Passkeys Developer Resources on passkeys.dev

What are passkeys?

Sat, 24 Sep 2022 16:02:27 +0000

Passkeys are:

Intuitive

Creating and using passkeys is as simple as consenting to save and use them. No having to create a password.

Automatically unique

Bootstrapping

Mon, 10 Oct 2022 19:52:26 +0000

Authenticating the user

This section applies when the Relying Party (RP) does not yet know who is controlling the client device. There is no browser artifact (such as a cookie or a credential ID in local storage) available to the RP, although for now we assume that the user has an existing account with the RP.

To bootstrap an account, serve the user a sign-in page.

Reauthentication

Mon, 10 Oct 2022 19:52:16 +0000

Reauthentication might happen for the following reasons:

The user signed out and now wants to sign in again
The user session expired due to inactivity, and the user wants to sign in again
The user is about to perform a sensitive action, and needs to re-confirm control over the user session

You’ll use passkeys that you set up in the previous section to reauthenticate the user in each of these situations. The WebAuthn API call is the same in all three cases, but the UI treatment that you provide is slightly different. Since the particular account is specified by you, the platform will not offer the user to select a different account on your service.

Client Hints

Wed, 24 Sep 2025 05:07:38 +0000

Overview

When creating a passkey, WebAuthn Clients display a credential manager selection screen asking users to choose where to store their new passkey. The selector typically defaults to local credential managers because they offer immediate availability and support for synced passkeys, the default credential type in unmanaged, consumer contexts.

During a sign in flow, the WebAuthn Client will do its best to help the user select a passkey which is immediately available, and fall back to an external authenticator selection screen. This typically shows an option for FIDO Cross-Device Authentication and security keys. In environments where only security keys are allowed, having additional options such as displaying a QR code for cross-device authentication flows can confuse users and lead to unnecessary support costs.

Related Origin Requests

Thu, 22 Aug 2024 15:20:51 +0000

Use Cases

Where suppoted, Related Origin Requests (ROR) can help Relying Parties offer users the ability to use a single origin-bound passkey across the following deployment patterns:

Deployments that use different country code top-level domains (ccTLD) across the world
Deployments where a single company’s different services are served from different domains

Warning

Libraries

Sat, 24 Sep 2022 16:02:27 +0000

Selection criteria

Companies that want to own passwordless authentication internally, or are looking to implement a turnkey solution for passkeys, will likely look for libraries or vendors. When selecting a library to implement passkeys, what should Relying Party developers keep an eye on?

Note: A small set of these criteria are not specific to passkeys, but are useful to keep in mind when selecting an open-source solution.

Test Sites & Tools

Sat, 24 Sep 2022 16:02:27 +0000

FIDO2/WebAuthn Tools

Basic

(create and use passkeys from the local device)

External Authenticator

Known Issues

Sat, 03 Sep 2022 16:09:38 +0000

Passkey Metadata

Samsung Pass

According to Samsung documentation ( source), Samsung Pass creates synced passkeys which are available on other devices where Samsung Pass is installed.

During testing on 2024-09-05, it was observed that passkeys created in Samsung Pass return the backup eligible flag as false, signaling a device-bound passkey.

Specifications

Thu, 04 Aug 2022 17:33:14 +0000

The two primary technical specifications that work together to enable passkeys are Web Authentication, commonly referred to as WebAuthn, and the Client to Authenticator Protocol (CTAP), commonly referred to as FIDO2.

The two specs together are often referred to as one stack, FIDO2/WebAuthn.

W3C Web Authentication (WebAuthn)

WebAuthn is the primary specification used by developers.

Platforms also create their own platform-specific abstractions of the WebAuthn API for use by native apps.

Terms

Thu, 12 Nov 2020 13:26:54 +0100

2FA user

A user whose account has 2FA turned on, i.e., who must present 2 authentication factors during sign-in.

2-Factor Authentication (2FA)

also sometimes referred to as MFA: multi-factor authentication or 2SV: two-step verification

This refers to a contract between a user and a Relying Party (RP) where the RP must collect at least two distinct authentication factors from the user during a bootstrap sign-in.

Device Support

Mon, 01 Jan 0001 00:00:00 +0000

This page, along with the rest of passkeys.dev, is targeted at relying party developers and is not intended to be an end user facing resource.

Said differently, please don’t link to this page from end user focused resources 😉

Matrix

This matrix represents the default capabilities for a user out of the box. Additional capabilities may be available when a user installs a different passkey provider.

Modal search

Mon, 01 Jan 0001 00:00:00 +0000

Privacy Policy

Mon, 01 Jan 0001 00:00:00 +0000

TLDR: We do not use cookies and we do not collect any personal data.

Website visitors

No personal information is collected.
No information is stored in the browser.
No information is shared with, sent to or sold to third-parties.
No information is shared with advertising companies.
No information is mined and harvested for personal and behavioral trends.
No information is monetized.