실패. 링크가 만료되었을 수 있습니다.',
+  'login.passkey.signIn': '패스키로 로그인',
+  'login.passkey.failed': '패스키 로그인에 실패했습니다. 다시 시도하세요.',
 };
 export default login;
@@ -293,6 +293,30 @@ const settings: TranslationStrings = {
  'settings.oauth.badge.machine': '머신',
  "settings.currency": "Currency",
  "settings.currencyHint": "All amounts in Costs are converted to and shown in this currency.",
+  'settings.passkey.title': '패스키',
+  'settings.passkey.description':
+    '지문, 얼굴, PIN 또는 하드웨어 키 같은 패스키로 더 빠르고 피싱에 강하게 로그인하세요. 비밀번호는 백업으로 그대로 유지됩니다.',
+  'settings.passkey.notConfigured':
+    '패스키가 활성화되어 있지만 이 서버에 아직 완전히 설정되지 않았습니다. 관리자에게 WebAuthn 도메인 설정을 요청하세요.',
+  'settings.passkey.add': '패스키 추가',
+  'settings.passkey.addTitle': '패스키 추가',
+  'settings.passkey.passwordPrompt':
+    '현재 비밀번호를 확인한 뒤 기기 안내에 따라 진행하세요.',
+  'settings.passkey.passwordRequired': '현재 비밀번호가 필요합니다.',
+  'settings.passkey.namePlaceholder': '이름 (선택, 예: "iPhone")',
+  'settings.passkey.addedToast': '패스키가 추가되었습니다',
+  'settings.passkey.added': '추가됨',
+  'settings.passkey.addError': '패스키를 추가할 수 없습니다',
+  'settings.passkey.cancelled': '패스키 설정이 취소되었습니다',
+  'settings.passkey.deleted': '패스키가 삭제되었습니다',
+  'settings.passkey.deleteConfirm':
+    '이 패스키를 삭제할까요? 비밀번호로 확인하세요.',
+  'settings.passkey.rename': '이름 변경',
+  'settings.passkey.defaultName': '패스키',
+  'settings.passkey.synced': '동기화됨',
+  'settings.passkey.deviceBound': '이 기기',
+  'settings.passkey.lastUsed': '마지막 사용',
+  'settings.passkey.neverUsed': '사용한 적 없음',
 };

 export default settings;
@@ -360,5 +360,24 @@ const admin: TranslationStrings = {
  'admin.addons.catalog.journey.name': 'Reisverslag',
  'admin.addons.catalog.journey.description':
    "Reistracking & reisdagboek met check-ins, foto's en dagelijkse verhalen",
+  'admin.passkey.title': 'Inloggen met passkey',
+  'admin.passkey.cardHint':
+    'Laat gebruikers inloggen met passkeys (WebAuthn). Standaard uit.',
+  'admin.passkey.login': 'Inloggen met passkey inschakelen',
+  'admin.passkey.loginHint':
+    'Toon een optie "Inloggen met een passkey" en laat gebruikers passkeys registreren in hun instellingen.',
+  'admin.passkey.notConfigured':
+    'Voor deze installatie wordt nog geen WebAuthn-domein herleid. Stel APP_URL of de Relying Party ID hieronder in — tot dan blijven passkeys verborgen.',
+  'admin.passkey.rpId': 'Relying Party ID (domein)',
+  'admin.passkey.rpIdHint':
+    'Het kale domein waaraan passkeys zijn gebonden, bijv. trek.example.org. Laat leeg om het af te leiden uit APP_URL. Als je dit later wijzigt, worden bestaande passkeys ongeldig.',
+  'admin.passkey.origins': 'Toegestane origins',
+  'admin.passkey.originsHint':
+    'Volledige origins, gescheiden door komma\'s, bijv. https://trek.example.org. Laat leeg om APP_URL te gebruiken.',
+  'admin.passkey.reset': 'Passkeys resetten',
+  'admin.passkey.resetHint':
+    'Verwijder alle passkeys van deze gebruiker (bijv. bij een verloren apparaat). Ze kunnen nog steeds inloggen met hun wachtwoord.',
+  'admin.passkey.resetConfirm': 'Alle passkeys voor {name} verwijderen?',
+  'admin.passkey.resetDone': '{count} passkey(s) verwijderd',
 };
 export default admin;
@@ -94,5 +94,7 @@ const login: TranslationStrings = {
  'login.oidcLoggedOut':
    'Je bent uitgelogd. Log opnieuw in via je SSO-provider.',
  'login.demoHint': 'Probeer de demo — geen registratie nodig',
+  'login.passkey.signIn': 'Inloggen met een passkey',
+  'login.passkey.failed': 'Inloggen met passkey mislukt. Probeer het opnieuw.',
 };
 export default login;
@@ -296,6 +296,30 @@ const settings: TranslationStrings = {
  'settings.notificationPreferences.ntfy': 'Ntfy',
  "settings.currency": "Currency",
  "settings.currencyHint": "All amounts in Costs are converted to and shown in this currency.",
+  'settings.passkey.title': 'Passkeys',
+  'settings.passkey.description':
+    'Log sneller en phishingbestendig in met een passkey — je vingerafdruk, gezicht, pincode of een hardwaresleutel. Je wachtwoord blijft als back-up bestaan.',
+  'settings.passkey.notConfigured':
+    'Passkeys zijn ingeschakeld maar nog niet volledig geconfigureerd op deze server. Vraag je beheerder om het WebAuthn-domein in te stellen.',
+  'settings.passkey.add': 'Een passkey toevoegen',
+  'settings.passkey.addTitle': 'Een passkey toevoegen',
+  'settings.passkey.passwordPrompt':
+    'Bevestig je huidige wachtwoord en volg daarna de aanwijzingen van je apparaat.',
+  'settings.passkey.passwordRequired': 'Je huidige wachtwoord is vereist.',
+  'settings.passkey.namePlaceholder': 'Naam (optioneel, bijv. "iPhone")',
+  'settings.passkey.addedToast': 'Passkey toegevoegd',
+  'settings.passkey.added': 'Toegevoegd',
+  'settings.passkey.addError': 'Passkey kon niet worden toegevoegd',
+  'settings.passkey.cancelled': 'Passkey instellen geannuleerd',
+  'settings.passkey.deleted': 'Passkey verwijderd',
+  'settings.passkey.deleteConfirm':
+    'Deze passkey verwijderen? Bevestig met je wachtwoord.',
+  'settings.passkey.rename': 'Naam wijzigen',
+  'settings.passkey.defaultName': 'Passkey',
+  'settings.passkey.synced': 'Gesynchroniseerd',
+  'settings.passkey.deviceBound': 'Dit apparaat',
+  'settings.passkey.lastUsed': 'Laatst gebruikt',
+  'settings.passkey.neverUsed': 'Nooit gebruikt',
 };

 export default settings;
@@ -362,5 +362,24 @@ const admin: TranslationStrings = {
  'admin.addons.catalog.journey.name': 'Dziennik podróży',
  'admin.addons.catalog.journey.description':
    'Śledzenie podróży i dziennik z zameldowaniami, zdjęciami i codziennymi historiami',
+  'admin.passkey.title': 'Logowanie kluczem dostępu',
+  'admin.passkey.cardHint':
+    'Pozwól użytkownikom logować się kluczami dostępu (WebAuthn). Domyślnie wyłączone.',
+  'admin.passkey.login': 'Włącz logowanie kluczem dostępu',
+  'admin.passkey.loginHint':
+    'Pokaż opcję „Zaloguj się kluczem dostępu” i pozwól użytkownikom rejestrować klucze dostępu w swoich ustawieniach.',
+  'admin.passkey.notConfigured':
+    'Dla tego wdrożenia nie ustalono jeszcze żadnej domeny WebAuthn. Ustaw APP_URL lub Relying Party ID poniżej — do tego czasu klucze dostępu pozostaną ukryte.',
+  'admin.passkey.rpId': 'Relying Party ID (domena)',
+  'admin.passkey.rpIdHint':
+    'Sama domena, do której przypisane są klucze dostępu, np. trek.example.org. Pozostaw puste, aby wyprowadzić ją z APP_URL. Późniejsza zmiana unieważnia istniejące klucze dostępu.',
+  'admin.passkey.origins': 'Dozwolone origins',
