Passkeys for Auth0 Database Connections

Passkeys are a phishing-resistant alternative to traditional authentication factors such as username and password, and they give users an easier and more secure login experience. They are built on the W3C Web Authentication (WebAuthn) and FIDO® Client to Authenticator Protocol (CTAP) specifications. A passkey is a public-key credential bound to the relying party's domain, so it cannot be replayed against a look-alike site the way a password can.

Passkeys reduce the friction of single-device authentication methods by allowing credentials to sync across devices. Cross-device authentication means users do not need to re-enroll on each of their devices, and a synced credential survives the loss of the device it was created on, which makes account recovery more reliable. To learn more about passkeys, review the FIDO® Alliance Passkey FAQs.

Auth0 currently supports passkeys as an authentication method for database connections.

Configure a passkey policy

Manage authentication methods

You can manage passkeys through the Auth0 Dashboard:

  1. Navigate to Authentication > Database.

    • Note: Passkeys are currently only available for database connections.

  2. Select a connection to update and access the Authentication Methods tab.

  3. Enable the toggle in the Passkey row. Then, select Configure.

Auth0 Dashboard > Authentication > Database > [Connection Name] > Authentication Methods tab.

Requirements for implementation

The list below outlines the prerequisites for implementing passkeys. If these prerequisites are not met, passkeys will not function correctly in your end-user flows.

To help guide your implementation, a readiness checklist displays at the top of the Passkey Policy screen. You can quickly access the relevant settings and monitor the status of each task through this checklist.

Auth0 Dashboard > Authentication > Database > [Connection Name] > Authentication Methods > Configure (Passkeys)

Additional Recommendations: During this Early Access period, we recommend the following best practices:

  • Passkeys are associated with specific relying party domains. If a domain name changes at any time, passkeys enrolled with that domain will become invalid. To avoid any interruptions, set up a custom domain for your tenant prior to enabling passkeys. To learn more, review Custom Domains.

  • To ensure an optimal user experience, enable passkeys for a maximum of one database connection.

  • Users cannot use passkeys when creating an account through an Organization invitation email. To allow these users to create passkeys, use an alternate method of user creation or ensure progressive enrollment is enabled.

Configure your policy

Before configuring these options, ensure you have completed the prerequisites above. On the Passkey Policy screen, you can configure the following:

Passkey Challenge

The Passkey Challenge determines how users can trigger passkey authentication during login and sign-up. The options include:

  • Autofill: Users trigger passkey authentication through their browser’s autofill feature (WebAuthn conditional UI). When the user focuses the username field of the login prompt, the browser lists saved passkeys in a dropdown menu and the user selects one; no credentials are typed.

    • Note: Users can only use autofill if the functionality has been enabled in their browser settings. If autofill is not available, users can log in using the Passkey button or their traditional credentials.

  • Passkey Button: Users must choose the Continue with a passkey option on the login prompt.

  • Both: Users can trigger passkey authentication through autofill or the Passkey button on the login prompt.

An example Login Prompt featuring the Continue with a passkey button.

Progressive Enrollment

Enabled by default, progressive enrollment prompts users to create a passkey after logging in with their email and password. This step is optional: a user who dismisses the prompt is not asked again for 30 days.

Progressive enrollment is useful when migrating users to a new passkey flow as it offers a more seamless transition between authentication methods.

When a user creates their passkey, it is added to their account as an additional authentication method. Their existing email or username and password remain valid and can be used to log in as needed. Passkeys do not replace or invalidate users’ standard credentials, so the account's exposure to credential phishing is unchanged until the password path is also protected (for example with MFA).

Local Enrollment

Enabled by default, local enrollment prompts existing users to create a local passkey when using a cross-device passkey to log in to a new device. For example, existing passkey users can use a QR code to log in to a new device that is within physical proximity of a previously-enrolled device. If local enrollment is enabled in this scenario, the user is prompted to create a local passkey on the new device after they log in with the QR code. If desired, users can choose to delay this action.

Monitor passkey events in tenant logs

You can monitor passkey flows associated with your database connections through tenant logs.

You can manually review log events through Auth0 Dashboard > Monitoring > Logs. You can also retrieve logs using the Management API.

The table below outlines common log events associated with passkeys.

Scenario: During sign-up, a user registered a passkey as their primary authentication method.
Event code: ss
Notes: This log event contains the details.authentication_method field, set to "passkey". If the user registered with a password, this field is set to "password".

Scenario: During login, a user authenticated with a passkey.
Event code: s
Notes: This log event contains the details.prompts array, which lists the prompts the user navigated through during login. If the user authenticated with a passkey, one element of the array contains "performed_amr": ["phr"] ("phr" is the authentication method reference value for a phishing-resistant method).

Scenario: A progressive or local enrollment flow completed successfully.
Event code: gd_enrollment_complete

Scenario: An error occurred during a progressive or local enrollment flow.
Event code: gd_webauthn_enrollment_failed
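The following is an added example, not Auth0 code, that classifies tenant log events for passkey activity using only the fields the table above names (type, user_id, description, details.authentication_method and details.prompts[].performed_amr). It operates on the JSON objects returned by the Management API's GET /api/v2/logs endpoint; the Lucene filter in LOG_QUERY is an assumption about how you would restrict that pull to the four event types. The sample events are constructed for illustration and are not real tenant logs.

```python
# Added example (not Auth0's code): classify Auth0 tenant log events for
# passkey activity. Input is the JSON returned by GET /api/v2/logs; only the
# fields named in the log-event table are relied on.
import json
from collections import Counter

# Assumption: the Management API `q` parameter accepts this Lucene expression
# to restrict the pull to the four event types of interest.
LOG_QUERY = 'type:("ss" OR "s" OR "gd_enrollment_complete" OR "gd_webauthn_enrollment_failed")'


def classify(event):
    """Return a label for one log event, or None if it is not passkey-related."""
    etype = event.get("type")
    details = event.get("details") or {}
    if etype == "ss":  # successful sign-up
        method = details.get("authentication_method")
        if method == "passkey":
            return "signup_passkey"
        if method == "password":
            return "signup_password"
        return "signup_other"
    if etype == "s":  # successful login: passkey if any prompt carries amr "phr"
        for prompt in details.get("prompts") or []:
            if "phr" in (prompt.get("performed_amr") or []):
                return "login_passkey"
        return "login_other"
    if etype == "gd_enrollment_complete":
        # gd_* codes are shared with other Guardian (MFA) enrollments; on a
        # tenant with MFA enabled, confirm via description/details that the
        # enrollment was a passkey before counting it as one.
        return "enrollment_complete"
    if etype == "gd_webauthn_enrollment_failed":
        return "enrollment_failed"
    return None


def summarize(events):
    """Count passkey-related events and collect failed enrollments for follow-up."""
    counts = Counter()
    failures = []
    for ev in events:
        label = classify(ev)
        if label is None:
            continue
        counts[label] += 1
        if label == "enrollment_failed":
            failures.append((ev.get("user_id"), ev.get("description")))
    return counts, failures


def passkey_users(events):
    """User IDs that have signed up or logged in with a passkey at least once."""
    return {ev.get("user_id") for ev in events
            if classify(ev) in ("signup_passkey", "login_passkey")}


# Constructed sample events (not real tenant logs). Shapes follow the fields
# the log-event table names; unrelated fields are omitted.
SAMPLE_LOG = json.loads("""[
  {"type": "ss", "user_id": "auth0|alice", "details": {"authentication_method": "passkey"}},
  {"type": "ss", "user_id": "auth0|bob",   "details": {"authentication_method": "password"}},
  {"type": "s",  "user_id": "auth0|alice", "details": {"prompts": [{"performed_amr": ["phr"]}]}},
  {"type": "s",  "user_id": "auth0|bob",   "details": {"prompts": [{}]}},
  {"type": "gd_enrollment_complete", "user_id": "auth0|bob"},
  {"type": "gd_webauthn_enrollment_failed", "user_id": "auth0|carol",
   "description": "constructed failure message"},
  {"type": "f",  "user_id": "auth0|dave", "details": {}}
]""")

if __name__ == "__main__":
    counts, failures = summarize(SAMPLE_LOG)
    for label, n in sorted(counts.items()):
        print(f"{label:22s} {n}")
    print("failed enrollments:", failures)
    print("passkey users:", sorted(passkey_users(SAMPLE_LOG)))
```

Run it on a page of events pulled with the query above (or on a log-stream export) to get a quick picture of passkey adoption and to surface enrollment failures that may indicate a relying-party domain problem after a custom-domain change.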