kevin strong-holte

All content in this article is for demonstrative purposes only. Any resemblance to existing companies, products, or features is coincidental and does not imply ownership or association.

Passkeys

Passkeys are a phishing-resistant alternative to traditional authentication factors (such as identifier/password) that offer users an easier and more secure login experience. Passkeys are based on the FIDO Alliance and W3C Web Authentication (WebAuthn) and Client to Authenticator Protocol (CTAP) specifications.

Passkeys reduce the friction experienced with single-device authentication methods by allowing credentials to sync across devices. Cross-device authentication eliminates the need for users to re-enroll on each of their devices. It also supports a more reliable recovery method as the stored credentials can survive the loss of an originating device. To learn more about passkeys, review the FIDO Alliance Passkey FAQs.

Our Platform supports passkeys as an authentication method for database connections.

User experience flows

Similar to traditional authentication factors, passkeys can support several user experience flows such as signup, login, and account recovery.

The Unified Login widget currently supports the signup and login user experience flows for passkeys.

Signup flow

The signup flow requires the user to provide an email address, and then create a passkey on either their current device or another device through cross-device authentication.

  1. Prompts the user to enter their email address.
  2. User enters their email address.
  3. Prompts the user to create a passkey.
  4. If the user selects Create a passkey, it triggers the browser (or operating system) flow to create a passkey.
    • If the user selects Continue, it prompts them to authenticate with their device’s credentials.
    • If the user selects Try another way, it prompts them to create a passkey on another device.

Login flow

The login flow allows the user to authenticate with a passkey associated with their device. If the user has not enrolled a passkey for their device, the Unified Login widget redirects them to the signup flow.

  1. Prompts the user for an email address or a passkey.
  2. User can use autofill or select Continue with a passkey.
  3. Prompts the user to authenticate with the device’s credentials.

Account reset

If the user needs to reset their account, they can trigger an interactive password reset flow through the Unified Login widget.

Passkeys are only supported on the Email/Password connection type to guarantee another factor for recovery purposes and to facilitate migration of users from passwords to passkeys.

Passkeys with multi-factor authentication (MFA) enabled

If MFA is enabled, the user may be prompted to complete an MFA challenge after authenticating with a passkey based on settings and risk assessment.

The default behavior is to require the completion of an MFA challenge regardless of whether the authentication method used was a password or a passkey. Given the high level of security passkeys provide, you may skip MFA for users who have authenticated with a passkey in order to reduce friction.

To learn more, read Reduce friction with passkeys and Multi-Factor Authentication.

Passkeys with multiple custom domains

If you have multiple custom domains configured for your tenant, our platform allows users to enroll one passkey per domain. Each domain-passkey combination is considered unique and stored on your tenant accordingly.

For passwordless login, the selected custom domain is reflected in the generated magic link.
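The following is an added example, not the widget's or the platform's own code. It builds the browser WebAuthn options behind the signup flow (step 4, create a passkey), the login flow (step 2, autofill or "Continue with a passkey") and the relying-party ID check that explains why one passkey is stored per custom domain. It assumes the server supplies the `challenge` and an opaque `userId` (both `Uint8Array`); the field and function names are illustrative.

```javascript
// Added example (not the platform's own widget code): client-side WebAuthn
// option builders for the signup and login flows, plus the RP ID check that
// explains why a passkey is scoped to a single custom domain.
// Assumed: the server issues `challenge` and an opaque `userId` (Uint8Array).

// WebAuthn only lets a page use an RP ID equal to, or a registrable suffix
// of, the page's own host. A passkey created under one custom domain is
// therefore not usable from another, so each domain gets its own passkey.
// (Simplified: browsers additionally reject public suffixes such as "com".)
function rpIdAllowedFor(pageHost, rpId) {
  const host = pageHost.toLowerCase();
  const id = rpId.toLowerCase();
  return host === id || host.endsWith("." + id);
}

// Signup step 4: options for navigator.credentials.create(). residentKey
// "required" asks for a discoverable credential so autofill login works later.
function buildCreationOptions({ rpId, rpName, userId, email, challenge }) {
  return {
    publicKey: {
      challenge,
      rp: { id: rpId, name: rpName },
      // user.id is an opaque server-generated handle, never the email itself
      user: { id: userId, name: email, displayName: email },
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },   // ES256
        { type: "public-key", alg: -257 }, // RS256
      ],
      authenticatorSelection: { residentKey: "required", userVerification: "required" },
      timeout: 60000,
    },
  };
}

// Login step 2: options for navigator.credentials.get(). mediation
// "conditional" is the browser's autofill UI; the email input needs
// autocomplete="username webauthn" for the passkey to be offered there.
function buildLoginOptions({ rpId, challenge, autofill }) {
  const options = { publicKey: { challenge, rpId, userVerification: "required" } };
  if (autofill) options.mediation = "conditional";
  return options;
}

// Browser-only glue, guarded so the module also loads outside a browser.
async function createPasskey(opts) {
  if (typeof navigator === "undefined" || !navigator.credentials) return null;
  if (!rpIdAllowedFor(location.hostname, opts.rpId)) throw new Error("rpId not valid for this origin");
  return navigator.credentials.create(buildCreationOptions(opts));
}
```

The returned credential must still be verified server-side (origin, RP ID hash, challenge, signature) before the login or signup completes.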