+  'admin.passkey.originsHint':
+    'Pełne origins oddzielone przecinkami, np. https://trek.example.org. Pozostaw puste, aby użyć APP_URL.',
+  'admin.passkey.reset': 'Zresetuj klucze dostępu',
+  'admin.passkey.resetHint':
+    'Usuń wszystkie klucze dostępu tego użytkownika (np. po utracie urządzenia). Nadal będzie mógł logować się hasłem.',
+  'admin.passkey.resetConfirm': 'Usunąć wszystkie klucze dostępu dla {name}?',
+  'admin.passkey.resetDone': 'Usunięto {count} kluczy dostępu',
 };
 export default admin;
@@ -94,5 +94,8 @@ const login: TranslationStrings = {
  'login.resetPasswordFailed': 'Reset nie powiódł się. Link mógł wygasnąć.',
  'login.setNewPassword': 'Ustaw nowe hasło',
  'login.setNewPasswordHint': 'Musisz zmienić hasło.',
+  'login.passkey.signIn': 'Zaloguj się kluczem dostępu',
+  'login.passkey.failed':
+    'Logowanie kluczem dostępu nie powiodło się. Spróbuj ponownie.',
 };
 export default login;
@@ -298,6 +298,30 @@ const settings: TranslationStrings = {
  'settings.mustChangePassword': 'Musisz zmienić hasło przed kontynuowaniem.',
  "settings.currency": "Currency",
  "settings.currencyHint": "All amounts in Costs are converted to and shown in this currency.",
+  'settings.passkey.title': 'Klucze dostępu',
+  'settings.passkey.description':
+    'Loguj się szybciej i z odpornością na phishing za pomocą klucza dostępu — odcisku palca, twarzy, kodu PIN lub klucza sprzętowego. Twoje hasło pozostaje jako zapasowa opcja.',
+  'settings.passkey.notConfigured':
+    'Klucze dostępu są włączone, ale nie zostały jeszcze w pełni skonfigurowane na tym serwerze. Poproś administratora o ustawienie domeny WebAuthn.',
+  'settings.passkey.add': 'Dodaj klucz dostępu',
+  'settings.passkey.addTitle': 'Dodaj klucz dostępu',
+  'settings.passkey.passwordPrompt':
+    'Potwierdź swoje aktualne hasło, a następnie postępuj zgodnie z komunikatem na urządzeniu.',
+  'settings.passkey.passwordRequired': 'Twoje aktualne hasło jest wymagane.',
+  'settings.passkey.namePlaceholder': 'Nazwa (opcjonalnie, np. "iPhone")',
+  'settings.passkey.addedToast': 'Klucz dostępu został dodany',
+  'settings.passkey.added': 'Dodano',
+  'settings.passkey.addError': 'Nie udało się dodać klucza dostępu',
+  'settings.passkey.cancelled': 'Konfiguracja klucza dostępu anulowana',
+  'settings.passkey.deleted': 'Klucz dostępu został usunięty',
+  'settings.passkey.deleteConfirm':
+    'Usunąć ten klucz dostępu? Potwierdź swoim hasłem.',
+  'settings.passkey.rename': 'Zmień nazwę',
+  'settings.passkey.defaultName': 'Klucz dostępu',
+  'settings.passkey.synced': 'Zsynchronizowany',
+  'settings.passkey.deviceBound': 'To urządzenie',
+  'settings.passkey.lastUsed': 'Ostatnio użyty',
+  'settings.passkey.neverUsed': 'Nigdy nieużywany',
 };

 export default settings;
@@ -366,5 +366,24 @@ const admin: TranslationStrings = {
  'admin.addons.catalog.journey.name': 'Путешествие',
  'admin.addons.catalog.journey.description':
    'Отслеживание поездок и дневник путешествий с отметками, фото и ежедневными историями',
+  'admin.passkey.title': 'Вход по passkey',
+  'admin.passkey.cardHint':
+    'Разрешите пользователям входить с помощью passkeys (WebAuthn). По умолчанию выключено.',
