Page Summary
- A passkey system involves a relying party (server and client), an authenticator device, and a password manager for storage and syncing.
- Registering a passkey requires providing the RP ID, user information, credentials to exclude, and passkey types using the WebAuthn API or the Credential Manager library.
- Authenticating with a passkey uses the WebAuthn API or the Credential Manager library and involves providing the RP ID and a server-generated challenge.
- Server-side integration is crucial for providing the necessary parameters during registration and authentication and for verifying credentials.
- It is recommended to keep existing authentication mechanisms like passwords and two-factor authentication while transitioning to passkeys, because of compatibility and user readiness.
Learn how you can integrate passkeys into your service.
Anatomy of a passkey system
A passkey system consists of a few components:
- Relying party : In the passkey context, a relying party (RP for short) handles passkey issuance and authentication. The RP must operate a client (a website or app that creates passkeys or authenticates with passkeys) and a server for registering, storing and verifying the credentials generated by the passkeys on the client. A passkey-enabled mobile application must be bound to the RP server's domain using the OS-provided association mechanism, such as Digital Asset Links on Android; without that binding, the OS will not let the app create or use passkeys for that domain.
- Authenticator : A computing device such as a mobile phone, tablet, laptop or desktop computer that can create and verify passkeys using the screen lock feature offered by the operating system.
- Password manager : Software installed on the end user's device(s) that serves, stores and syncs passkeys, such as Google Password Manager.
Registration flow
Use the WebAuthn API on a website or the Credential Manager library in an Android app to create and register a new passkey.
To create a new passkey, there are a few key components to provide:
- RP ID : Provide the relying party's ID in the form of a web domain. The passkey is scoped to this domain and cannot be used from any other origin.
- User information : The user's ID, username and a display name. The user ID should be an opaque, stable identifier rather than an email address or other personal data.
- Credentials to exclude : Information about previously registered passkeys, so that the same authenticator does not register a duplicate.
- Passkey types : Whether to use the device itself ("platform authenticator") as the authenticator, or a detachable security key ("cross-platform / roaming authenticator"). Additionally, callers can specify whether to make the credential discoverable, so that the user can pick an account to sign in with instead of typing a username first.
Once the RP requests creation of a passkey and the user verifies it with a screen unlock, a new passkey is created and a public key credential is returned. Send that to the server, have the server verify it, and store the credential ID and the public key for future authentication.
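The four inputs listed above end up in the `publicKey` options object passed to `navigator.credentials.create()`. The following is an added example, not code from the original page or from Google's libraries: it shows how a client turns the JSON a registration endpoint might return (the field names `challenge`, `rpId`, `rpName`, `user`, and `excludeCredentialIds` are assumed here) into that options object, decoding the base64url-encoded binary fields along the way. The algorithm identifiers (-7 for ES256, -257 for RS256) are the COSE values browsers and servers use.

```javascript
// Added example: build PublicKeyCredentialCreationOptions from server JSON.
// The shape of `serverOpts` is an assumption of this example, not a standard.

// WebAuthn binary fields travel as base64url strings; decode to raw bytes.
function b64urlToBytes(s) {
  return new Uint8Array(Buffer.from(s, 'base64url'));
}

function buildCreationOptions(serverOpts) {
  return {
    // Server-generated, single-use; it is echoed back inside clientDataJSON.
    challenge: b64urlToBytes(serverOpts.challenge),
    // The RP ID scopes the passkey to this domain (and its subdomains).
    rp: { id: serverOpts.rpId, name: serverOpts.rpName },
    user: {
      // Opaque identifier (not the email), max 64 bytes per the spec.
      id: b64urlToBytes(serverOpts.user.id),
      name: serverOpts.user.name,
      displayName: serverOpts.user.displayName,
    },
    // Accept ES256 first, RS256 as a fallback for older authenticators.
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },
      { type: 'public-key', alg: -257 },
    ],
    // Credential IDs already registered for this user; the authenticator
    // refuses to create a second passkey if it already holds one of these.
    excludeCredentials: serverOpts.excludeCredentialIds.map((id) => ({
      type: 'public-key',
      id: b64urlToBytes(id),
    })),
    authenticatorSelection: {
      // 'platform' = this device's screen lock; omit to also allow security keys.
      authenticatorAttachment: 'platform',
      // 'required' makes the credential discoverable, so sign-in can start
      // without the user typing a username.
      residentKey: 'required',
      userVerification: 'required',
    },
    timeout: 60000,
  };
}

// In the browser the result is used as:
//   const cred = await navigator.credentials.create({ publicKey: buildCreationOptions(serverOpts) });
module.exports = { b64urlToBytes, buildCreationOptions };
```

The `excludeCredentials` list is what enforces the "credentials to exclude" point above: the server must send every credential ID it already holds for this user, or the same device can silently register a second, confusing passkey.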
Learn how to create and register a passkey in detail:
- On web : Create a passkey for passwordless logins
- On Android : Bringing seamless authentication to your apps with passkeys using Credential Manager API
Authentication flow
Use the WebAuthn API on a website or the Credential Manager library in an Android app to authenticate with a registered passkey.
To authenticate with a passkey, there are a couple of key components to provide:
- RP ID : Provide the relying party's ID in the form of a web domain.
- Challenge : A server-generated, random, single-use challenge. Because the authenticator signs over it, a captured response cannot be replayed against a later sign-in.
Once the RP requests authentication with a passkey and the user verifies it with a screen unlock, a public key credential is returned. Send that to the server, which checks that the challenge and origin match what it issued and verifies the signature with the stored public key.
Learn how to authenticate with a passkey in detail:
- On web : Sign in with a passkey through form autofill
- On Android : Bringing seamless authentication to your apps with passkeys using Credential Manager API
Server-side integrations
When a passkey is created, the server needs to provide key parameters such as a challenge, user information, credential IDs to exclude, and more. It then verifies the created public key credential sent from the client and stores the credential ID and public key in the database. When authenticating with a passkey, the server must carefully validate the credential (the ceremony type, challenge, origin and RP ID recorded in the response) and verify the signature before letting the user sign in.
Learn more in our server-side guides:
- Introduction to server-side passkey implementation
- Server-side passkey registration
- Server-side passkey authentication
Existing (legacy) authentication mechanisms
When you add passkey support to an existing service, the transition from the older authentication mechanism, such as passwords, to passkeys won't happen in a day. You may be inclined to eliminate the weaker authentication method as soon as possible, but doing so can cause user confusion or leave some users behind. We recommend keeping the existing authentication method for the time being.
There are a few reasons:
- Some users are in a passkey-incompatible environment : Passkey support is expanding across operating systems and browsers, but users on older versions cannot use passkeys yet.
- The passkey ecosystem is still maturing : The passkey ecosystem is evolving, and UX details and technical compatibility between different environments continue to improve.
- Users may not be ready to rely on a passkey yet : Some people are hesitant to adopt new things. As the passkey ecosystem matures, they will get a sense of how passkeys work and why they are useful.
Revisit your existing authentication mechanism
While passkeys make your authentication simpler and safer, keeping the old mechanisms in place leaves a hole that attackers can still target. We recommend revisiting and improving your existing authentication mechanisms.
Passwords
Creating strong passwords and managing a different one for each website is a challenging task for users. Using a password manager, whether built into the system or standalone, is strongly recommended. By making small tweaks to the sign-in form, websites and apps can make a big difference to both security and the sign-in experience. Check out how you can make those changes:
- Sign-in form best practices (Web)
- Sign-up form best practices (Web)
- Sign in your user with Credential Manager (Android)
Two-factor authentication
Though a password manager helps users handle passwords, not all users use one. Asking for an additional credential, a one-time password (OTP), is a common practice to protect such users. OTPs are typically delivered through email, an SMS message, or an authenticator app such as Google Authenticator. Because an OTP is a short code generated dynamically and valid only for a limited time window, it lowers the probability of account hijacking. These methods are not as robust as a passkey (an OTP can still be phished and relayed within its validity window), but they are much better than leaving users with just a password.
If you select SMS as the way to deliver an OTP, check out the following best practices to streamline the user experience of entering the OTP.
Identity federation
Identity federation is another option to let users sign in securely and easily. With identity federation, websites and apps can let users sign in using an identity from a third-party identity provider. For example, Sign in with Google delivers strong conversions for developers, and many users prefer it to password-based authentication. Identity federation also allows the website or app to obtain basic profile information about the user. Passkeys are a great option for users and developers who can't or don't want to use identity federation, but are still looking for a safer and easier alternative to passwords.
Keep in mind that after Chrome phases out third-party cookies in 2024, some identity federation systems may be impacted depending on how they're built. To mitigate the impact, a new browser API called the Federated Credential Management API (FedCM for short) is being developed. If you run an identity provider, check out the details and see whether you need to adopt FedCM.
- Federated Credential Management API (Web, FedCM)
- Overview of Sign in with Google for Web (Web, Sign in with Google)
- Overview of One Tap sign-in on Android (Android, One Tap sign-in)
"Magic Links"
Magic link sign-in is an authentication method where a service emails the user a login link that they click to authenticate. While this lets users sign in without remembering a password, switching between the browser or app and the email client is a source of friction. Also, because the whole mechanism relies on email, weak security at the email provider, or a compromised mailbox, puts the user's account at risk.
Learning resources
Web
To integrate passkeys into your website, use the Web Authentication API (WebAuthn). To learn more, check out the following resources:
- Create a passkey for passwordless logins : An article that discusses how to allow users to create passkeys for a website.
- Sign in with a passkey through form autofill : An article that discusses how passwordless sign-in with passkeys should be designed while accommodating existing password users.
- Implement passkeys with form autofill in a web app : A codelab that teaches you how to implement passkeys with form autofill in a web app to create a simpler and safer sign-in.
- Help users manage passkeys effectively : To fully realize the potential of passkeys, careful consideration must be given to the user experience surrounding their management. This document outlines guidelines and optional features for designing an intuitive, secure, and robust passkey management system.
- Secure and seamless passkeys: A deployment checklist : This checklist guides you through the key aspects of implementing passkeys to achieve optimal user experience (UX) outcomes.
Android
To integrate passkeys into your Android app, use the Credential Manager library. To learn more, check out the following resources:
- Sign in your user with Credential Manager : An article that discusses how to integrate Credential Manager on Android. Credential Manager is a Jetpack API that supports multiple sign-in methods, such as username and password, passkeys, and federated sign-in solutions (such as Sign in with Google), in a single API.
- Bringing seamless authentication to your apps with passkeys using Credential Manager API : An article that discusses how to integrate passkeys through Credential Manager on Android.
- Learn how to simplify auth journeys using Credential Manager API in your Android app : Learn how to implement the Credential Manager API to provide seamless and secure authentication in your app using passkeys or passwords.
- Credential Manager Sample App : Sample code that runs Credential Manager with passkey support.
- Integrate Credential Manager with your credential provider solution | Android Developers
UX
Learn passkey user experience recommendations: