Passkeys & WebAuthn

Passkeys provide passwordless authentication using the FIDO2/WebAuthn standard. Users authenticate with biometrics (fingerprint, face recognition) or hardware security keys instead of passwords.


What Are Passkeys?

Passkeys are cryptographic credentials stored on the user's device. They use public-key cryptography - the private key never leaves the device, and the public key is stored in LumoAuth. Authentication is verified by a cryptographic challenge-response, making passkeys:

  • Phishing-resistant - Bound to the specific origin (domain)
  • No shared secrets - Nothing to steal from the server
  • Biometric-backed - Require fingerprint, face, or PIN to use
  • Cross-device - Sync across devices via platform credential managers

Supported Credential Types

Type | Examples | Use Case
Platform Authenticators | Touch ID, Face ID, Windows Hello | Built into the device
Roaming Authenticators | YubiKey, Titan Security Key | USB/NFC hardware keys
Synced Passkeys | iCloud Keychain, Google Password Manager, 1Password | Cross-device passkeys

How It Works

Registration (Enrollment)

  1. User navigates to account security settings
  2. Clicks "Add Passkey"
  3. Browser prompts for biometric verification (fingerprint/face) or security key
  4. A new public-private key pair is generated on the device
  5. The public key is stored in LumoAuth
  6. Done - the passkey is ready to use

Authentication

  1. User enters their email (or clicks "Sign in with Passkey")
  2. LumoAuth sends a cryptographic challenge to the browser
  3. Browser prompts for biometric verification
  4. The private key on the device signs the challenge
  5. LumoAuth verifies the signature with the stored public key
  6. Login is complete - no password needed

Configuration

Enable Passkeys

Navigate to Configuration > Auth Settings at:

/t/{tenantSlug}/portal/configuration/auth-settings

Under Authentication Methods, toggle Passkeys / WebAuthn to enabled.

Settings

Setting | Description
Allow Passkey Registration | Users can create passkeys in account settings
Allow Passkey Login | Users can log in with passkeys
Require User Verification | Enforce biometric/PIN (recommended)
Attestation Preference | "none", "indirect", or "direct" attestation
Authenticator Types | Allow platform, roaming, or both

WebAuthn Routes

LumoAuth exposes WebAuthn endpoints for registration and authentication:

POST /webauthn/register/options → Generate registration options
POST /webauthn/register → Complete registration
POST /webauthn/authenticate/options → Generate authentication options
POST /webauthn/authenticate → Verify authentication

These endpoints follow the WebAuthn specification and are used by the browser's built-in navigator.credentials API.
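As an added example (not LumoAuth's own client code), here is a browser-side client for the four routes above. WebAuthn hands the page ArrayBuffers while the routes speak JSON, so most of the work is base64url conversion in both directions before calling navigator.credentials.create() and navigator.credentials.get(). The request and response field names (`name`, `email`, `credential`, and the option fields) are assumptions and should be checked against your LumoAuth deployment; fetch and navigator.credentials are injectable so the shaping logic can be exercised outside a browser.

```javascript
// Added example, not LumoAuth code. Request/response JSON field names are
// assumptions; verify them against your deployment.

// WebAuthn uses raw ArrayBuffers; the JSON routes use base64url strings.
function b64urlToBuf(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s.replace(/-/g, '+').replace(/_/g, '/') + pad);
  return Uint8Array.from(bin, (c) => c.charCodeAt(0)).buffer;
}
function bufToB64url(buf) {
  const bytes = new Uint8Array(buf);
  let bin = '';
  for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode the binary fields of server-issued options before passing them
// to navigator.credentials.
function decodeCreationOptions(opts) {
  return {
    ...opts,
    challenge: b64urlToBuf(opts.challenge),
    user: { ...opts.user, id: b64urlToBuf(opts.user.id) },
    excludeCredentials: (opts.excludeCredentials || []).map((c) => ({ ...c, id: b64urlToBuf(c.id) })),
  };
}
function decodeRequestOptions(opts) {
  return {
    ...opts,
    challenge: b64urlToBuf(opts.challenge),
    allowCredentials: (opts.allowCredentials || []).map((c) => ({ ...c, id: b64urlToBuf(c.id) })),
  };
}

// Encode a PublicKeyCredential into JSON for the completion routes. The
// attestation fields are present after create(), the assertion fields after get().
function encodeCredential(cred) {
  const r = cred.response;
  const out = {
    id: cred.id,
    rawId: bufToB64url(cred.rawId),
    type: cred.type,
    response: { clientDataJSON: bufToB64url(r.clientDataJSON) },
  };
  if (r.attestationObject) out.response.attestationObject = bufToB64url(r.attestationObject);
  if (r.authenticatorData) {
    out.response.authenticatorData = bufToB64url(r.authenticatorData);
    out.response.signature = bufToB64url(r.signature);
    if (r.userHandle) out.response.userHandle = bufToB64url(r.userHandle);
  }
  return out;
}

async function postJson(fetchImpl, url, body) {
  const res = await fetchImpl(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    credentials: 'same-origin',
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`${url} failed: ${res.status}`);
  return res.json();
}

// Registration: options -> navigator.credentials.create() -> complete.
async function registerPasskey({ fetchImpl = fetch, credentials = navigator.credentials, name }) {
  const opts = await postJson(fetchImpl, '/webauthn/register/options', { name });
  const cred = await credentials.create({ publicKey: decodeCreationOptions(opts) });
  return postJson(fetchImpl, '/webauthn/register', { name, credential: encodeCredential(cred) });
}

// Authentication: options -> navigator.credentials.get() -> verify.
async function loginWithPasskey({ fetchImpl = fetch, credentials = navigator.credentials, email }) {
  const opts = await postJson(fetchImpl, '/webauthn/authenticate/options', { email });
  const cred = await credentials.get({ publicKey: decodeRequestOptions(opts) });
  return postJson(fetchImpl, '/webauthn/authenticate', { credential: encodeCredential(cred) });
}
```

In a page, `loginWithPasskey({ email })` wired to the "Sign in with Passkey" button is enough; the defaults pick up the real fetch and navigator.credentials. The challenge is never generated or interpreted by the client: it is decoded only so the authenticator can sign it, and the server compares it on the completion route.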


User Experience

Enrolling a Passkey

From the account security page:

/account/security

  1. Click "Add Passkey"
  2. Name the passkey (e.g., "MacBook Touch ID", "YubiKey")
  3. Complete the biometric prompt
  4. The passkey appears in the list of enrolled credentials

Logging In with a Passkey

On the login page:

  1. Click "Sign in with Passkey" (or start typing email)
  2. The browser shows available passkeys
  3. Select a passkey and verify with biometrics
  4. Instant login - no password or MFA needed

Managing Passkeys

Users can manage their passkeys from account settings:

  • View all enrolled passkeys with names and creation dates
  • Delete individual passkeys
  • Add new passkeys

Passkeys as MFA

Passkeys can also be used as a second factor alongside password authentication:

  1. User enters email and password
  2. Instead of TOTP/SMS, the system prompts for a passkey
  3. User verifies with biometrics
  4. MFA is satisfied

This provides the strongest MFA - phishing-resistant and hardware-backed.


Security Benefits

Feature | Passwords | Passkeys
Phishing Risk | High - can be entered on fake sites | None - bound to origin
Server Breach | Hashed passwords can be cracked | Only public keys stored
Replay Attacks | Possible | Impossible - challenge-response
User Effort | Remembering complex passwords | Touch fingerprint sensor
Cross-Site | Same password often reused | Unique per site

Browser Support

Passkeys are supported in:

  • Chrome 108+ (Windows, macOS, Android)
  • Safari 16+ (macOS, iOS)
  • Firefox 122+ (Windows, macOS, Linux)
  • Edge 108+ (Windows, macOS)

For older browsers, passkey options will not appear and users can fall back to password + MFA authentication.
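The fallback described above can be decided at page load. The following added example (not LumoAuth's code) checks for WebAuthn support and two optional capabilities, platform authenticator availability and conditional mediation (the mode in which passkeys are offered from the email field's autofill), and returns which login UI to render; the window object is injectable so the decision can be tested without a browser, and in a page you would call `chooseLoginMode(window)`.

```javascript
// Added example, not LumoAuth code. `win` stands in for the browser's
// window object; in a page, call chooseLoginMode(window).
async function chooseLoginMode(win) {
  const PKC = win.PublicKeyCredential;
  const hasApi = typeof PKC !== 'undefined' && !!(win.navigator && win.navigator.credentials);
  if (!hasApi) {
    // Older browsers: hide the passkey option, show password + MFA.
    return { mode: 'password-mfa', reason: 'WebAuthn unavailable' };
  }
  // Both static methods are part of the WebAuthn API but are newer than
  // the API itself, so guard each call.
  const platform = typeof PKC.isUserVerifyingPlatformAuthenticatorAvailable === 'function'
    ? await PKC.isUserVerifyingPlatformAuthenticatorAvailable()
    : false;
  const conditional = typeof PKC.isConditionalMediationAvailable === 'function'
    ? await PKC.isConditionalMediationAvailable()
    : false;
  return { mode: 'passkey', platform, conditional };
}
```

A `platform: false` result does not mean passkeys are unusable: a roaming security key or a synced passkey on another device may still work, so the button should stay visible and only the autofill behaviour depends on `conditional`.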