Activate Passkeys and Let Your Users Log in without a Password

Auth0 by Okta now supports passkeys! Here’s how you activate them so your users can enjoy passwordless login.

:writing_hand: Brought to you by @joey.devilla

1 Like

Has anyone tried Passkeys before? Let us know if you have any comments or thoughts!

1 Like

Hi there, we tried passkeys on Android (using the React Native SDK) and in the browser on Linux devices, and it works fine. Great feature; unfortunately, iOS does not seem to work as easily and I cannot seem to find a guideline about how to configure it. I think we are maybe missing something on the iOS side.

Is enabling passkeys with a custom database on your roadmap or will that never be supported?

:wave: @nowens Welcome to the community :sunglasses:

As you may already be aware, Passkeys utilize public/private key cryptography, where the public key is stored on the server - in this case Auth0 as the IdP - and the private key is stored on the device. In Auth0, a database connection is used for storing public keys as this is already backed by an Auth0 secured data store in which all user credentials are kept. A custom database connection, on the other hand, is not backed by a secured Auth0 credential store, so by default there is nowhere to store Passkey public key information.

Whilst I’ll never say never, I would think it unlikely that Auth0 will provide Passkey support against a pure custom database connection… unless, of course, there’s a real demand for doing so. What Auth0 does support, however, is Passkey support for Automatic (a.k.a. Lazy) Migration - which is a scenario in which custom database connectivity and a secured Auth0 credential store act in tandem.

Hope this helps :hugs:

1 Like
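The public/private key split described in the reply above, and the lost-device case raised later in the thread, sketched as an added example that is not part of the original posts and is not Auth0 code. It is a simplified challenge/response, not the WebAuthn wire format; `credentialStore`, `createPasskey`, `verifyLogin` and the user id are hypothetical names.

```javascript
// Added illustration: simplified passkey-style challenge/response (not WebAuthn, not Auth0 code).
const crypto = require('node:crypto');

// Server-side credential store (hypothetical): holds public keys only.
const credentialStore = new Map(); // userId -> [{ credentialId, publicKeyPem }]

// The "device" creates a key pair; only the public half is sent to the server.
function createPasskey(userId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const credentialId = crypto.randomBytes(16).toString('hex');
  const publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  const creds = credentialStore.get(userId) || [];
  creds.push({ credentialId, publicKeyPem });
  credentialStore.set(userId, creds);
  return { credentialId, privateKey }; // the private key never leaves the device
}

// The server issues a fresh random challenge for every login attempt.
const newChallenge = () => crypto.randomBytes(32);

// The device proves possession of the private key by signing the challenge.
function signChallenge(device, challenge) {
  const signature = crypto.sign('sha256', challenge, device.privateKey);
  return { credentialId: device.credentialId, signature };
}

// The server checks the signature against the stored public key.
function verifyLogin(userId, challenge, assertion) {
  const creds = credentialStore.get(userId) || [];
  const cred = creds.find((c) => c.credentialId === assertion.credentialId);
  if (!cred) return false;
  return crypto.verify('sha256', challenge, cred.publicKeyPem, assertion.signature);
}

function demo() {
  const phone = createPasskey('user-1'); // constructed sample user
  const c1 = newChallenge();
  const a1 = signChallenge(phone, c1);
  const ok = verifyLogin('user-1', c1, a1);
  // An old assertion does not verify against a new challenge.
  const replay = verifyLogin('user-1', newChallenge(), a1);
  // Lost device: a replacement holds a different private key and cannot sign in
  // until a new credential is enrolled, which is why a recovery path is needed.
  const otherKey = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' }).privateKey;
  const c2 = newChallenge();
  const wrongKey = verifyLogin('user-1', c2,
    signChallenge({ credentialId: phone.credentialId, privateKey: otherKey }, c2));
  const storeHasPrivate = JSON.stringify([...credentialStore.values()]).includes('PRIVATE KEY');
  return { ok, replay, wrongKey, storeHasPrivate };
}
console.log(demo());
```
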

:wave: @elena.padovani and welcome to the community! :sunglasses:

Please accept my apologies for the delayed response here. :thinking: If you’ve not already found a solution, would it be possible for you to share some further details around the problem(s) you’re experiencing in iOS? Please remember that Passkeys are a browser-based technology, so using the feature in Auth0 will require you to use browser-based workflows for user authentication.

Hope this helps :hugs:

1 Like

I think the passkeys feature is a really big step forward. I appreciate that Auth0 is pushing the envelope here.

There is one critical issue that I’d like to get help on before integrating it into production: Recovering account access after losing a passkey
If a user with a passkey is locked out (by losing their device / YubiKey etc.), there is no way to securely recover the account access.

Not-so-secure Workaround:
The user could recover access by clicking “Can’t login to your account?” on the Universal Login screen, send a password reset email and set a new password. However, from that point the user will be stuck in password login state. The passkey security benefit is gone.

Feature request:
“Send a passkey enrollment invitation” feature

  • The above problem will be solved if a new passkey enrollment invitation could be sent to the user’s email, instead of a password reset email.
  • User-initiated: “Can’t login to your account?” on the Universal Login screen shows an option for passkey
  • Admin-initiated: It’d be very straightforward if such a button is under: Dashboard > User Management > Users > user_instance > Passkeys
    I’m not sure if adding a new passkey via email invitation is technically feasible, but UX-wise that would be very straightforward.

I’d love to hear the Auth0 team’s view on the lost passkey scenario.

Hey @riku-df, welcome to the Auth0 Community! I’m also really excited about passkeys and I’m glad to see folks are as well!

So let me go through your message and see if I can help out:

If a user using a passkey is locked out, you can go through the password recovery flow as you mentioned. However, the passkey benefit won’t be gone: once you have set a password, you can create a new passkey for your account on another device (I actually tested this with my phone and my Mac).

Feature request:
“Send a passkey enrollment invitation” feature

This is a great point! Our product team is actually considering it for a future iteration.

Hope this helps a bit! Let me know if you have any other questions.

Thanks @carlastabile for your insights! I really appreciate this discussion.

The password recovery flow + creating a new passkey certainly solves many parts of the problem, but there are a few issues left with the current flow.

  1. After the recovery, the user is left with a (potentially weak) password, which opens up a new attack surface if the user was originally passkey-only.
  2. (Less importantly) this passkey creation flow requires Progressive Enrollment to be turned on, which may or may not work with some apps’ needs.

Both of these points will be resolved if there is an option in the recovery flow to create a new passkey instead of a password.

I’m really glad that the product team is considering this feature!
We have been extensively testing the passkeys behavior, and I believe having this piece will make Auth0’s passkey solution very well-rounded.

Is there any ballpark timeline on the feature? We’d really love to see that coming :slight_smile: