Activate Passkeys and Let Your Users Log in without a Password

Auth0 by Okta now supports passkeys! Here’s how you activate them so your users can enjoy passwordless login.

Oct 4, 2023 · 7 min read

Passkeys Are Now Available in Auth0 by Okta!

Passkeys are a replacement for passwords, and they’re now a feature in Auth0! Your users can enjoy the convenience and enhanced security that passkeys provide.

If you’d like to find out more about what passkeys are, what the user experience is like, and how they work, take a look at this article on the Okta blog: Adding Passkeys to Your Applications with Okta Customer Identity Cloud Powered by Auth0. It will provide you with plenty of background information about this new feature.

If you want to activate passkeys for your users, read on! You’ll be pleased that the process takes very few steps.

Activating Passkeys

Passkeys are available as a feature on all Auth0 plans — even the free ones! This means that if you want to familiarize yourself with passkeys and their user experience, you can set up a free tenant and add passkey-enabled authentication to your applications at no cost.

Good news for developers: you don’t have to update any code!

You don’t have to change any of your application code to support passkeys. The same code that displays the Universal Login box with the email and password fields will display the new version, with its Continue with a passkey button, once you enable passkeys in your tenant.

How to activate passkeys

To enable passkeys for your users, sign in to the Auth0 Dashboard and, if necessary, select a tenant.

In the left column menu, select Authentication → Database. You will be taken to the Database Connections page:

Database Connections page

Remember that with passkeys, the authentication server stores the users’ public keys. This means that in order to enable passkeys, user information must be stored in an Auth0 database. You cannot use a custom database if you want users to sign in with passkeys.

Choose an existing Customer Identity Cloud database from the list or create a new one by clicking the + Create DB Connection button and then choose that database. In this example, we’ll enable passkeys on the default Username-Password-Authentication database connection.

You should now be on the Settings tab of the database connection:

Settings page of the Username-Password-Authentication database connection

Click the Authentication Methods tab. This is where you activate passkeys:

Authentication Methods tab, with Passkey switch in the “off” position

Turn on the Passkey switch. This will activate passkeys for the tenant’s users.

Depending on your current database setup, you might need to change some settings before you can enable passkeys. You’ll know this is the case if you click the Passkey switch and see a pop-up like this:

Pop-up showing missing passkey prerequisites

Click the link for any item marked PENDING and make the required changes. For example, if “New Universal Login Experience must be enabled:” is PENDING, click that link to go to the login experience page and enable the New Universal Login.

Here are all the required configurations for passkeys:

  • Enable these features:
    • Identifier First login flow. The Identifier First login flow presents the user with a screen where they enter their identifier, followed by another step where the user provides proof of their identity, such as a password or confirmation from a face or fingerprint recognition system. It differs from the Identifier + Password login flow, which presents the user with a single screen to enter both their email and password.
    • New Universal Login Experience. The New Universal Login Experience provides many improvements over the Classic Universal Login Experience, including support for the W3C/FIDO Web Authentication API, which is necessary for passkeys.
  • Disable these features:
    • Custom Login Page. Currently, the login flow for passkeys does not support custom login pages.
    • Requires username. With passkeys, there is no need for an additional text field for the user to enter a username.
    • Use my own database. Passkeys require a specific database setup, so only the Customer Identity Cloud database is allowed when passkeys are enabled.

Once you’ve met all the prerequisites for passkeys, you can enable them. The page should look like this:

Authentication Methods tab, with Passkey switch in the “on” position

You can now configure the settings for passkeys. Do this by clicking the Configure link for the Passkey item. This will take you to the Passkey Policy tab of the Policies page for the database connection:

Passkey Policy tab of Policies page

Let’s take a closer look at each of the settings areas on this page.

The first section is the Passkey Challenge section, which defines how Universal Login presents passkey options to the user:

Passkey Challenge section

The default selection, Both, results in a Universal Login box that looks like this:

Universal Login box featuring both email address text field and “Continue with a passkey” button

This version of the Universal Login box provides two options for logging in with a passkey. First, there’s the very obvious Continue with a passkey button at the bottom, which presents a list of passkey options when pressed.

There’s also the less obvious autofill. It appears when you click on the Email address field, also providing passkey options:

Universal Login box with a pop-up menu appearing beside the Email address text field

This is where the “discoverable” part of passkeys comes in. The user doesn’t have to type in their email address to log in because the browser is able to discover this information.

Since passkeys will be new to most users, we recommend providing users with as many options as possible by selecting the Both option.
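To make the earlier point that the server stores only users’ public keys, and the “discoverable” login described above, more concrete, here is an added example (not Auth0’s code and not part of the original article) that models a WebAuthn-style login in Node.js. RP_ID, ORIGIN, the in-memory credential store and all helper names are assumptions, and the model skips CBOR/COSE parsing and signature-counter handling.

```javascript
// Added example. All values are constructed; RP_ID, ORIGIN and helper names are hypothetical.
const crypto = require('node:crypto');

const RP_ID = 'login.example.com';
const ORIGIN = 'https://login.example.com';
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
const newChallenge = () => crypto.randomBytes(32).toString('base64url');

// Server-side store: credential ID -> { userHandle, publicKey }. No shared secret is kept.
const credentials = new Map();

// Stand-in for the user's device: the private key never leaves this closure.
function createPasskey(userHandle) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const credentialId = crypto.randomBytes(16).toString('base64url');
  credentials.set(credentialId, { userHandle, publicKey }); // enrollment: server gets the public key only
  const sign = (challenge, origin = ORIGIN) => {
    const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
    // authenticatorData: rpIdHash (32 bytes) | flags (UP=0x01, UV=0x04) | signCount (4 bytes)
    const authenticatorData = Buffer.concat([sha256(RP_ID), Buffer.from([0x05]), Buffer.alloc(4)]);
    const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    const signature = crypto.sign('sha256', signed, privateKey);
    // A discoverable credential returns userHandle, so no email has to be typed.
    return { credentialId, userHandle, clientDataJSON, authenticatorData, signature };
  };
  return { credentialId, sign };
}

// Server-side verification of a login assertion. Returns the user handle or throws.
function verifyAssertion(a, expectedChallenge) {
  const cred = credentials.get(a.credentialId);
  if (!cred) throw new Error('unknown credential');
  const clientData = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') throw new Error('wrong ceremony type');
  if (clientData.challenge !== expectedChallenge) throw new Error('challenge mismatch');
  if (clientData.origin !== ORIGIN) throw new Error('origin mismatch');
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) throw new Error('rpIdHash mismatch');
  if ((a.authenticatorData[32] & 0x01) === 0) throw new Error('user not present');
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  if (!crypto.verify('sha256', signed, cred.publicKey, a.signature)) throw new Error('bad signature');
  if (a.userHandle !== cred.userHandle) throw new Error('user handle mismatch');
  return cred.userHandle;
}
```

The challenge and origin checks are what make a captured assertion useless for replay or on a look-alike domain, and a leak of the credential store exposes no secret that can be used to sign in.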

The next section contains the enrollment controls:

Progressive Enrollment and Local Enrollment sections

We recommend that you turn on both Progressive Enrollment and Local Enrollment, as they make for a better user experience. This is especially true for the Local Enrollment option, which lets users create a new passkey on their local device.

Take Passkeys for a Test Run

Now that you’ve enabled passkeys, it’s time to try them out. Click on Getting Started in the left column menu, then click the Try it out link in the Try your Login box section:

The Getting Started page

You’ll see the Universal Login box:

Universal Login box featuring both email address text field and “Continue with a passkey” button

Create a new account by clicking the login box’s Sign up link. You’ll see this:

The “Create Your Account” window

Enter an email address into the field and click the Continue button. You’ll be given the option to create a passkey:

Create a passkey for All Applications on this device

Click the Create a passkey button. You’ll see this pop-up:

The “Create a passkey” pop-up

Select the This device option. The pop-up will be replaced with this:

The follow-up “Create a passkey” pop-up

Click Continue to create a passkey on your computer. You’ll then be asked to verify your identity with your computer:

“Google Chrome is trying to verify your identity” pop-up

Once you’ve authenticated yourself, you’ll see this sign of success:

The Dashboard’s “It Works!” screen

Congratulations! You’ve successfully enabled passkeys on your tenant!

Try creating passkeys using your tenant’s applications and then logging in. Here’s one of my mobile apps authenticating against my passkey-enabled tenant:

Universal Login screen with passkeys activated, as seen on an iPhone 14

Conclusion

Activate passkeys now and see how you can give your users a more convenient, more secure login experience!