Added
- Passkey / Security key sign-in (WebAuthn / FIDO2). Sign in with Touch ID, Face ID, Windows Hello, an Apple/Google passkey, or a YubiKey instead of typing a TOTP code. Works alongside the existing authenticator-app 2FA — register either or both, the login screen offers a picker when you have more than one. Multiple passkeys per account (phone + laptop + hardware key, each named), with a list of registered devices in Settings → Passkeys showing when each was last used. Admins can reset a user's passkeys from the Users page.
- Requires HTTPS on a real domain to register passkeys — the WebAuthn standard doesn't allow IP addresses. On a LAN-IP install Settings shows a "Passkeys — Unavailable" card with a short explanation; everything else keeps working as before. See the install guide for the env vars to set when you put the Manager behind Caddy / a reverse proxy.