Passkeys for Auth0 Database Connections
Early Access Note: Passkeys for Auth0 Database Connections is an Early Access feature currently rolling out in waves to customers on most subscription plans. If you are a Converged Private Cloud customer interested in this feature, contact your account manager for assistance. To learn more about Auth0 release stages, review Product Release Stages.
Passkeys are a phishing-resistant alternative to traditional authentication factors (such as username/password) that offer an easier and more secure login experience to users. Passkeys are modeled from FIDO® W3C Web Authentication (WebAuthn) and Client to Authenticator Protocol (CTAP) specifications.
Passkeys reduce the friction experienced with single-device authentication methods by allowing credentials to sync across devices. Cross-device authentication eliminates the need for users to re-enroll on each of their devices. It also supports a more reliable recovery method as the stored credentials can survive the loss of an originating device. To learn more about passkeys, review the FIDO® Alliance Passkey FAQs.
Auth0 currently supports passkeys as an authentication method for database connections.
Support for passkeys is currently rolling out across major operating systems and browsers. For a list of supported platforms, review passkey.dev’s Device Support documentation.
Configure a passkey policy
Manage authentication methods
You can manage passkeys through the Auth0 Dashboard:
Navigate to Authentication > Database.
Note: Passkeys are currently only available for database connections.
Select a connection to update and access the Authentication Methods tab.
Enable the toggle in the Passkey row. Then, select Configure.
Currently, if you enable passkeys for a connection, you must also configure passwords as a backup authentication method. This ensures users can continue to access their accounts from browsers and older devices that may not yet support passkeys. You can configure both passkeys and passwords from the Authentication Method tab.
![Auth0 Dashboard > Authentication > Database > [Connection Name] > Authentication Methods tab.](http://images.ctfassets.net/cdy7uua7fh8z/2ZpiwdnuMCOeNB90vjx3tl/bc2e8bfaa393acbc2c9de8c521c1d250/Authentication_Methods_-_New_Tab.png)
Requirements for implementation
The list below outlines the prerequisites for implementing passkeys. If these prerequisites are not met, passkeys will not function correctly in your end-user flows.
Ensure you are using the New Universal Login Experience.
Ensure you are using Identifier First authentication.
Disable the following settings:
Customize Login Page: This setting allows you to customize login pages when using custom domains. It’s available under Branding > Universal Login > Advanced Options > Login tab.
Requires Username: This database connection setting requires users to provide both a username and their email when logging in. It’s available under Authentication > Database > [Your Connection] > Settings.
Use my own database: This custom database setting allows you to use an external database to store users. It’s available under Authentication > Database > [Your Connection] > Custom Database.
To help guide your implementation, a readiness checklist displays at the top of the Passkey Policy screen. You can quickly access the relevant settings and monitor the status of each task through this checklist.
![Auth0 Database > Authentication > Database > [Connection Name] > Authentication Methods > Configure (Passkeys)](http://images.ctfassets.net/cdy7uua7fh8z/2WlMA6l08xkQ6wtnO8VC18/cf618ab83774931ff4b9512e71da665d/2_-_Readiness_Checklist.png)
Additional Recommendations: During this Early Access period, we recommend the following best practices:
Passkeys are associated with specific relying party domains. If a domain name changes at any time, passkeys enrolled with that domain will become invalid. To avoid any interruptions, set up a custom domain for your tenant prior to enabling passkeys. To learn more, review Custom Domains.
To ensure an optimal user experience, enable passkeys for a maximum of one database connection.
Users cannot use passkeys when creating an account through an Organization invitation email. To allow these users to create passkeys, use an alternate method of user creation or ensure progressive enrollment is enabled.
Configure your policy
On the Passkey Policy screen, you can configure the following:
Before configuring these options, ensure you have completed the necessary prerequisites.
As passkeys already offer a more secure experience, users leveraging passkeys can choose to skip secondary verification challenges, such as CAPTCHA. Users authenticating with passwords or other traditional methods must continue to complete secondary verification when prompted.
Passkey Challenge
The Passkey Challenge determines how users can trigger passkey authentication during login and sign-up. The options include:
Autofill: Users must log in with their browser’s autofill feature to leverage passkeys. Autofill allows users to select a saved account from a dropdown menu when engaging with the login prompt. With autofill, users do not need to manually enter their credentials.
Note: Users can only use autofill if the functionality has been enabled in their browser settings. If autofill is not available, users can log in using the Passkey button or their traditional credentials.
Passkey Button: Users must choose the Continue with a passkey option on the login prompt.
Both: Users can trigger passkey authentication through autofill or the Passkey button on the login prompt.
Progressive Enrollment
Enabled by default, progressive enrollment prompts users to create a passkey after logging in with their email and password. This step is not required and users can choose to delay this action every 30 days.
Progressive enrollment is useful when migrating users to a new passkey flow as it offers a more seamless transition between authentication methods.
When a user creates their passkey, it is added to their account as an authentication method. Their standard email or username and password remain valid and can be used to log in as needed. Passkeys do not replace or invalidate users’ standard credentials.
Local Enrollment
Enabled by default, local enrollment prompts existing users to create a local passkey when using a cross-device passkey to log in to a new device. For example, existing passkey users can use a QR code to log in to a new device that is within physical proximity of a previously-enrolled device. If local enrollment is enabled in this scenario, the user is prompted to create a local passkey on the new device after they log in with the QR code. If desired, users can choose to delay this action.
Monitor passkey events in tenant logs
You can monitor passkey flows associated with your database connections through tenant logs.
You can manually review log events through Auth0 Dashboard > Monitoring > Logs. You can also retrieve logs using the Management API.
The table below outlines common log events associated with passkeys.
| Scenario | Event Code | Notes |
|---|---|---|
| During sign-up, a user registered a passkey as their primary authentication method. | ss |
This log event contains the details.authentication_method field set to "passkey".If a user registered with a password, this field is set to "password". |
| During login, a user authenticated with a passkey. | s |
This log event contains the details.prompts array which lists the set of prompts a user navigated through during login.If the user authenticated using a passkey, the array contains an element with the following field: "performed_amr" : ["phr"] |
| A progressive or local enrollment flow was successfully completed. | gd_enrollment_complete |
|
| An error occurred during a progressive or local enrollment flow. | gd_webauthn_enrollment_failed |
FIDO® is a trademark (registered in numerous countries) of FIDO Alliance, Inc.