Auth0 by Okta now supports passkeys! Here’s how you activate them so your users can enjoy passwordless login.
Brought to you by @joey.devilla
Has anyone tried Passkeys before? Let us know if you have any comments or thoughts!
Hi there, we tried passkeys on Android (using the React Native SDK) and in the browser on Linux devices and it works fine. Great feature, unfortunately iOS does not seem to work as easily and I cannot seem to find a guideline about how to configure it? I think we are maybe missing something on the iOS side
Is enabling passkeys with a custom database on your roadmap or will that never be supported?
@nowens Welcome to the community
As you may already be aware, Passkeys utilize public/private key cryptography, where the public key is stored on the server - in this case Auth0 as the IdP - and the private key is stored on the device. In Auth0, a database connection is used for storing public keys as this is already backed by an Auth0 secured data store in which all user credentials are kept. A custom database connection, on the other hand, is not backed by a secured Auth0 credential store, so by default there is nowhere to store Passkey public key information.
Whilst I’ll never say never, I would think it unlikely that Auth0 will provide Passkey support against a pure custom database connection…unless, of course, there’s a real demand for doing so. What Auth0 does support, however, is Passkey support for Automatic (a.k.a. Lazy) Migration - which is a scenario in which custom database connectivity and a secured Auth0 credential store act in tandem.
Hope this helps
@elena.padovani and welcome to the community!
Please accept my apologies for the delayed response here. If you’ve not already found a solution, would it be possible for you to share some further details around the problem(s) you’re experiencing in iOS? Please remember that Passkeys are a browser-based technology, so using the feature in Auth0 will require you to use browser-based workflows for user authentication.
Hope this helps
I think the passkeys feature is a really big step forward. I appreciate that Auth0 is pushing the envelope here.
There is one critical issue that I’d like to get help on before integrating it into production: Recovering account access after losing a passkey
If a user with a passkey is locked out (by losing their device / yubikey etc), there is no way to securely recover the account access.
Not-so-secure Workaround:
The user could recover access by clicking “Can’t login to your account?” on the Universal Login screen, send a password reset email and set a new password. However, from that point the user will be stuck in password login state. The passkey security benefit is gone.
Feature request:
“Send a passkey enrollment invitation” feature
I’d love to hear the Auth0 team’s view on the lost passkey scenario.
Hey @riku-df, welcome to the Auth0 Community! I’m also really excited about passkeys and I’m glad to see folks are as well!
So let me go through your message and see if I can help out:
If a user using a passkey is locked out, you can go through the password recovery flow as you mentioned. However, the passkey benefit won’t be gone: once you have set a password you can create a new passkey for your account on another device (I actually tested this with my phone and my Mac).
Feature request:
“Send a passkey enrollment invitation” feature
This is a great point! Our product team is actually considering it for a future iteration.
Hope this helps a bit! Let me know if you have any other questions
Thanks @carlastabile for your insights! I really appreciate this discussion.
The password recovery flow + creating a new passkey certainly solves many parts of the problem, but there are a few issues left with the current flow.
Both of these points will be resolved if there is an option in the recovery flow to create a new passkey instead of a password.
I’m really glad that the product team is considering this feature!
We have been extensively testing the passkeys behavior, and I believe having this piece will make Auth0’s passkey solution very well-rounded.
Is there any ballpark timeline on the feature? We’d really love to see that coming
I would take the “Passkey enrollment invitation” idea/feature request (which I think is great) further:
Ideally (especially when starting with a new tenant, i.e. an empty users auth DB), it would be great if a tenant admin had the option to set up passkeys as the ONLY supported mechanism for login.
Passkeys are still new to many users, and it’s sometimes too much of a cognitive load for a user at registration time to have to choose between multiple authentication options; they might just revert to the known uid/password (even if MFA is thrown on top of it later in the registration flow, which will bring more friction to their future logins) and skip using the Passkey, which is arguably not only more secure but also simpler to use.
I have tried to customize the continueButtonText so I can remove the “Continue without passkeys” button:
https://auth0.com/docs/customize/login-pages/universal-login/customize-text-elements
during the passkey setup form in the signup flow, but I have not been successful in doing so. And I presume it is because of the statement below.
To go to a PASSKEY ONLY login setup, there would need to be an account recovery mechanism through which a user can generate a new passkey when the user loses the device and can’t have the passkeys synced, or switches, e.g., from iOS/MacBook devices to Android/Windows and the Keychain sync won’t be useful any longer.
And for this account recovery mechanism, the passkey reset email or passkey enrollment invitation needs to be in place.
BTW, we are curious too when this proposed new feature might be able to be added.