Passkeys
Passkeys allow you to log into your account using biometrics instead of a password. They are now available for free to all AuthKit customers.
Today, we are launching passkeys for AuthKit, a secure-by-design credential that enables you to log into your account using biometrics, like a fingerprint or a face scan, instead of a password. Passkeys are now available to all AuthKit customers for free.
In this article, we will learn about passkeys and how you can use them to keep your users safer while providing them with a better user experience.
What are passkeys?
No one likes passwords. They are either too easy to guess or too hard to remember. And they are not making us safer either, as years of data breaches and phishing attempts have shown. Password managers help, but not all users use them. As a response to the password problem, the Fast Identity Online (FIDO) Alliance created passkeys.
From an end-user’s perspective, a passkey is a way to log into their account using biometrics - fingerprint, facial recognition, or a PIN or pattern as a fallback. The user enters their username, uses their fingerprint, face scan, or passcode, and is logged in.
From a technical perspective, passkeys use public-private cryptographic key pairs to authenticate users. When a user creates an account using a passkey, their device generates two cryptographic keys, one public and one private. The public key stays on the service provider's server, and the private one is saved on the user’s device.
The public key stored on the server is not sensitive information and cannot be used on its own to access the account. Thus, passkeys are not vulnerable to server breaches: even if someone obtains your public key, they cannot do anything with it. The private key is securely stored on the user’s device within dedicated hardware components designed to hold sensitive data. These components are isolated and function as a vault, guaranteeing data safety even in the event of a malware attack.
Since you use biometrics to log in to an app, a passkey also counts as a second factor, replacing both a password and 2FA in one step.
Implement passkeys with WorkOS
To start using passkeys, navigate to the Authentication section of the WorkOS dashboard, click Enable under Passkeys, and use the toggle to enable the functionality for your users.
This enables passkeys for all sign-ups. New users will have the option to enroll a passkey instead of needing to generate a secure password.
Once the user signs up, the next time they sign in, the browser already knows they have a passkey registered for that site. All mainstream browsers will show an autofill prompt allowing the user to proceed directly to authenticating with biometrics. No need for the user to even enter their email address.
You also have the option to progressively enroll existing users into using passkeys. If you choose to enable this in the dashboard, any existing users will be prompted upon next sign-in to create a passkey. Users will have the option to accept, dismiss the prompt permanently, or snooze it for two weeks.
Finally, if you are using Multi-Factor Authentication (MFA), passkeys count as a second factor and users can choose to use a passkey instead of a one-time passcode.
Developers should configure an AuthKit custom domain before enabling passkeys in their production environment. Passkeys are bound to the domain on which they were created, so adding a custom domain later would prevent the use of passkeys registered on the old domain.
To get started with passkeys, see the docs.