+  'admin.passkey.login': 'Включить вход по passkey',
+  'admin.passkey.loginHint':
+    'Показывать вариант «Войти с помощью passkey» и разрешить пользователям регистрировать passkeys в своих настройках.',
+  'admin.passkey.notConfigured':
+    'Для этого развёртывания пока не определён домен WebAuthn. Задайте APP_URL или Relying Party ID ниже — до этого passkeys остаются скрытыми.',
+  'admin.passkey.rpId': 'Relying Party ID (домен)',
+  'admin.passkey.rpIdHint':
+    'Голый домен, к которому привязаны passkeys, напр. trek.example.org. Оставьте пустым, чтобы определить его из APP_URL. Последующее изменение делает существующие passkeys недействительными.',
+  'admin.passkey.origins': 'Разрешённые источники',
+  'admin.passkey.originsHint':
+    'Полные источники через запятую, напр. https://trek.example.org. Оставьте пустым, чтобы использовать APP_URL.',
+  'admin.passkey.reset': 'Сбросить passkeys',
+  'admin.passkey.resetHint':
+    'Удалить все passkeys этого пользователя (напр. при потере устройства). Он по-прежнему сможет войти по паролю.',
+  'admin.passkey.resetConfirm': 'Удалить все passkeys пользователя {name}?',
+  'admin.passkey.resetDone': 'Удалено passkeys: {count}',
 };
 export default admin;
@@ -93,5 +93,7 @@ const login: TranslationStrings = {
  'login.oidcLoggedOut':
    'Вы вышли из системы. Войдите снова через вашего провайдера SSO.',
  'login.demoHint': 'Попробуйте демо — регистрация не требуется',
+  'login.passkey.signIn': 'Войти с помощью passkey',
+  'login.passkey.failed': 'Не удалось войти с помощью passkey. Попробуйте ещё раз.',
 };
 export default login;
@@ -297,6 +297,29 @@ const settings: TranslationStrings = {
  'settings.notificationPreferences.ntfy': 'Ntfy',
  "settings.currency": "Currency",
  "settings.currencyHint": "All amounts in Costs are converted to and shown in this currency.",
+  'settings.passkey.title': 'Passkeys',
+  'settings.passkey.description':
+    'Входите быстрее и с защитой от фишинга с помощью passkey — отпечатка пальца, лица, PIN-кода или аппаратного ключа. Ваш пароль остаётся как резервный способ.',
+  'settings.passkey.notConfigured':
+    'Passkeys включены, но ещё не полностью настроены на этом сервере. Попросите администратора задать домен WebAuthn.',
+  'settings.passkey.add': 'Добавить passkey',
+  'settings.passkey.addTitle': 'Добавить passkey',
+  'settings.passkey.passwordPrompt':
+    'Подтвердите текущий пароль, затем следуйте подсказке на устройстве.',
+  'settings.passkey.passwordRequired': 'Требуется ваш текущий пароль.',
+  'settings.passkey.namePlaceholder': 'Название (необязательно, напр. "iPhone")',
+  'settings.passkey.addedToast': 'Passkey добавлен',
+  'settings.passkey.added': 'Добавлен',
+  'settings.passkey.addError': 'Не удалось добавить passkey',
+  'settings.passkey.cancelled': 'Настройка passkey отменена',
+  'settings.passkey.deleted': 'Passkey удалён',
+  'settings.passkey.deleteConfirm': 'Удалить этот passkey? Подтвердите паролем.',
+  'settings.passkey.rename': 'Переименовать',
+  'settings.passkey.defaultName': 'Passkey',
+  'settings.passkey.synced': 'Синхронизирован',
+  'settings.passkey.deviceBound': 'Это устройство',
+  'settings.passkey.lastUsed': 'Последнее использование',
