Passkey Authentication
Overview
Passkeys, a cutting-edge authentication method, offer faster, easier, and more secure sign-ins across devices and applications. Unlike traditional passwords, passkeys use public-key cryptography to eliminate shared secrets, making them inherently resistant to phishing and credential theft. Their ease of use makes them a simple and effective solution for your authentication needs.
By adopting passkeys, businesses can enhance security, improve user experience, reduce password fatigue, and minimize IT support overhead for password recovery.
This document provides an in-depth look at passkeys, including their key features, use cases, configuration, and API implementation.
Key Features
Passkeys introduce a secure and seamless authentication process with several advantages. They offer a flexible approach to authentication, allowing users to choose from various options that best suit their needs.
- Enhanced Security – Eliminates weak passwords and reduces vulnerabilities by using public-key cryptography.
- Phishing Resistance – Authentication is tied to specific services, preventing credential theft.
- Improved User Experience – Enables effortless login through biometrics or device authentication, eliminating the need for memorized passwords.
- Cross-Device Compatibility – Supports authentication across multiple devices and platforms.
Business Use Cases
Passkeys enhance authentication security and user experience across both B2B and B2C environments by eliminating passwords, reducing credential theft risks, and improving login convenience.
- Seamless Workforce Authentication: Enterprises can enhance employee security while reducing password reset requests and IT support costs.
- Customer Account Protection: B2C platforms can leverage passkeys to safeguard users from phishing attacks and credential leaks.
- Frictionless User Onboarding: New users can register instantly without passwords, improving conversion rates and reducing account recovery issues.
- Regulatory Compliance: Organizations in finance, healthcare, and other regulated industries can use passkeys to help meet regulations and standards such as GDPR and SOC 2.
- Cross-Device Authentication: Users can seamlessly access their accounts across different devices without password resets or multi-factor authentication (MFA) prompts.
Authenticator Options for Passkeys
Passkeys rely on authenticators to store and manage cryptographic key pairs. LoginRadius supports the following types of authenticators:
- Platform Authenticators:
- Built into device operating systems or hardware.
- Use biometric verification (e.g., fingerprints, facial recognition) or secure device methods (e.g., PINs or Windows Hello).
- Roaming Authenticators (Cross-Platform):
- Portable external security keys (e.g., USB-based authenticators).
- Allow users to authenticate securely across multiple devices.
Configuration
The Configuration section guides you through setting up Passkeys in the Admin Console and explains their usage via APIs.
If you encounter a 'Feature not available' message, it means that the particular feature is not enabled in your account. Please contact the LoginRadius support team for assistance in enabling this feature.
Admin Console Configuration
- Navigate to the Authentication > Passkeys section of the LoginRadius admin console.
- Enable the Passkey Authentication toggle.
- Configure the following settings as per the business requirements:
  - Passkey Selection: Choose between Autofill, Button, or Both.
    - Autofill lets users select the passkey from the browser's autofill suggestions in the login form.
    - Button displays a "Sign In with Passkey" button on the login page.
    - Both enables the Autofill and Button options together.
  - Progressive Enrollment: This feature prompts users to set up a passkey during email/password login if they do not have one yet. Users can skip this step, and the prompt reappears after a specified delay, which you can set in the 'Progressive Enrollment Delay' option.
    - Progressive Enrollment Delay (Days): Specify the number of days after which the progressive enrollment prompt reappears for users who skipped it.
  - Local Enrollment: Enable this to prompt users to create a local passkey when they log in on a new device using a cross-device passkey. Users can skip this step if needed.
  - Relying Party Display Name: This is the brand name of the site or service the user is trying to access. Enter the brand name of the relying party (site) here.
  - Relying Party ID: Enter the base domain name, without scheme or port.
  - Relying Party Origins: Enter the exact origin with scheme and, if applicable, port. Example: https://.hub.loginradius.com
- Click the Update button to apply the configuration.
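The Relying Party ID and Relying Party Origins settings above determine which sites a passkey will work on, and a mismatch between them is a common misconfiguration. The following is an added example, not LoginRadius code: it validates an ID/origins pair against the rules stated above (ID is a bare domain, each origin is scheme plus host plus optional port on that domain or a subdomain of it) and shows the origin and challenge check a relying party's finish step performs on the clientDataJSON an authenticator returns, which is the mechanism behind the phishing resistance mentioned under Key Features. All domain names, the challenge and the clientDataJSON are constructed sample values.

```javascript
// Added example (not LoginRadius code): validates the Relying Party ID / Origins settings
// described above and shows the origin check a relying party performs on clientDataJSON.
// Relying Party ID must be a bare domain: no scheme, port or path.
function isValidRpId(rpId) {
  return /^(?!-)[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(rpId);
}

// Canonical "scheme://host[:port]" for an origin entry, or null if it carries a path,
// query, credentials or a non-secure scheme (http is accepted for localhost only).
function normalizeOrigin(value) {
  let url;
  try { url = new URL(value); } catch { return null; }
  const secure = url.protocol === 'https:' || (url.protocol === 'http:' && url.hostname === 'localhost');
  if (!secure || url.pathname !== '/' || url.search || url.hash || url.username) return null;
  return url.origin; // default ports are dropped, matching how browsers report origin
}

// Every configured origin must be on the RP ID or one of its subdomains; a look-alike
// domain such as evil-example.com is rejected.
function validateRpConfig(rpId, origins) {
  const problems = [];
  const id = rpId.toLowerCase();
  if (!isValidRpId(rpId)) problems.push(`Relying Party ID "${rpId}" must be a bare domain`);
  for (const entry of origins) {
    const origin = normalizeOrigin(entry);
    if (!origin) { problems.push(`origin "${entry}" is not scheme://host[:port]`); continue; }
    const host = new URL(origin).hostname;
    if (host !== id && !host.endsWith('.' + id)) problems.push(`origin "${entry}" is outside RP ID "${rpId}"`);
  }
  return problems;
}

// Finish-step check: the browser records the page origin and the server-issued challenge in
// clientDataJSON (base64url). An assertion collected on any other origin fails here,
// which is the mechanism behind the phishing resistance described on this page.
function verifyClientData(clientDataJSON, expectedChallenge, allowedOrigins, expectedType) {
  const data = JSON.parse(Buffer.from(clientDataJSON, 'base64url').toString('utf8'));
  if (data.type !== expectedType) return { ok: false, reason: 'type' };
  if (data.challenge !== expectedChallenge) return { ok: false, reason: 'challenge' };
  const allowed = allowedOrigins.map(normalizeOrigin).filter(Boolean);
  if (!allowed.includes(data.origin)) return { ok: false, reason: 'origin' };
  return { ok: true };
}

// Constructed sample: clientDataJSON for a login assertion, encoded as a browser would.
const CHALLENGE = 'c2FtcGxlLWNoYWxsZW5nZQ'; // sample challenge issued by the begin step
const SAMPLE_CLIENT_DATA = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge: CHALLENGE,
  origin: 'https://app.example.com' })).toString('base64url');
console.log(validateRpConfig('example.com', ['https://app.example.com', 'https://example.com/login']));
console.log(verifyClientData(SAMPLE_CLIENT_DATA, CHALLENGE, ['https://app.example.com'], 'webauthn.get'));
```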
API Implementation
LoginRadius provides multiple APIs associated with Passkeys. These APIs cover the functionality required for passkeys:
Passkeys Registration:
- Registration Begin By Passkey API can be used to initiate the Passkey registration process.
- Registration Finish By Passkey API can be used to finish the Passkey registration process.
Passkeys Login:
- Login Begin By Passkey API can be used to start the Login process using the Passkey.
- Login Finish By Passkey API is used to finalize the passkey-based login.
Passkey Management:
- List User Passkeys API can fetch a list of all the passkeys registered for a user.
- Remove Passkey By Passkey ID API can delete a particular passkey from a user profile based on the Passkey ID.
Example API Call:
curl -X GET \
'https://api.loginradius.com/identity/v2/auth/register/passkey/begin?apikey=&identifier=' \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/json'
Additional APIs are available to help you meet your use cases. The documentation provides an overview and guidance on how to use them.