CIAM by example in four recipes: Add passwordless auth with passkeys 

This recipe is part of the series Learn CIAM by example: Four recipes to improve your apps security and UX. You can learn more about the series by downloading our four recipes in a cookbook format.

In this recipe, you learn how to add passwordless auth to your application using passkeys.

Attack vectors are becoming more sophisticated every day, and passwords aren’t the only easy target for malicious behavior. 

Consumers, legislators, and organizations are becoming more aware of malicious targeting with AI to phish, or fraudulently convince a party to share sensitive information.

For example, if a user’s number is leaked, bad actors can deploy a bot to harass them with a blast of push notifications through their registered devices, to pressure them to authorize a transaction, or even redirect them with a QR Code to a fake vendor page to sign in to steal even more data.

Phishing tactics include but are not limited to malware deployment, spyware monitoring, and account takeover to trick users into sharing more personal data that may see repeated abuse.

What is a passkey?

A passkey is a pair of keys — one for you that is public and one for your known user that is private and you never see. 

Users can count on their passkey’s private key to authorize any channel with an associated public key,  which means your users never have to set up biometrics directly with you but instead benefit from re-using their existing biometrics across your services and partner services. 

Developers can rest easy knowing that bad actors can’t do anything with their hosted public key because no consumer profile information or credentials are associated with a public key — only a user-authorized private key can link up with the public key to grant access.

With passkeys, organizations can sign in consumers across networks using their smartphone’s existing mobile technology, making it possible to authenticate almost anywhere using the same biometric or pin they use to unlock their devices. 

Why are passkeys so hot right now?

Customers want to spend less time logging in.

The way we send texts, make calls, and even post social media updates is the same technology that service providers like Apple and Google have baked into their products to make it easier and faster to log in to their ecosystems.

Now, organizations can make their own vendor ecosystems and offer users more secure ways to sign in and manage their data without a password. Passkeys can also speed up authentication by 2.6x  on your platform. 

Passkeys deliver better UX that gives organizations more control over their digital properties across systems and devices, with the added benefit for users of avoiding passwords altogether.

Fundamentally, passkeys make consumers happy because they can change devices in different contexts and environments and maintain a seamless experience, and organizations can boost their funnel.

While it may seem intimidating to add yet another digital credential to the list, passkeys are backed by strong cryptographic standards that are worth the hype, and any organization can add passkeys to their anti-phishing strategy with Auth0 by Okta. 

Recipe

Ingredients: 

Passkeys are super easy to set up. With just a few steps in the Auth0 dashboard, your cloud-hosted New Universal Login will update the rest, with passkeys available for all users.

  1. Navigate to Authentication > Authentication Profile, and select Identifier First.

    5N lXR7Tm mp9eI5ZGX6kHoICnrp9fJHr9uBb5ZJED2mtzZs XZh1LCHcSTxz0 HNWkZgWLB 8FigSl8 HEO2 UehOaYfVKeXXDRh3NEOpINvXNIt9sJqKVlUNnWFAaDKZihK4Qhi07WhVrJWPEEQvA
     

  2. Navigate to Authentication > Database and select Create DB Connection. Name it "Passkeys" and click Create. Select the Authentication Methods tab on the next screen and enable Passkey

    .2ahzaXQ1TJSeGaozgv3RE5YNTbZSh7iaJCMyKga2VyhIFfuIIdrMxbhgeiqBYEmv0KElFO 7rvh6K GEVL5lCEbMUb0P6OYJXexYQ9Jc6yg5fIABrxm0ygjtMoSrf4zmXGjn4ABYW4Vi6Fvhiime mE

    BDnhgT8t8xbSCd3 2 3RGTTGgneLUsmMMGYmW4pZuOjyopbVgZnzP7R3Ry2DiwfFlDWEYRzbug6fbXQMNku v jXGkyULiHO2Qv5NzFNS0lK1FPSMKkzy6 oL5zpsPRq1RNEcOlSdcbpH ljM2rPbvI
     

  3. And that’s it! When you go to log in or sign up, you will see passkey as an option, with all UX and secure authentication best practices baked in:

    zfpUHSynpMk 0oscH9yiK2YijNmdn3Mel37Iau6iPoS 8WJ7kD1nzZ80KfHbLjVCBeVSXPrM0hMBExPjdOJXjJfPEv3TVR74HNwrjirvhyuickyvOi  4wCB2DpN N4WBkGtu1Fvs gbmdSh1csUx1c

 

Passkeys: The customer-friendly security

Passkeys make it easy for users to safely traverse multiple networks and channels because passkeys cut through multiple vendor networks without sharing credentials, including passwords.