+  'settings.passkey.neverUsed': 'Не использовался',
 };

 export default settings;
@@ -363,5 +363,24 @@ const admin: TranslationStrings = {
  'admin.addons.catalog.journey.name': 'Seyahat',
  'admin.addons.catalog.journey.description':
    'Check-in, fotoğraf ve günlük hikâyelerle seyahat takibi ve seyahat günlüğü',
+  'admin.passkey.title': 'Passkey ile oturum açma',
+  'admin.passkey.cardHint':
+    'Kullanıcıların passkey (WebAuthn) ile oturum açmasına izin verin. Varsayılan olarak kapalı.',
+  'admin.passkey.login': 'Passkey ile oturum açmayı etkinleştir',
+  'admin.passkey.loginHint':
+    'Bir "Passkey ile oturum açın" seçeneği gösterin ve kullanıcıların ayarlarında passkey kaydetmesine izin verin.',
+  'admin.passkey.notConfigured':
+    'Bu dağıtım için henüz çözümlenen bir WebAuthn alan adı yok. Aşağıdan APP_URL veya Relying Party ID değerini ayarlayın — o ana kadar passkey’ler gizli kalır.',
+  'admin.passkey.rpId': 'Relying Party ID (alan adı)',
+  'admin.passkey.rpIdHint':
+    'Passkey’lerin bağlı olduğu yalın alan adı, ör. trek.example.org. APP_URL’den türetmek için boş bırakın. Daha sonra değiştirmek mevcut passkey’leri geçersiz kılar.',
+  'admin.passkey.origins': 'İzin verilen kaynaklar',
+  'admin.passkey.originsHint':
+    'Virgülle ayrılmış tam kaynaklar, ör. https://trek.example.org. APP_URL kullanmak için boş bırakın.',
+  'admin.passkey.reset': 'Passkey’leri sıfırla',
+  'admin.passkey.resetHint':
+    'Bu kullanıcının tüm passkey’lerini kaldırın (ör. kaybolan bir cihazda). Yine de şifreleriyle oturum açabilirler.',
+  'admin.passkey.resetConfirm': '{name} için tüm passkey’ler kaldırılsın mı?',
+  'admin.passkey.resetDone': '{count} passkey kaldırıldı',
 };
 export default admin;
@@ -96,5 +96,8 @@ const login: TranslationStrings = {
    'Bu bağlantı eksik veya bozuk. Devam etmek için yeni bir tane isteyin.',
  'login.resetPasswordFailed':
    'Sıfırlama başarısız oldu. Bağlantının süresi dolmuş olabilir.',
+  'login.passkey.signIn': 'Passkey ile oturum açın',
+  'login.passkey.failed':
+    'Passkey ile oturum açma başarısız oldu. Lütfen tekrar deneyin.',
 };
 export default login;
@@ -297,6 +297,30 @@ const settings: TranslationStrings = {
  'settings.oauth.badge.machine': 'makine',
  "settings.currency": "Currency",
  "settings.currencyHint": "All amounts in Costs are converted to and shown in this currency.",
+  'settings.passkey.title': 'Passkey’ler',
+  'settings.passkey.description':
+    'Passkey ile daha hızlı ve kimlik avına dayanıklı şekilde oturum açın — parmak iziniz, yüzünüz, PIN’iniz veya bir donanım anahtarı. Şifreniz yedek olarak kalır.',
+  'settings.passkey.notConfigured':
+    'Passkey’ler etkin ancak bu sunucuda henüz tam olarak yapılandırılmadı. WebAuthn alan adını ayarlaması için yöneticinize başvurun.',
+  'settings.passkey.add': 'Passkey ekle',
+  'settings.passkey.addTitle': 'Passkey ekle',
+  'settings.passkey.passwordPrompt':
+    'Mevcut şifrenizi onaylayın, ardından cihazınızın istemini izleyin.',
+  'settings.passkey.passwordRequired': 'Mevcut şifreniz gerekli.',
+  'settings.passkey.namePlaceholder': 'Ad (isteğe bağlı, ör. "iPhone")',
+  'settings.passkey.addedToast': 'Passkey eklendi',
+  'settings.passkey.added': 'Eklendi',
+  'settings.passkey.addError': 'Passkey eklenemedi',
+  'settings.passkey.cancelled': 'Passkey kurulumu iptal edildi',
+  'settings.passkey.deleted': 'Passkey kaldırıldı',
+  'settings.passkey.deleteConfirm':
+    'Bu passkey kaldırılsın mı? Şifrenizle onaylayın.',
+  'settings.passkey.rename': 'Yeniden adlandır',
+  'settings.passkey.defaultName': 'Passkey',
+  'settings.passkey.synced': 'Senkronize edildi',
+  'settings.passkey.deviceBound': 'Bu cihaz',
+  'settings.passkey.lastUsed': 'Son kullanım',
+  'settings.passkey.neverUsed': 'Hiç kullanılmadı',
 };

 export default settings;
@@ -370,5 +370,24 @@ const admin: TranslationStrings = {
  'admin.addons.catalog.journey.name': 'Journey',
  'admin.addons.catalog.journey.description':
    'Відстеження поїздок і щоденник подорожей з позначками, фото та щоденними історіями',
+  'admin.passkey.title': 'Вхід за допомогою passkey',
+  'admin.passkey.cardHint':
+    'Дозволити користувачам входити за допомогою passkey (WebAuthn). За замовчуванням вимкнено.',
+  'admin.passkey.login': 'Увімкнути вхід за допомогою passkey',
+  'admin.passkey.loginHint':
+    'Показувати опцію «Увійти за допомогою passkey» та дозволити користувачам реєструвати passkeys у своїх налаштуваннях.',
+  'admin.passkey.notConfigured':
+    'Для цього розгортання поки не визначено жодного домену WebAuthn. Вкажіть APP_URL або Relying Party ID нижче — до того часу passkeys залишатимуться прихованими.',
+  'admin.passkey.rpId': 'Relying Party ID (домен)',
+  'admin.passkey.rpIdHint':
+    'Чистий домен, до якого прив’язані passkeys, напр. trek.example.org. Залиште порожнім, щоб визначити його з APP_URL. Подальша зміна робить наявні passkeys недійсними.',
+  'admin.passkey.origins': 'Дозволені джерела (origins)',
+  'admin.passkey.originsHint':
+    'Повні джерела через кому, напр. https://trek.example.org. Залиште порожнім, щоб використати APP_URL.',
+  'admin.passkey.reset': 'Скинути passkeys',
+  'admin.passkey.resetHint':
+    'Видалити всі passkeys цього користувача (напр. у разі втрати пристрою). Він зможе входити за допомогою свого пароля.',
+  'admin.passkey.resetConfirm': 'Видалити всі passkeys для {name}?',
+  'admin.passkey.resetDone': 'Видалено passkeys: {count}',
 };
 export default admin;
@@ -94,5 +94,7 @@ const login: TranslationStrings = {
  'login.oidcLoggedOut':
    'Ви вийшли з системи. Увійдіть знову через вашого SSO-провайдера.',
  'login.demoHint': 'Спробуйте демо — реєстрація не потрібна',
+  'login.passkey.signIn': 'Увійти за допомогою passkey',
+  'login.passkey.failed': 'Не вдалося увійти за допомогою passkey. Спробуйте ще раз.',
 };
 export default login;
@@ -295,6 +295,30 @@ const settings: TranslationStrings = {
  'settings.oauth.badge.machine': 'машина',
  "settings.currency": "Currency",
  "settings.currencyHint": "All amounts in Costs are converted to and shown in this currency.",
+  'settings.passkey.title': 'Passkeys',
+  'settings.passkey.description':
+    'Входьте швидше та з захистом від фішингу за допомогою passkey — відбитка пальця, обличчя, PIN-коду або апаратного ключа. Ваш пароль залишається як резервний варіант.',
+  'settings.passkey.notConfigured':
