6.3.1.11. Passkey
Starting with version 3.11, privacyIDEA supports the Passkey token type. A passkey is a FIDO authentication credential that allows a user to sign in to apps and websites with the same process they use to unlock their device (biometrics, PIN, or pattern). Passkeys are FIDO cryptographic credentials that are tied to a user's account on a website or application. Passkeys are phishing resistant and secure by design: they help reduce phishing, credential stuffing, and other remote attacks.
This is a variation of the WebAuthn token, which is also a FIDO2 token supported by privacyIDEA.
Therefore, it inherits the configuration of the WebAuthn token, which is described here: WebAuthn Token Config.
The Passkey token always requests creation as a resident credential, i.e. the option resident_key is always set to required, in contrast to the WebAuthn token, which does not request a resident key.
To enroll a passkey, the policies webauthn_relying_party_id and webauthn_relying_party_name have to be set. Moreover, passkeys always require a user assignment for enrollment.
Passkeys are eligible for offline use (see Offline) as well as for enroll_via_multichallenge. However, both features also have to be implemented in the client application.
Using passkeys in different browsers and environments can yield different user experiences. Most, if not all, browsers will not allow enrollment of a passkey on an authenticator which does not have a PIN set, i.e. user verification is always required for enrollment. Therefore, the policy webauthn_user_verification_requirement does not affect passkey enrollment. The same policy webauthn_user_verification_requirement is also available in the scope authentication, and there it does affect passkey authentication.
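The following is an added example, not privacyIDEA's own code, of how a client application would turn enrollment and authentication data from the server into the WebAuthn options that reflect the behaviour described above: resident key and user verification fixed to required for enrollment, and the authentication-scope policy value passed through for login. The field names of `enrollData`/`authData` and the sample values are constructed assumptions, not privacyIDEA's actual API format.

```javascript
// Decode base64url (as used by WebAuthn/FIDO2) into the bytes the browser API expects.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// Build PublicKeyCredentialCreationOptions for a passkey enrollment.
// Unlike a plain WebAuthn token, the passkey token always asks for a resident
// (discoverable) credential, so residentKey is fixed to "required".
// `enrollData` is an assumed shape standing in for the server's enrollment response.
function buildPasskeyCreationOptions(enrollData) {
  return {
    rp: { id: enrollData.rpId, name: enrollData.rpName }, // webauthn_relying_party_id / _name policies
    user: {
      id: base64urlToBytes(enrollData.userId),
      name: enrollData.username,
      displayName: enrollData.username,
    },
    challenge: base64urlToBytes(enrollData.challenge),
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }], // ES256, RS256
    authenticatorSelection: {
      residentKey: "required",      // passkey: always a resident credential
      requireResidentKey: true,     // legacy field honoured by older browsers
      userVerification: "required", // browsers insist on PIN/biometric for passkey enrollment
    },
    attestation: "none",
  };
}

// Build PublicKeyCredentialRequestOptions for passkey authentication. Here the
// webauthn_user_verification_requirement policy (scope authentication) does apply,
// so its value is passed through instead of being fixed.
function buildPasskeyRequestOptions(authData, userVerificationPolicy = "preferred") {
  return {
    rpId: authData.rpId,
    challenge: base64urlToBytes(authData.challenge),
    allowCredentials: [], // empty: the authenticator offers its discoverable credential(s)
    userVerification: userVerificationPolicy,
  };
}

// Constructed sample data standing in for a server response (not real privacyIDEA output).
const sampleEnroll = { rpId: "example.com", rpName: "Example", userId: "dXNlci0x", username: "alice", challenge: "AQIDBA" };

// In a browser (not runnable under Node):
//   const cred = await navigator.credentials.create({ publicKey: buildPasskeyCreationOptions(sampleEnroll) });
```

The username to use for login is not part of these options; as described below, it is what privacyIDEA returns after the assertion from `navigator.credentials.get()` has been verified.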
On the token detail page, the passkey can be tested and, if the test succeeds, the page shows the username that privacyIDEA returns for use at login.