What is passkey authentication? An overview and the benefits of using Auth0!
Introduction
Password authentication is widely used as the login method for web services. According to a 2020 survey by Yahoo Japan, approximately 76% of respondents said they use passwords to log in to services.
However, password authentication has well-known security and usability problems, so passwordless authentication is becoming increasingly available.
Auth0 currently supports the following passwordless authentication methods:
- WebAuthn-based Biometric Authentication
- One-Time Passcode Authentication (OTP)
- Magic Link Authentication
In addition, with a feature update in January 2024, Auth0 now supports passkey authentication (synced passkeys).
This page introduces the following:
- Passkey authentication process
- Passkey authentication specifications
- Functions required for passkey authentication
- Benefits of using Auth0 for passkey authentication
What is passkey authentication (Synced passkey)?
Passkey authentication process
From the user's perspective, logging in to a web service with passkey authentication looks like this:
- Access the web service
- Verify identity with biometrics or PIN entry on the device
- The web service login succeeds

Passkey authentication is part of FIDO authentication, a standard set by the FIDO Alliance, and is a form of passwordless authentication based on public key cryptography and challenge-response authentication. During the initial passkey registration, the public key is stored on the web service side and the private key is stored on the user's device. During authentication, the user's device uses the private key to sign a challenge issued by the service provider, and the service provider uses the stored public key to verify the signature returned by the user. Because the private key never leaves the device, the service provider never holds a secret that could be used to impersonate the user.
The flow of the passkey authentication process is as follows:
1. Web service: Receives a login request from the user.
2. Web service: Generates a challenge that is valid only for this login attempt and asks the user's device to sign it.
3. User's device: Prompts the user to verify their identity.
4. User: Verifies identity via biometrics or PIN entry.
5. User's device: Signs the challenge with the private key registered on the device and returns the signed challenge to the web service.
6. Web service: Verifies the returned signature against the challenge generated in step 2 using the registered public key. If verification succeeds, the login is complete.

Compared to password authentication, passkey authentication has the following advantages for both the user and the service provider:
- Authentication is done with biometrics or PIN entry on the device, so you log in to the service the same way you unlock your smartphone.
→ User side: There is no need to create and remember new credentials such as passwords for each service.
- The secret (the private key) is stored only on the user's side, so no secret has to be shared between the user and the service provider. Even if the public key is leaked from the service provider, authentication cannot succeed unless the private key is leaked from the user's device.
→ Service provider: Achieves an authentication infrastructure with higher security than password authentication.
Passkey authentication is divided into two specifications: Device-bound passkey and Synced passkey, depending on how the private key is stored.
Until now, Auth0 only supported device-bound passkeys, but with the January 2024 update, it now also supports synced passkeys.
Passkey authentication specifications
- Device-bound passkey
A device-bound passkey is a specification in which the private key is stored only on a single device, so the passkey never leaves that device. However, if the registered device is lost or replaced, the passkey must be registered again.

- Synced passkey
A synced passkey is a specification that allows passkey information to be synchronized between multiple devices. Synchronization is tied to an account on a platform such as Apple or Google, and the private key is stored in that platform's cloud.
- Apple (iOS/iPadOS/macOS): Sync via iCloud Keychain
- Google (Android): Sync via Google Password Manager
You need devices running the OS of the same platform, but as long as they do, the private key is shared between them, so a registered passkey can still be used even if one device is lost or replaced.

In addition to the two specifications above, there is a specification called Cross-device Authentication.
- Cross-device Authentication (Hybrid)
Cross-device Authentication (Hybrid) is a specification that lets a user log in to a web service from a device that does not support passkeys by performing the passkey authentication on a different device that does.
To prevent an unauthorized person from abusing cross-device authentication to log in, the device logging in to the web service and the device performing the passkey authentication must be physically close to each other, which is verified through Bluetooth communication between the two devices.

Functions required for passkey authentication
To implement passkey authentication for users, the following functions are mainly required on the web service side:
- Features for users
  - Passkey registration/authentication processing
  - Screens
    - Passkey registration screen
    - Passkey authentication screen
    - Screen proposing migration to passkey authentication
  - Management of registered passkeys
    - View registered passkeys/devices
    - Delete a registered passkey/device
- Admin features
  - Selection of whether passkey authentication is used, per application or per user
  - Management of registered passkeys
    - View the devices for which a user has registered a passkey
    - Delete a device for which a user has registered a passkey
    - View the date a user last used passkey authentication
Benefits of using Auth0 for passkey authentication
Auth0 offers the following features related to passkey authentication:
- Features for users
  - Passkey registration/authentication processing
  - Screens
    - Passkey registration screen
    - Passkey authentication screen
    - Screen proposing migration to passkey authentication
- Admin features
  - Selection of whether passkey authentication is used, per linked application
  - Management of registered passkeys
    - View the devices for which a user has registered a passkey
    - Delete a device for which a user has registered a passkey
    - View the date a user last used passkey authentication
The functions listed under "Functions required for passkey authentication" are still needed on the web service side, but with Auth0 they do not have to be implemented from scratch, which reduces the development effort of introducing passkey authentication.
Auth0 can also present existing users with a screen that encourages them to switch to passkey authentication.

Note that Auth0 does not provide functions beyond those listed above; for example, letting users manage their own passkeys must be implemented on the web service side.
Conclusion
On this page, we have introduced the flow and specifications of passkey authentication, the functions required to implement it, and the benefits of using Auth0.
For information on how to implement passkey authentication with Auth0, please see Implementing Passkey Authentication with Auth0.
If you are interested in learning more about how to implement passkey authentication with Auth0, please contact us.
References
- Passkeys - Auth0 docs
- FIDO2 - FIDO Alliance
- Cross-Device Authentication - Terms | passkeys.dev
- Device-bound passkey - Terms | passkeys.dev
- Synced passkey - Terms | passkeys.dev