+    'Passkeys увімкнено, але цей сервер ще не повністю налаштовано. Попросіть адміністратора вказати домен WebAuthn.',
+  'settings.passkey.add': 'Додати passkey',
+  'settings.passkey.addTitle': 'Додати passkey',
+  'settings.passkey.passwordPrompt':
+    'Підтвердіть поточний пароль, а потім дотримуйтесь підказок на вашому пристрої.',
+  'settings.passkey.passwordRequired': 'Потрібен ваш поточний пароль.',
+  'settings.passkey.namePlaceholder': 'Назва (необов’язково, напр. "iPhone")',
+  'settings.passkey.addedToast': 'Passkey додано',
+  'settings.passkey.added': 'Додано',
+  'settings.passkey.addError': 'Не вдалося додати passkey',
+  'settings.passkey.cancelled': 'Налаштування passkey скасовано',
+  'settings.passkey.deleted': 'Passkey видалено',
+  'settings.passkey.deleteConfirm':
+    'Видалити цей passkey? Підтвердіть паролем.',
+  'settings.passkey.rename': 'Перейменувати',
+  'settings.passkey.defaultName': 'Passkey',
+  'settings.passkey.synced': 'Синхронізовано',
+  'settings.passkey.deviceBound': 'Цей пристрій',
+  'settings.passkey.lastUsed': 'Останнє використання',
+  'settings.passkey.neverUsed': 'Не використовувався',
 };

 export default settings;
@@ -327,5 +327,23 @@ const admin: TranslationStrings = {
  'admin.addons.catalog.journey.name': '旅程',
  'admin.addons.catalog.journey.description':
    '旅行追蹤與旅行日誌，包含打卡、照片和每日故事',
+  'admin.passkey.title': 'Passkey 登入',
+  'admin.passkey.cardHint': '讓使用者使用 Passkey（WebAuthn）登入。預設為關閉。',
+  'admin.passkey.login': '啟用 Passkey 登入',
+  'admin.passkey.loginHint':
+    '顯示「使用 Passkey 登入」選項，並讓使用者在設定中註冊 Passkey。',
+  'admin.passkey.notConfigured':
+    '此部署尚未解析出任何 WebAuthn 網域。請設定下方的 APP_URL 或 Relying Party ID——在此之前 Passkey 將保持隱藏。',
+  'admin.passkey.rpId': 'Relying Party ID（網域）',
+  'admin.passkey.rpIdHint':
+    'Passkey 綁定的純網域，例如 trek.example.org。留空則從 APP_URL 推導。日後變更將使現有 Passkey 失效。',
+  'admin.passkey.origins': '允許的來源',
+  'admin.passkey.originsHint':
+    '以逗號分隔的完整來源，例如 https://trek.example.org。留空則使用 APP_URL。',
+  'admin.passkey.reset': '重設 Passkey',
+  'admin.passkey.resetHint':
+    '移除此使用者的所有 Passkey（例如裝置遺失時）。他們仍可使用密碼登入。',
+  'admin.passkey.resetConfirm': '要移除 {name} 的所有 Passkey 嗎？',
+  'admin.passkey.resetDone': '已移除 {count} 個 Passkey',
 };
 export default admin;
@@ -84,5 +84,7 @@ const login: TranslationStrings = {
  'login.oidcOnly': '密碼登入已關閉。請透過 SSO 提供商登入。',
  'login.oidcLoggedOut': '您已登出。請重新透過 SSO 提供商登入。',
  'login.demoHint': '試用演示——無需註冊',
+  'login.passkey.signIn': '使用 Passkey 登入',
+  'login.passkey.failed': 'Passkey 登入失敗，請重試。',
 };
 export default login;
@@ -284,6 +284,28 @@ const settings: TranslationStrings = {
    '在地圖上顯示車站 / 機場名稱。關閉時僅顯示圖示。',
  "settings.currency": "Currency",
  "settings.currencyHint": "All amounts in Costs are converted to and shown in this currency.",
+  'settings.passkey.title': 'Passkey',
+  'settings.passkey.description':
+    '使用 Passkey 更快登入，並可抵禦網路釣魚——透過你的指紋、臉部、PIN 碼或硬體金鑰。你的密碼仍會保留作為備援。',
+  'settings.passkey.notConfigured':
+    'Passkey 已啟用，但此伺服器尚未完成設定。請聯絡管理員設定 WebAuthn 網域。',
+  'settings.passkey.add': '新增 Passkey',
+  'settings.passkey.addTitle': '新增 Passkey',
+  'settings.passkey.passwordPrompt': '請確認你目前的密碼，然後依照裝置提示操作。',
+  'settings.passkey.passwordRequired': '請輸入你目前的密碼。',
