Passkeys Developer Resources on passkeys.dev

What are passkeys?

Sat, 24 Sep 2022 16:02:27 +0000

Passkeys are:

Intuitive

Creating and using passkeys is as simple as consenting to save and use them. No having to create a password.

Automatically unique

Bootstrapping

Mon, 10 Oct 2022 19:52:26 +0000

Authenticating the user

This section applies when the Relying Party (RP) does not yet know who is controlling the client device. There is no browser artifact (such as a cookie or a credential ID in local storage) available to the RP, although for now we assume that the user has an existing account with the RP.

To bootstrap an account, serve the user a sign-in page.

Reauthentication

Mon, 10 Oct 2022 19:52:16 +0000

Reauthentication might happen for the following reasons:

The user signed out and now wants to sign in again
The user session expired due to inactivity, and the user wants to sign in again
The user is about to perform a sensitive action, and needs to re-confirm control over the user session

You’ll use passkeys that you set up in the previous section to reauthenticate the user in each of these situations. The WebAuthn API call is the same in all three cases, but the UI treatment that you provide is slightly different. Since the particular account is specified by you, the platform will not offer the user to select a different account on your service.

Client Hints

Wed, 24 Sep 2025 05:07:38 +0000

Overview

When creating a passkey, WebAuthn Clients display a credential manager selection screen asking users to choose where to store their new passkey. The selector typically defaults to local credential managers because they offer immediate availability and support for synced passkeys, the default credential type in unmanaged, consumer contexts.

During a sign in flow, the WebAuthn Client will do its best to help the user select a passkey which is immediately available, and fall back to an external authenticator selection screen. This typically shows an option for FIDO Cross-Device Authentication and security keys. In environments where only security keys are allowed, having additional options such as displaying a QR code for cross-device authentication flows can confuse users and lead to unnecessary support costs.

Related Origin Requests

Thu, 22 Aug 2024 15:20:51 +0000

Use Cases

Where suppoted, Related Origin Requests (ROR) can help Relying Parties offer users the ability to use a single origin-bound passkey across the following deployment patterns:

Deployments that use different country code top-level domains (ccTLD) across the world
Deployments where a single company’s different services are served from different domains

Warning

Libraries

Sat, 24 Sep 2022 16:02:27 +0000

Selection criteria

Companies that want to own passwordless authentication internally, or are looking to implement a turnkey solution for passkeys, will likely look for libraries or vendors. When selecting a library to implement passkeys, what should Relying Party developers keep an eye on?

Note: A small set of these criteria are not specific to passkeys, but are useful to keep in mind when selecting an open-source solution.

Test Sites & Tools

Sat, 24 Sep 2022 16:02:27 +0000

FIDO2/WebAuthn Tools

(create and use passkeys from another device)

Overview

Windows Hello, the local platform authenticator in Windows 10 and 11, has the following capabilities:

Known Issues

Sat, 03 Sep 2022 16:09:38 +0000

User Verification

The following list of passkey providers have not implemented User Verification in a spec-compliant manner.

Provider	Architecture	`uv`=`required`	`uv`=`preferred`
1Password	Extension	❌ Handles request without performing UV, sets UV true	❌ Sets UV true without performing UV
1Password	Native	✅ Performs UV	✅ UV flag accurate
Bitwarden	Extension	❌ Handles request without performing UV, sets UV true	❌ Sets UV true without performing UV
KeepassXC	Extension	❌ Handles request without performing UV, sets UV true	❌ Sets UV true without performing UV
Okta Personal	Extension	❌ Handles request without performing UV, sets UV true	❌ Sets UV true without performing UV
Okta Personal	Native	✅ Performs UV	✅ UV flag accurate
Proton Pass	Extension	❌ Handles request without performing UV, sets UV true	❌ Sets UV true without performing UV
Proton Pass	Native	❌ Handles request without performing UV, sets UV true	❌ Sets UV true without performing UV
Strongbox	Native	❌ Handles request without performing UV, sets UV true	❌ Sets UV true without performing UV

Architecture: Extension = web browser extension, Native = OS native app using provider APIs

Specifications

Thu, 04 Aug 2022 17:33:14 +0000

The two primary technical specifications that work together to enable passkeys are Web Authentication, commonly referred to as WebAuthn, and the Client to Authenticator Protocol (CTAP), commonly referred to as FIDO2.

The two specs together are often referred to as one stack, FIDO2/WebAuthn.

W3C Web Authentication (WebAuthn)

WebAuthn is the primary specification used by developers.

Platforms also create their own platform-specific abstractions of the WebAuthn API for use by native apps.

Terms

Thu, 12 Nov 2020 13:26:54 +0100

2FA user

A user whose account has 2FA turned on, i.e., who must present 2 authentication factors during sign-in.

2-Factor Authentication (2FA)

also sometimes referred to as MFA: multi-factor authentication or 2SV: two-step verification

This refers to a contract between a user and a Relying Party (RP) where the RP must collect at least two distinct authentication factors from the user during a bootstrap sign-in.

About passkeys.dev

Mon, 01 Jan 0001 00:00:00 +0000

passkeys.dev is brought to you by members of the W3C WebAuthn Community Adoption Group and the FIDO Alliance .

Engage and Contribute

Ask & Discuss

Github

Device Support

Mon, 01 Jan 0001 00:00:00 +0000

This page, along with the rest of passkeys.dev, is targeted at relying party developers and is not intended to be an end user facing resource.

Said differently, please don’t link to this page from end user focused resources 😉

Matrix

This matrix represents the default capabilities for a user out of the box. Additional capabilities may be available when a user installs a different passkey provider.

Privacy Policy

Mon, 01 Jan 0001 00:00:00 +0000

TLDR: We do not use cookies and we do not collect any personal data.

Website visitors

No personal information is collected.
No information is stored in the browser.
No information is shared with, sent to or sold to third-parties.
No information is shared with advertising companies.
No information is mined and harvested for personal and behavioral trends.
No information is monetized.