Authentication with Passkeys
Published on February 1, 2024
Go Beyond Passwords with Passkeys
We all know the limitations and challenges of passwords: they're often weak, easily forgotten, and susceptible to phishing attacks. Enter passkeys, a new and revolutionary approach to online authentication that promises to address these pain points and usher in a passwordless future.
Passkeys are a new technology based on public key cryptography that replaces passwords, enabling users to securely sign in to websites and apps using their biometrics (fingerprint, facial recognition), PIN, or a hardware security key. Passkeys eliminate the need to remember complex passwords or type them repeatedly, enhancing user experience and security.
Passkeys replace passwords with cryptographic key pairs for phishing-resistant sign-in security and an improved user experience. You can use these cryptographic keys from end-user devices like computers, phones, or security keys for user authentication. Any passwordless FIDO credential is a passkey.
You can learn more about passkeys with Auth0 by Okta in Passkeys for Auth0 Database Connections.
Why Use This Technology?
Passkeys are a new and innovative way to sign in to apps and websites, offering several compelling advantages over traditional passwords and other authentication methods:
- Enhanced Security: Passkeys are inherently more secure than passwords because of their cryptographic nature and device-based authentication. They are resistant to phishing attacks, in which users are tricked into revealing their passwords on fake websites, because a passkey is bound to the website or app it was created for. The private key stays on the user's device, and only public information is stored on the server, reducing the risk associated with data breaches.
- Intuitive: Passkeys eliminate the hassle of remembering and managing multiple passwords for different accounts. Instead, users sign in with their fingerprint, facial recognition, or PIN, making the sign-in process seamless and secure.
- Backed by the Industry's Best: Passkeys are backed by a strong consortium of tech giants, including Apple, Google, Okta, and Microsoft, ensuring widespread adoption and compatibility across platforms and devices. This broad support will facilitate a smooth transition from passwords to a more secure and convenient authentication method.
- Enhanced Privacy: Passkeys are designed to be more privacy-focused than traditional passwords or social logins. They are stored locally on users' devices, and only public keys are shared with websites or apps.
- Simple: With Auth0, implementing passkey authentication can be as simple as switching a toggle, as you'll see by completing this lab.
Lab Setup
Before we get started, let's make sure you have all you need to run this workshop:
- A free Auth0 Account.
- We recommend creating a new account or new tenant for this exercise.
Enable Passkeys in Your Auth0 Tenant
Log in to your Auth0 Dashboard and navigate to "Authentication" > "Database" > "Username-Password-Authentication".
Click on the tab "Authentication Methods" to access the Passkey feature.
Toggle the "Passkey" switch on. The passkey flow depends on other settings of your tenant. If your tenant doesn't meet some of the requirements, you'll be prompted with a screen like the following, highlighting the additional steps you need to complete before passkeys can be used:
Let's break down these passkey prerequisites.
We need to enable these features to use passkeys:
- Identifier First login flow. The Identifier First login flow presents the user with a screen where they enter their identifier, followed by another step where the user provides proof of their identity, such as a password or confirmation from a face or fingerprint recognition system. It differs from the Identifier + Password login flow, which gives the user a single screen to enter their email and password.
- New Universal Login Experience. The New Universal Login Experience provides many improvements over the Classic Universal Login Experience, including support for the W3C Web Authentication API, which is necessary for passkeys.
In turn, we need to disable these features:
- Custom Login Page. Currently, the login flow for passkeys does not support custom login pages.
- Requires username. With passkeys, there is no need for an additional text field for the user to enter a username.
- Use my own database. Passkeys cannot be used with external databases.
If you are using a freshly created tenant or you have not customized your Authentication Profile before, you likely need to set your tenant's Authentication Profile to use the "Identifier First" login flow.
In the "Passkey Authentication Prerequisites" modal, right-click on the first option, "Identifier First login flow", and open that link in a new browser window or tab to address that pending prerequisite.
In the "Authentication Profile" page that loads up, select "Identifier First" and then save your changes by clicking on the "Save" button in the top-right corner.
By selecting "Identifier First", you change the login and sign-up flow so that the email address is requested first, and the password or another authentication method is prompted for on a second screen, similar to what Google does with its login flow.
Head back to the "Username-Password-Authentication" page, and toggle the "Passkey" option to enable it. This time around, you get a confirmation message saying that your tenant has passkeys enabled:
You can optionally click on "Configure" to customize the passkeys experience further, though the default configuration is all you need for now.
It's now time to test your passkey workflow.
Test Your Passkeys Connection
From the Database Connections screen or the Auth0 Dashboard home page, click on the "Try now" button to start a new Universal Login preview, which now displays a new option to log in with passkeys:
Create a new account by clicking the login box's "Sign up" link.
Enter an email address into the field and click the Continue button. Then, you are given the option to create a passkey:
Click the "Create a passkey" button. You'll see a pop-up giving you different options to create a passkey:
Depending on your OS and device (mobile phone or laptop), the details can differ, but the general idea remains the same: you need to choose how to create and store your passkey. The passkey can live on a hardware device such as a security key, your laptop, or a smartphone, or in software, for example in Chrome using your Google Account, in Apple's keychain, or in a password manager with passkey support such as 1Password.
For quick setup, you can choose a built-in functionality to create a passkey, which you'll normally confirm with a method such as biometrics or a PIN.
At this point, you will see the following page as a sign of success:
Congratulations! You've successfully enabled passkeys on your Auth0 tenant!
Recap
In this lab, you learned how to configure Auth0 to use passkeys for authentication. Welcome to the future of authentication!
To learn more about passkeys and Auth0, please visit Passkeys for Auth0 Database Connections in our documentation.