Authdog

Passkeys

Last updated Jul 19, 2026
View as Markdown

Passkeys use WebAuthn public-key credentials instead of a shared password. A user's authenticator keeps the private key; Authdog stores credential metadata and the public material needed to verify a sign-in.

Current availability

Passkey registration and sign-in are available in Authdog's hosted identity flow when Passkeys is enabled for the environment. Registration requires an authenticated user session. Authentication uses discoverable credentials and local user verification.

Authdog supports ES256 and RS256 credential keys. Registration requests no attestation, so Authdog verifies the WebAuthn ceremony without collecting device-identifying attestation.

How the flow works

Passkeys use two ceremonies:

  1. Registration — Authdog creates a short-lived challenge scoped to an environment and user. Browser calls navigator.credentials.create(), and Authdog verifies the returned registration response before storing the credential.
  2. Authentication — Authdog creates another challenge. Browser calls navigator.credentials.get(), and Authdog verifies challenge, relying-party origin, authenticator data, signature, user verification, and signature counter before creating a session.

Credentials and challenges are isolated by Authdog environment. Relying-party ID comes from identity host, so passkeys are bound to that site rather than portable across unrelated domains.

Plan your user experience

Keep account recovery independent of a single device:

  • Offer another verified sign-in or recovery path.
  • Let users register more than one authenticator.
  • Show credential-management controls only inside an authenticated account session.
  • Require recent authentication before deleting the last credential.
  • Explain that synced passkeys may follow a user's platform account, while device-bound authenticators may not.

Passkeys can satisfy possession and local user verification, but they do not remove need for server-side session validation. Continue validating Authdog sessions on every protected backend request.

Security notes

Authdog verifies challenge, exact origin, relying-party ID hash, user-presence and user-verification flags, credential signature, credential ownership, expiration, one-time challenge consumption, and authenticator signature counters. Registration and credential management require a validated session.

Operations

Before rollout:

  • Test platform authenticators, roaming security keys, and synced passkeys.
  • Test cancellation, unavailable authenticators, lost devices, and recovery.
  • Keep at least one non-passkey sign-in method enabled during migration.
  • Monitor authentication failures in Audit logs.
  • Separate development and production credentials by using different Authdog environments.

Learn more