+  'settings.passkey.namePlaceholder': '名稱（選填，例如 "iPhone"）',
+  'settings.passkey.addedToast': 'Passkey 已新增',
+  'settings.passkey.added': '已新增',
+  'settings.passkey.addError': '無法新增 Passkey',
+  'settings.passkey.cancelled': 'Passkey 設定已取消',
+  'settings.passkey.deleted': 'Passkey 已移除',
+  'settings.passkey.deleteConfirm': '要移除此 Passkey 嗎？請以密碼確認。',
+  'settings.passkey.rename': '重新命名',
+  'settings.passkey.defaultName': 'Passkey',
+  'settings.passkey.synced': '已同步',
+  'settings.passkey.deviceBound': '此裝置',
+  'settings.passkey.lastUsed': '上次使用',
+  'settings.passkey.neverUsed': '從未使用',
 };

 export default settings;
@@ -326,5 +326,23 @@ const admin: TranslationStrings = {
  'admin.addons.catalog.journey.name': '旅程',
  'admin.addons.catalog.journey.description':
    '旅行追踪与旅行日志，包含签到、照片和每日故事',
+  'admin.passkey.title': '通行密钥登录',
+  'admin.passkey.cardHint': '允许用户使用通行密钥（WebAuthn）登录。默认关闭。',
+  'admin.passkey.login': '启用通行密钥登录',
+  'admin.passkey.loginHint':
+    '显示"使用通行密钥登录"选项，并允许用户在其设置中注册通行密钥。',
+  'admin.passkey.notConfigured':
+    '此部署尚未解析出有效的 WebAuthn 域名。请设置 APP_URL 或下方的 Relying Party ID——在此之前通行密钥将保持隐藏。',
+  'admin.passkey.rpId': 'Relying Party ID（域名）',
+  'admin.passkey.rpIdHint':
+    '通行密钥所绑定的纯域名，如 trek.example.org。留空则从 APP_URL 推导。之后更改将使现有通行密钥失效。',
+  'admin.passkey.origins': '允许的来源',
+  'admin.passkey.originsHint':
+    '以逗号分隔的完整来源，如 https://trek.example.org。留空则使用 APP_URL。',
+  'admin.passkey.reset': '重置通行密钥',
+  'admin.passkey.resetHint':
+    '移除该用户的所有通行密钥（如设备丢失时）。他们仍可使用密码登录。',
+  'admin.passkey.resetConfirm': '移除 {name} 的所有通行密钥？',
+  'admin.passkey.resetDone': '已移除 {count} 个通行密钥',
 };
 export default admin;
@@ -83,5 +83,7 @@ const login: TranslationStrings = {
  'login.oidcOnly': '密码登录已关闭。请通过 SSO 提供商登录。',
  'login.oidcLoggedOut': '您已退出登录。请重新通过 SSO 提供商登录。',
  'login.demoHint': '试用演示——无需注册',
+  'login.passkey.signIn': '使用通行密钥登录',
+  'login.passkey.failed': '通行密钥登录失败，请重试。',
 };
 export default login;
@@ -283,6 +283,28 @@ const settings: TranslationStrings = {
  'settings.notificationPreferences.ntfy': 'Ntfy',
  "settings.currency": "Currency",
  "settings.currencyHint": "All amounts in Costs are converted to and shown in this currency.",
+  'settings.passkey.title': '通行密钥',
+  'settings.passkey.description':
+    '使用通行密钥更快登录，并能抵御钓鱼攻击——通过指纹、面容、PIN 或硬件密钥验证。你的密码仍可作为备用方式。',
+  'settings.passkey.notConfigured':
+    '通行密钥已启用，但此服务器尚未完成完整配置。请联系管理员设置 WebAuthn 域名。',
+  'settings.passkey.add': '添加通行密钥',
+  'settings.passkey.addTitle': '添加通行密钥',
+  'settings.passkey.passwordPrompt': '确认你的当前密码，然后按照设备提示操作。',
+  'settings.passkey.passwordRequired': '需要输入你的当前密码。',
+  'settings.passkey.namePlaceholder': '名称（可选，如 "iPhone"）',
+  'settings.passkey.addedToast': '通行密钥已添加',
+  'settings.passkey.added': '已添加',
+  'settings.passkey.addError': '无法添加通行密钥',
+  'settings.passkey.cancelled': '已取消通行密钥设置',
+  'settings.passkey.deleted': '通行密钥已移除',
+  'settings.passkey.deleteConfirm': '移除此通行密钥？请输入密码确认。',
+  'settings.passkey.rename': '重命名',
+  'settings.passkey.defaultName': '通行密钥',
+  'settings.passkey.synced': '已同步',
+  'settings.passkey.deviceBound': '此设备',
+  'settings.passkey.lastUsed': '上次使用',
+  'settings.passkey.neverUsed': '从未使用',
 };

 export default settings;