
Passkeys

Passkeys provide fast, phishing-resistant authentication with device-bound credentials.


Enable passkeys

Turn on passkeys in the Admin UI for your tenant and configure allowed origins.


How passkey registration works

Passkey registration requires an authenticated user session. In the hosted UI, users are offered passkeys after their first successful login (PIN or magic link).

Registration flow:

  1. Passkeys registration returns WebAuthn publicKey options.
  2. The browser calls navigator.credentials.create() to create a credential.
  3. Passkeys registration verifies the response and stores the credential.

How passkey login works

Passkeys use discoverable WebAuthn credentials so users can sign in without entering a username.

Login flow:

  1. Passkeys login returns a login challenge.
  2. The browser calls navigator.credentials.get().
  3. Passkeys login validates the assertion, creates a session, and continues the OAuth2 flow.

Registration UX in hosted login

After a successful first login, the hosted UI can prompt users to “Set up a passkey.” If they register, they’re redirected to the passkeys registration view. If they skip, the UI continues without registering a passkey.


Operational notes

  • Ensure your tenant domain or custom domain is included in allowed origins for WebAuthn.
  • Users can register multiple passkeys; credentials are stored per user.
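
The allowed-origins note above is what makes passkeys phishing-resistant: the browser writes the page's origin into clientDataJSON, and the server rejects any origin it does not list. The following is an added example, not this product's own code, and it covers only the clientDataJSON checks of WebAuthn verification (type, challenge, origin), not signature or authenticator-data validation. The function names, the ALLOWED_ORIGINS values and the sample challenge are constructed for illustration.

```javascript
// Added example: server-side checks on WebAuthn clientDataJSON.
// ALLOWED_ORIGINS stands in for the tenant's allowed-origins setting (assumed value).
const ALLOWED_ORIGINS = new Set(["https://login.example.com"]);

// Constructed challenge; a real server issues a fresh random one per ceremony.
const SAMPLE_CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl";

const fail = (reason) => ({ ok: false, reason });

// ceremony: "webauthn.create" for registration, "webauthn.get" for login.
// expectedChallenge: the base64url challenge stored server-side for this session.
function verifyClientData(clientDataB64, ceremony, expectedChallenge) {
  let data;
  try {
    data = JSON.parse(Buffer.from(clientDataB64, "base64url").toString("utf8"));
  } catch {
    return fail("malformed clientDataJSON");
  }
  if (data === null || typeof data !== "object") {
    return fail("malformed clientDataJSON");
  }
  // A registration response must not be accepted as a login, or the reverse.
  if (data.type !== ceremony) return fail("wrong ceremony type");
  // Binds the response to the challenge this server issued (replay protection).
  if (data.challenge !== expectedChallenge) return fail("challenge mismatch");
  // Exact match only: no prefix, suffix or wildcard comparison on origins.
  if (typeof data.origin !== "string" || !ALLOWED_ORIGINS.has(data.origin)) {
    return fail("origin not allowed");
  }
  return { ok: true, reason: null };
}

// Builds a constructed clientDataJSON, base64url-encoded as a browser sends it.
function sampleClientData(overrides = {}) {
  const clientData = {
    type: "webauthn.get",
    challenge: SAMPLE_CHALLENGE,
    origin: "https://login.example.com",
    ...overrides,
  };
  return Buffer.from(JSON.stringify(clientData), "utf8").toString("base64url");
}
```

A look-alike origin such as `https://login.example.com.attacker.test` fails the exact-match check even though it begins with an allowed origin, which is why the allowed-origins list should contain full origins (scheme, host and port) rather than patterns.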

UX recommendations

  • Offer passkeys as the default sign-in option.
  • Provide a magic link fallback for unsupported devices.