6.3.1.11. Passkey
Starting with version 3.11, privacyIDEA supports the Passkey token type. A passkey is a FIDO authentication credential that lets a user sign in to apps and websites with the same gesture they use to unlock their device (biometrics, PIN, or pattern). The credential is a cryptographic key pair bound to the user's account at one website or application: the private key never leaves the authenticator, and every assertion is a signature over a server challenge together with the relying party ID and origin that the browser observed. A lookalike site therefore cannot obtain a signature that the legitimate site will accept, which is what makes passkeys phishing resistant, and because there is no shared secret that could leak, credential stuffing and similar remote attacks do not apply.
The Passkey token is a variation of the WebAuthn token, which is also a FIDO2 token supported by privacyIDEA. It therefore inherits the configuration of the WebAuthn token, which is described here: WebAuthn Token Config.
The Passkey token always requests to be created as a resident (discoverable) credential, i.e. the option resident_key is always set to required, in contrast to the WebAuthn token, which does not request a resident key. Because the credential is discoverable, the authenticator can find it by relying party ID alone and returns the user handle together with the assertion, so the client does not need to know the username before the authentication ceremony starts.
To enroll a passkey, the policies webauthn_relying_party_id and webauthn_relying_party_name have to be set. The relying party ID must be the domain of the site the browser is on, or a registrable parent domain of it; otherwise the browser rejects the enrollment ceremony before the authenticator is ever contacted. Moreover, passkeys always require a user assignment for enrollment, since the user handle stored in the credential must refer to an existing user.
Passkeys are eligible for offline use, as specified under Offline, as well as for enroll_via_multichallenge. However, these features also have to be implemented in the client application.
Using passkeys in different browsers and environments can yield different user experiences. Most, if not all, browsers will not allow enrollment of a passkey on an authenticator that does not have a PIN (or another user verification method) set, i.e. user verification is always required for enrollment. Therefore, the policy webauthn_user_verification_requirement in the scope enrollment does not affect passkey enrollment. The same policy webauthn_user_verification_requirement is also available in the scope authentication, and that policy does affect passkey authentication.
On the token detail page, the passkey can be tested and, if successful, will show the username that is returned by privacyIDEA to use for login.
6.3.1.11.1. Avoiding double registration
During passkey enrollment, privacyIDEA always sends the credential IDs of the user's existing passkey and WebAuthn tokens in the WebAuthn excludeCredentials list. The authenticator will then refuse to create a new credential if it already holds one of these, preventing a user from accidentally registering the same authenticator twice. Unlike the webauthn_avoid_double_registration policy for WebAuthn tokens, this behavior is always on for passkeys and is not configurable.
Tokens that have been revoked are excluded from this list, so the same authenticator can be re-enrolled for the user after revocation. Tokens that are merely disabled are still included, since disabling is reversible and the underlying credential is still bound to the user. Tokens whose enrollment never finished (rollout state clientwait) are also excluded.
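As an added example, and not privacyIDEA's own code, the following Python builds the WebAuthn creation options that a passkey enrollment as described in this section would send to the browser (resident key required, user verification required, excludeCredentials computed by the rules above), plus the request options for a passkey authentication, where the authentication-scope user verification policy does apply. The token record layout, the function names, the COSE algorithm list and the attestation setting are assumptions made for the example; the token list is constructed sample data.

```python
"""Passkey enrollment and authentication options with excludeCredentials.

Illustrative code, not privacyIDEA's implementation. The token record layout
(dicts with "type", "credential_id", "revoked", "active", "rollout_state")
is an assumption made for this example.
"""
import base64
import os

# Constructed sample of one user's token list (not real privacyIDEA data).
# credential_id holds the raw bytes an authenticator returned at enrollment.
SAMPLE_TOKENS = [
    {"serial": "PIPK0001", "type": "passkey", "credential_id": b"\x01" * 16,
     "revoked": False, "active": True, "rollout_state": ""},
    {"serial": "WAN0001", "type": "webauthn", "credential_id": b"\x02" * 16,
     "revoked": False, "active": False, "rollout_state": ""},       # disabled: still excluded
    {"serial": "PIPK0002", "type": "passkey", "credential_id": b"\x03" * 16,
     "revoked": True, "active": False, "rollout_state": ""},        # revoked: may be re-enrolled
    {"serial": "PIPK0003", "type": "passkey", "credential_id": b"\x04" * 16,
     "revoked": False, "active": True, "rollout_state": "clientwait"},  # enrollment unfinished
    {"serial": "TOTP0001", "type": "totp", "credential_id": None,
     "revoked": False, "active": True, "rollout_state": ""},        # not a FIDO token: ignored
]

FIDO_TOKEN_TYPES = {"passkey", "webauthn"}
USER_VERIFICATION_VALUES = {"required", "preferred", "discouraged"}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding used in WebAuthn JSON options."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def exclude_credentials(tokens):
    """Credential descriptors the authenticator must refuse to register again.

    Passkey and WebAuthn tokens of the user are listed; revoked tokens and
    tokens still in rollout state "clientwait" are left out; merely disabled
    tokens stay in, because disabling is reversible.
    """
    descriptors = []
    for tok in tokens:
        if tok["type"] not in FIDO_TOKEN_TYPES:
            continue
        if tok["revoked"] or tok["rollout_state"] == "clientwait":
            continue
        descriptors.append({"type": "public-key", "id": b64url(tok["credential_id"])})
    return descriptors


def passkey_creation_options(rp_id, rp_name, user_id: bytes, user_name, tokens, challenge=None):
    """PublicKeyCredentialCreationOptions for a passkey enrollment.

    residentKey is always "required" (a passkey is a discoverable credential);
    userVerification is "required" because browsers demand it for passkeys
    regardless of the enrollment-scope policy. Algorithm list and attestation
    value are assumptions for the example.
    """
    if not rp_id or not rp_name:
        raise ValueError("webauthn_relying_party_id and webauthn_relying_party_name must be set")
    if not user_name:
        raise ValueError("passkey enrollment requires a user assignment")
    challenge = challenge or os.urandom(32)
    return {
        "rp": {"id": rp_id, "name": rp_name},
        "user": {"id": b64url(user_id), "name": user_name, "displayName": user_name},
        "challenge": b64url(challenge),
        "pubKeyCredParams": [{"type": "public-key", "alg": -7},     # ES256
                             {"type": "public-key", "alg": -257}],  # RS256
        "authenticatorSelection": {"residentKey": "required",
                                   "requireResidentKey": True,
                                   "userVerification": "required"},
        "excludeCredentials": exclude_credentials(tokens),
        "attestation": "none",
    }


def passkey_request_options(rp_id, user_verification, challenge=None):
    """PublicKeyCredentialRequestOptions for a passkey authentication.

    allowCredentials stays empty, so the authenticator offers the discoverable
    credentials it holds for rp_id and returns the user handle with the
    assertion. user_verification is the value of the policy
    webauthn_user_verification_requirement in the authentication scope.
    """
    if user_verification not in USER_VERIFICATION_VALUES:
        raise ValueError("unknown userVerification value: %r" % user_verification)
    challenge = challenge or os.urandom(32)
    return {"rpId": rp_id, "challenge": b64url(challenge),
            "allowCredentials": [], "userVerification": user_verification}


if __name__ == "__main__":
    opts = passkey_creation_options("pi.example.com", "privacyIDEA", b"uid-1", "alice", SAMPLE_TOKENS)
    print([d["id"] for d in opts["excludeCredentials"]])
```

With the constructed token list, only the active passkey and the disabled WebAuthn token end up in excludeCredentials; the revoked passkey and the one still in clientwait are omitted, matching the rules in this section.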
A non-exhaustive list of devices that are known to work can be found here: FIDO2 & WebAuthn Devices.