Passkey Auth
Estimated time to read: 4 minutes
Passkey is a digital credential that binds a user account with a website or application.
Passkeys use public key cryptography that reduces the threat from potential data breaches. They are safer than passwords as they reduce the attack surface. Since passkeys are uniquely generated for every account by the user device and work only on the registered websites and apps, they are less vulnerable to phishing.
The Passkeys Auth feature in the Arcana Auth SDK lets Web3 apps to onboard users through a biometric sensor (such as a fingerprint or facial recognition), a PIN, or a pattern supported by the OS or device where the app is running.
graph LR
A[[User]]--Create Passkey--> D(Public/Private Key)--Store-->C>Browser/User Device];
classDef an-pink stroke:#ff4e9f,stroke-width:0.25rem;
class C,D an-pinkSecurity & Privacy
Passkeys are based on FIDO standards, they work on Android, Chrome, Microsoft Windows, Microsoft Edge, MacOS, iOS and Safari.
Note that when logging in to an app via a passkey, there is no biometric information or any sensitive information that is shared with the associated website for authentication. Also, passkeys by themselves do not allow tracking of users or devices across sites. Passkeys use public key cryptography. A public–private key pair is generated when a user creates a passkey for a site or application. This is generated on the user's device. Only the public key is stored by the site. Device based passkey managers protect passkeys from unauthorized access and use.
Passkeys do not expire but they can be unlinked/deleted and new ones linked/created, if required.
How do Passkeys Work?
Passkeys are intended to be used through operating system infrastructure that allows passkey managers to create, backup, and make passkeys available to the applications running on that operating system.
Each passkey is linked or bound to the app or website.
Users aren't restricted to using the passkey only on the device where they're available. The passkey available on phones can be used when logging into a laptop, even if the passkey isn't synchronized to the laptop, as long as the phone is near the laptop and the user approves the sign-in on the phone.
graph LR
L[[User on Device A]]--1.Choose Login with Passkeys Option-->M[App/Website]
M --2.Passkey Challenge-->L
L --3.Challenge Response--> M
M -.-> V{Challenge Match}==Yes==>M--4.User Authenticated-->LPasskey Usage Options
Apps can enable passkey authentication for onboarding in two ways:
- Use passkeys for sign-up & login
- Offer passkeys as an alternate login method
Sign-up & Login
Apps that support only passkey auth can go all-in on this option. Users can sign up, create an account, and set up passkey login all in one go—no need for any other login method.
graph LR
U[[User on Device/Browser]] --1a.App Sign-up/Register Passkey--> K>App/Website];
U --1b.Create Passkey--> PK(Public/Private Key)-->U;
U --Store Public Key--> K
U --2.Login with Passkey--> K --> L((User Authenticated));
classDef an-pink stroke:#ff4e9f,stroke-width:0.25rem;
class L an-pinkFor subsequent app logins, the browser or operating system will prompt the user to select and use one of the passkeys linked with the app. To validate and ensure that the rightful owner uses a passkey, the operating system may ask users to unlock their device before supplying the passkey for authentication.
Alternate Login
Apps with multiple onboarding options only let users log in with passkeys after they’ve first used another login method and set up passkeys for future use.
Users need to sign up and log in using a different method before they can enable passkeys for future logins. Keep in mind, passkeys can’t be used for the initial sign-up.
graph LR
U[[User on Device/Browser]]--1.App Login (non-passkey)-->K>App/Website];
U--2.Create/Link Passkey-->PK(Public/Private Key)-->U;
U--Store Public Key-->K
U--3.Login with Passkey-->K-->L((User Authenticated));
classDef an-pink stroke:#ff4e9f,stroke-width:0.25rem;
class L an-pinkAfter setting up passkey for an account, on the subsequent log in attempt to the website or app, passkeys can be used. When signing in via passkeys, the browser or operating system will prompt the user to select one of the passkey associated with the app or website. To validate and ensure that the rightful owner uses a passkey, the operating system may ask users to unlock their device before supplying the passkeys list to choose from.
Passkey Configuration
-
Log in to the Arcana Developer Dashboard and register the app to get a unique Client ID. Then configure domain setting in the dashboard.
2. Install Arcana Auth SDK, integrate it with your app, and initializegraph TD DFLA{{ Developer }} --Login --> setup subgraph setup[Arcana Developer Dashboard] direction LR SP1[1. Register App] --> CLID((Unique ClientID)) SP2[2. Configure App] --> SP3[Edit/Save Passkey Usage Settings] end classDef an-pink stroke:#ff4e9f,stroke-width:0.25rem; class CLID an-pinkAuthProvider. Choose the passkey onboarding option that fits your needs: useregisterWithPasskey()for sign-up with passkey option orlinkPasskey()for using passkey as an alternate login. Then, log in users withloginWithPasskeys().graph TD DFLA{{ Developer }} --1. Install --> authsdk DFLA --2. ClientID -->AUTHP DFLA --3. Select Sign-up/Alternate Login Passkey Onboarding -->POP -->COA subgraph app[App] AUTHP[Create/Init AuthProvider] --> authsdk COA[B. Call loginWithPasskeys] --> authsdk POP[A. Call registerWithPasskey/linkPasskey] subgraph authsdk[Arcana Auth SDK] direction TB SDK1[AuthProvider Interface] end end linkStyle 1,2 stroke: deeppink; authsdk --Process Passkeys Login --> STD[Standard Passkey Validation via OS/Browser] authsdk --Fetch Key Shares --> BEP[Arcana Auth Protocol] <--> BEK[DKG] -
The Arcana Auth SDK uses the application details from the dashboard settings and
loginWithPasskeysinput data for Passkeys login processing. After verification, it gets the user's key shares from the Arcana backend and generates a user specific key locally in the app. This key lets users securely sign blockchain transactions.graph LR BED[Arcana Developer Dashboard] --Passkey Usage Settings--> BEC{Gateway} BEC <--> BEA[Arcana Auth Protocol] <--> BEDKG[DKG]
Domain
To enable passkey login for an app, as part of configuration settings, the developer must use the Arcana Auth SDK and specify the Domain of the relying party. The domain is typically a CNAME or vanity URL.
Relying Party
The relying party is the website or Web3 app that allows user to create passkeys or authenticate with passkeys.
When a user enrolls a passkey, it associates with the relying party domain. If the domain name changes at any time, all of the passkeys associated with the old domain become invalid.