Passkeys are never shared outside of their device or services and capture a user’s consent (double tapping that side button) to access their digital properties without entering a password. 
 

NApKRVyf5O3zjuF7ELtPkThoiSA62D Hfc1cORNbXz d3QfVUYc8SmWTy4IAwi1kxut7Yv l6TvjGoCj9F6Otp83rCE ZiHiZF01VTgYABxQrusz5LldISIIpv 0VPf7VHtCIJK5L3zPIMkW3UYF0C0

 

Software-bound

Passkeys can authenticate users without passwords across devices and services to continue streaming your favorite show from your smartphone to your tablet.

 

Let’s say your user signed up for your streaming service using their Google credentials, but they use their Apple ID for everything else because they have an iPhone and an iPad.

 

A user’s iPhone passkey can be used (with their consent) to create a passkey for that streaming service on their iPad for their Google account, without any of the steps that are involved with normal biometrics enrollment and sharing between vendors, which are replaced by a synced passkey. 

 

0MhJt3C X9sDVKrDv NRcsF0ZWMGtKa8WXpcbq9NxSQqENOEFudlAYx6MjQvU0R4fIYCPPfg4H4IvU RCqzM1lXrvL0oAQi4NQVeJEki73biwy687b5QspIupZ x1if5IlaJ09ZNf2T1P5XruR1R1gc

a67R9Iq98zUwZWya7TeXYcJ9xMNxqakWv7SsS1ooLAowCJi32m6aNjNJ IJtxbDgUxIxX3vR6 4VAFuEC6 XcDIM4dPe9Nt9qQDy HKTJh 7ue9 K8mlsguSPKoi8qa8Iu drEq QPvYQ5fqJjde9lA

KWWXtHrtcjYAcVAJRZaLUgokMu1agQ3y3UuJH5PKKzI dHmVIB1aMzp6s7joWGI OD97ScUSaH lmvgESVHq3y9X7VhvCN0bFcqzGT7kTe sv0WKMfUJCXyeROnaXKjvlLj0c2yNDjoSLQCplvj8pA4

QqpZeG11G9IBOM2AAfU4h6tzeG0OX5pafxkScBDhpdbk YA M69Iup7l10PZuXgF9749BlByMmqhtwjIC3dzSSltI2WHSs3A2CrzlLPY6VMMCe1mLo2 75bdZLj22TytAwhpytPI3awRVcEGtfKtOyQ

 

Device-bound 

Passkey hardware, like a Yubikey, is the gold standard for phishing resistance and consumer-available security. In fact, when performed over near-field communication,  it is the most secure way to use a passkey because the passkey never leaves the device, and the use of a physical device accommodates proof of presence.

A device-bound passkey can be used to perform cross-device authentication in proximity to each other — and instantly sync, sign in, (and start streaming) across devices, and is considered the most secure passkey pattern.

Brands can protect their perimeters by encouraging the use of passkey hardware and, like one media giant, see higher conversion rates and a dramatic decrease in account service requests, all while protecting against malicious activity and delivering a secure, frictionless experience that consumers love.

To learn more about device-bound passkeys, check out our post on how to set up with Auth0.

What's next?

Congratulations on adding passwordless to your apps with passkeys! Now, we're ready to check in on data privacy! To fully protect your customers' information and comply with regulations like GDPR, HIPAA, and CCPA, your app needs to deliver additional features like user consent, data auditing, and a preference center.

In our upcoming recipe, we'll delve into essential elements to get your app inline with data privacy. To get all recipes in a comprehensive guide, download our cookbook.