
Passkeys & WebAuthn

Passkeys provide passwordless authentication using the FIDO2/WebAuthn standard. The user authenticates with a biometric (fingerprint, face) or hardware security key, and your server never handles a shared secret. The private key never leaves the device; LumoAuth stores only the public key and verifies a signed challenge at login.


What Are Passkeys?

Passkeys are cryptographic credentials stored on the user's device. They use public-key cryptography — the private key never leaves the device, and the public key is stored in LumoAuth. Authentication happens via a challenge-response, which makes passkeys:

  • Phishing-resistant: the browser only offers a passkey to the relying party ID (domain) it was registered for, and the origin is part of the signed data, so a look-alike site cannot obtain a usable signature.
  • Free of shared secrets: the server holds only a public key, so a breach yields nothing reusable.
  • User-verified: the authenticator releases a signature only after a fingerprint, face match, or device PIN (when user verification is required; without it a passkey proves possession of the device only).
  • Cross-device: synced passkeys are backed up and shared across devices by platform credential managers, while hardware security keys stay bound to the key itself.

Supported Credential Types

  • Platform authenticators (Touch ID, Face ID, Windows Hello): built into the device.
  • Roaming authenticators (YubiKey, Titan Security Key): USB/NFC hardware keys.
  • Synced passkeys (iCloud Keychain, Google Password Manager, 1Password): cross-device passkeys.

How It Works

Registration (Enrollment)

  1. User navigates to account security settings.
  2. Clicks Add Passkey.
  3. Browser prompts for biometric verification or security key.
  4. A new public-private key pair is generated on the device.
  5. The public key is stored in LumoAuth.
  6. The passkey is ready to use.

Authentication

  1. User enters their email (or clicks Sign in with Passkey).
  2. LumoAuth sends a fresh, random, single-use challenge to the browser.
  3. Browser prompts for biometric verification.
  4. The private key on the device signs the challenge together with the origin and relying party data.
  5. LumoAuth checks that the signed data carries the challenge it issued and verifies the signature with the stored public key.
  6. Login is complete, no password needed.

Configuration

Enable Passkeys

Navigate to Configuration → Auth Settings at:

/orgs/{orgId}/portal/configuration/auth-settings

Under Authentication Methods, toggle Passkeys / WebAuthn to enabled.

Settings

  • Allow Passkey Registration: users can create passkeys in account settings.
  • Allow Passkey Login: users can log in with passkeys.
  • Require User Verification: the authenticator must confirm the user with a biometric or PIN before signing. Recommended, since without it a passkey proves only possession of the device.
  • Attestation Preference: none, indirect, or direct. Attestation identifies the authenticator make and model, not the user; leave it at none unless you actually validate attestation statements against an allow-list, because direct attestation exposes a device identifier and can trigger an extra consent prompt in the browser.
  • Authenticator Types: allow platform, roaming, or both.

WebAuthn Routes

LumoAuth exposes WebAuthn endpoints for registration and authentication:

POST /webauthn/register/options → Generate registration options
POST /webauthn/register → Complete registration
POST /webauthn/authenticate/options → Generate authentication options
POST /webauthn/authenticate → Verify authentication

These endpoints follow the WebAuthn specification. Your front-end code calls the options endpoints, hands the returned options to the browser's built-in navigator.credentials.create() or navigator.credentials.get(), and posts the resulting credential back to the matching completion endpoint.
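The following is an added example of a front-end driver for those four routes; it is not LumoAuth's code. The request and response bodies are assumptions, since the page does not document them: the options endpoints are assumed to return the WebAuthn option dictionaries with every binary field (challenge, user.id, credential ids) base64url-encoded, and the completion endpoints to accept the credential serialized the same way under a `credential` key. `fetchFn` and `credentialsApi` are injectable so the flow can be exercised outside a browser.

```javascript
// Added example, not LumoAuth's code: calling the four WebAuthn routes from the
// browser. JSON body shapes are assumptions; the page does not document them.

function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

function bytesToBase64url(buf) {
  const bytes = buf instanceof Uint8Array ? buf : new Uint8Array(buf);
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

async function postJson(fetchFn, path, body) {
  const res = await fetchFn(path, {
    method: 'POST', credentials: 'same-origin',
    headers: { 'content-type': 'application/json' }, body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`${path} failed with HTTP ${res.status}`);
  return res.json();
}

// navigator.credentials needs BufferSources, so decode the base64url fields.
function decodeOptions(o) {
  const out = { ...o, challenge: base64urlToBytes(o.challenge) };
  if (o.user) out.user = { ...o.user, id: base64urlToBytes(o.user.id) };
  for (const key of ['excludeCredentials', 'allowCredentials']) {
    if (Array.isArray(o[key])) out[key] = o[key].map((c) => ({ ...c, id: base64urlToBytes(c.id) }));
  }
  return out;
}

// JSON.stringify would drop the ArrayBuffers in a PublicKeyCredential, so encode them explicitly.
function encodeCredential(cred) {
  const r = cred.response;
  const response = { clientDataJSON: bytesToBase64url(r.clientDataJSON) };
  if (r.attestationObject) { // registration response
    response.attestationObject = bytesToBase64url(r.attestationObject);
    response.transports = typeof r.getTransports === 'function' ? r.getTransports() : [];
  } else {                   // authentication response
    response.authenticatorData = bytesToBase64url(r.authenticatorData);
    response.signature = bytesToBase64url(r.signature);
    response.userHandle = r.userHandle ? bytesToBase64url(r.userHandle) : null;
  }
  return { id: cred.id, rawId: bytesToBase64url(cred.rawId), type: cred.type, response };
}

async function registerPasskey(name, deps = {}) {
  const { fetchFn = globalThis.fetch, credentialsApi = globalThis.navigator?.credentials } = deps;
  const options = decodeOptions(await postJson(fetchFn, '/webauthn/register/options', { name }));
  const cred = await credentialsApi.create({ publicKey: options });
  return postJson(fetchFn, '/webauthn/register', { name, credential: encodeCredential(cred) });
}

async function loginWithPasskey(email, deps = {}) {
  const { fetchFn = globalThis.fetch, credentialsApi = globalThis.navigator?.credentials } = deps;
  const options = decodeOptions(await postJson(fetchFn, '/webauthn/authenticate/options', { email }));
  const cred = await credentialsApi.get({ publicKey: options });
  return postJson(fetchFn, '/webauthn/authenticate', { credential: encodeCredential(cred) });
}
```

Browsers that implement the newer PublicKeyCredential.parseCreationOptionsFromJSON(), parseRequestOptionsFromJSON() and credential.toJSON() can replace the manual encoding, and `window.PublicKeyCredential` is the feature-detection hook to decide whether to show the passkey button at all. The challenge is only ever passed through here; the front end must not generate or reuse it.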


User Experience

Enrolling a Passkey

From the account security page:

/account/security
  1. Click Add Passkey.
  2. Name the passkey (e.g., "MacBook Touch ID", "YubiKey").
  3. Complete the biometric prompt.
  4. The passkey appears in the list of enrolled credentials.

Logging In with a Passkey

On the login page:

  1. Click Sign in with Passkey (or start typing an email).
  2. The browser shows available passkeys.
  3. Select a passkey and verify with biometrics.
  4. Login proceeds. No password or separate MFA step is needed, because a user-verified passkey already combines possession of the device with a biometric or PIN.

Managing Passkeys

Users can manage their passkeys from account settings:

  • View all enrolled passkeys with names and creation dates.
  • Delete individual passkeys.
  • Add new passkeys.

Passkeys as MFA

Passkeys can also be used as a second factor alongside password authentication:

  1. User enters email and password.
  2. Instead of TOTP/SMS, the system prompts for a passkey.
  3. User verifies with biometrics.
  4. MFA is satisfied.

This provides phishing-resistant, hardware-backed MFA.


Security Benefits

  • Phishing risk: passwords are high risk because they can be typed into a fake site; passkeys are bound to the registering origin, so a look-alike domain cannot use them.
  • Server breach: hashed passwords can be cracked offline; a passkey database holds only public keys, which give an attacker nothing to crack or reuse.
  • Replay attacks: a captured password can be reused; a passkey assertion signs a fresh, single-use challenge, so a captured assertion is rejected.
  • User effort: remember complex passwords, versus touching a fingerprint sensor or entering a device PIN.
  • Cross-site: the same password is often reused; a separate key pair is generated for every site.

Browser Support

Passkeys are supported in:

  • Chrome 108+ (Windows, macOS, Android)
  • Safari 16+ (macOS, iOS)
  • Firefox 122+ (Windows, macOS, Linux)
  • Edge 108+ (Windows, macOS)

For older browsers, passkey options will not appear and users can fall back to password + MFA authentication. Front-end code can check for window.PublicKeyCredential before offering the passkey button.