The Passkeys authenticator enables strong, public key-based credentials for user authentication. Passkeys are WebAuthn credentials that require user verification and are available across different contexts and devices. Authenticating with a Passkey usually requires the user to perform a biometric gesture on the device or to enter the device's PIN. The Passkeys specification refers to an authentication device as an authenticator. In the Curity Identity Server the term authenticator has a different meaning, so this documentation uses the word device instead.
When creating a Passkeys authenticator, the following configuration options are available:
- allow-registration-during-login
- account-manager
When device registration is allowed for this authenticator, a prerequisite authenticator must be configured. The prerequisite authenticator establishes a subject that is used to look up an account through the configured Account Manager.
The Passkeys authenticator supports the Hypermedia Authentication API (HAAPI) on iOS devices. The HAAPI model uses the following two client-operation values:
- webauthn-registration
- webauthn-authentication
Android and web clients should use the fallback mechanism, which triggers an external browser flow in the form of an error action.
iOS domain association establishes the link between the Identity Server and the mobile application that is required for passkey generation. To serve the apple-app-site-association (association) file from the Identity Server, the application details need to be configured in environments/environment/service/zones/{appropriate zone}/mobile-app-association/ios-app-configuration. Alternatively, the file can be placed in the dist/usr/share/webroot/.well-known/ directory.
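As an added example (not code from the Curity documentation or product), a small Python check of the kind a practitioner would run against the file the Identity Server serves at /.well-known/apple-app-site-association before enabling passkeys on iOS. The team ID and bundle identifier in the constructed sample are placeholders.

```python
import json
import re

# Apple app identifiers take the form TEAMID.bundle.identifier: a 10-character
# team ID followed by the app's bundle identifier.
APP_ID_RE = re.compile(r"^[A-Z0-9]{10}\.[A-Za-z0-9][A-Za-z0-9.\-]*$")

# Constructed sample of what the Identity Server would serve for passkeys.
# "ABCDE12345" and "com.example.passkeysapp" are placeholders, not real identifiers.
SAMPLE_AASA = json.dumps(
    {"webcredentials": {"apps": ["ABCDE12345.com.example.passkeysapp"]}}
)


def validate_aasa(body: bytes, content_type: str = "application/json") -> list[str]:
    """Return the problems found in an apple-app-site-association response.

    An empty list means the file looks usable for passkey domain association.
    """
    problems = []
    # Apple's fetcher expects the file to be served as application/json.
    if content_type.split(";")[0].strip().lower() != "application/json":
        problems.append(f"unexpected Content-Type {content_type!r}, expected application/json")
    # A leading BOM breaks strict JSON parsers; serve plain UTF-8.
    if body.startswith(b"\xef\xbb\xbf"):
        problems.append("file starts with a UTF-8 BOM; serve plain UTF-8 JSON")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        return problems + [f"body is not valid JSON: {exc}"]
    # Passkeys (and password autofill) are governed by the webcredentials section.
    apps = doc.get("webcredentials", {}).get("apps") if isinstance(doc, dict) else None
    if not isinstance(apps, list) or not apps:
        problems.append("missing or empty webcredentials.apps; passkeys require this section")
        return problems
    for app_id in apps:
        if not isinstance(app_id, str) or not APP_ID_RE.match(app_id):
            problems.append(f"app identifier {app_id!r} is not of the form TEAMID.bundle.identifier")
    return problems
```

Feed it the response body and Content-Type header obtained from the Identity Server's .well-known path; Apple also requires the file to be reachable over HTTPS without redirects.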
The following limitations are known about the Passkeys authenticator