Passkeys

A passkey is a digital credential tied to a specific user account and application. Based on the WebAuthn standard, passkeys are designed to replace traditional password-based authentication with a simpler and more secure experience that often uses biometric identification.

By default, passkeys are disabled in Auth.it. To enable them:

  1. In the Authentication view, locate the Passkeys section.
  2. Click Enable Passkeys to open the settings window.
  3. Switch the first toggle from Disabled to Enabled.

If you want to make passkeys mandatory for all users, switch the second toggle from Not required to Required.

Configuring passkeys

Click Save changes when you’re done configuring passkeys.

Registering a passkey

If passkeys are enabled and required, then the next time a user logs in with their username and password, they’ll see a screen prompting them to register a new passkey. [Screenshot: Passkey registration screen]

When the user clicks Register, an operating system– and browser-specific flow begins to create and save a passkey.

For example, in Chrome on macOS, the user starts by selecting where to save the passkey. [Screenshot: Passkey save locations]

On the next screen, they create a passkey in the selected location. If the device has a biometric sensor, creating a passkey usually requires only a Touch ID or Face ID confirmation. [Screenshot: Passkey creation screen]

If the device doesn’t have a built-in biometric sensor, the browser automatically offers a cross-device flow: a QR code appears on the screen, which the user can scan with a phone that has a biometric sensor to create a passkey.

Once a passkey is created, the user is prompted to assign it a label for easier identification. [Screenshot: Passkey label screen]

How passkeys are stored and synced

Depending on where a user chooses to store it, a passkey may be available only on one device or automatically synced across multiple devices.

If cloud-synced storage is used — such as iCloud Keychain, Google Password Manager, or Microsoft Account — the passkey is synced across devices and can be used on any device signed in to the same Apple, Google, or Microsoft account.

In other cases, such as when using a hardware key, the passkey is only available on the device where it was created.
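A relying party can tell the two storage cases above apart from the backup eligibility (BE) and backup state (BS) flags in the WebAuthn authenticator data. The following is an added example, not Auth.it code; the function names and the sample bytes are constructed for illustration.

```javascript
// Added example: classify a passkey as synced or device-bound from the
// WebAuthn authenticator data flags. Function names are hypothetical.
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified (biometric or PIN)
const FLAG_BE = 0x08; // backup eligible: the credential may be synced
const FLAG_BS = 0x10; // backup state: the credential is currently backed up

// Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
function parseAuthenticatorData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const parsed = {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backedUp: (flags & FLAG_BS) !== 0,
    signCount: view.getUint32(33, false),
  };
  // WebAuthn does not allow BS to be set when BE is clear.
  if (parsed.backedUp && !parsed.backupEligible) {
    throw new Error("invalid flags: BS set without BE");
  }
  return parsed;
}

function classifyPasskey(authData) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.backupEligible) return "device-bound";
  return parsed.backedUp ? "synced" : "sync-eligible, not yet backed up";
}

// Constructed sample input: zeroed rpIdHash plus the given flags and counter.
function sampleAuthData(flags, signCount = 0) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, signCount, false);
  return buf;
}

console.log(classifyPasskey(sampleAuthData(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)));
console.log(classifyPasskey(sampleAuthData(FLAG_UP | FLAG_UV, 7)));
```

Recording these flags at registration lets you apply different policy to synced and device-bound passkeys, for example when deciding which credentials satisfy a stricter sign-in requirement.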

Signing in with a passkey

On subsequent logins, the user enters their email address as usual. When asked for a password, they’ll see an additional option labeled Try Another Way. [Screenshot: Password entry form with a link to log in with a passkey]

Clicking this link displays all available login options, including Passkey. [Screenshot: Passkey login options]

If the user chooses to sign in with a passkey, they’re prompted to unlock it using a biometric sensor on their device or, if one is unavailable, by scanning a QR code with their mobile device. [Screenshot: Passkey login UI]

Once the passkey is successfully verified, the user is signed in and redirected back to your application.