Passkey Troubleshooting: Solutions for Passkey Issues & Errors

Passkeys are rapidly becoming the standard for secure and seamless user authentication. Major tech players like Amazon, WhatsApp, Coinbase, and TikTok have already embraced this technology, with others like Facebook, LinkedIn, and X/Twitter soon to follow. However, as with any emerging technology, there are still some UI / UX concepts, like error messages, that are new to end users. Users often face passkey issues like "there are no matching passkeys" or "passkeys not working". Moreover, many relying parties define their own error messages, as there are not too many best demonstrated practices (apart from FIDO alliance's UIX guidelines).

Passkeys represent a paradigm shift in authentication, moving authentication in general from the backend to the frontend, as passkeys interact via operating system APIs with a device's secure enclave, TPM, or TEE.

As a result, effective user communication and error handling become important. Users, accustomed to traditional authentication methods, now face a learning curve with passkeys. We've observed frequent passkey errors and a lot of confusion through our interactions on platforms like X (formerly Twitter) and Reddit. Our goal with this article is to help more users when facing these passkey problems. We'll anlayze the common passkey issues and offer practical solutions, thereby enhancing user experience and confidence in passkeys.

Passkeys represent a huge step in passwordless authentication, utilizing the WebAuthn API, and are backed by the FIDO Alliance and the World Wide Web Consortium (W3C). Moreover, passkeys are grounded in the principles of public-key cryptography.

Imagine creating an account where your device autonomously generates a unique pair of public and private keys. These keys are linked, much like a custom- made key tailored for a specific lock. For successful authentication, both elements are essential.

The fascinating part? The public key is the only component shared with a website or app (the relying party). The private key, on the other hand, remains securely on your device.

The authentication process is very user-friendly. When you attempt to sign in, the website or app sends a challenge. This is where your part comes in: by utilizing your device's biometrics or PIN (e.g. via Face ID, Touch ID or Windows Hello), you unlock your private key. Your device then utilizes this key to sign the challenge, sending this signature back for verification. The website or app, with the public key at its disposal, confirms the authenticity of this signature.

What makes this process truly seamless is its speed and transparency. From a user perspective, you're merely verifying your identity via Face ID. Meanwhile, under the hood, this sophisticated mechanism efficiently validates your credentials, granting access to your account.

iCloud Keychain Enabled:

For users on Apple devices utilizing Safari, iCloud Keychain must be enabled to use passkeys. This is essential for password sharing and synchronization across devices. To set up iCloud Keychain, navigate to your device's settings, select your Apple ID, go to iCloud, and then enable iCloud Keychain (read more here). On iCloud accounts with Keychain enabled, the underlying iCloud account is enforced to be MFA protected by Apple.

iOS 16 or macOS Ventura Required:

Passkeys are supported on devices running iOS 16 or later, or macOS Ventura or later. These newer operating systems include enhanced security features necessary for passkey functionality. Users should ensure their devices are updated to these versions or higher (read more here).

Windows Hello Setup:

On Windows 10+ devices, Windows Hello must be configured to use passkeys (see here for more details on the passkey support of different Windows versions). Windows Hello is a biometric-based technology that enables users to authenticate secure access to their devices and applications using a fingerprint, facial recognition, or a PIN. To set up Windows Hello, go to Settings, then Accounts, and under Sign-in options, follow the prompts for setting up Windows Hello (read more here).

Android Version 9 or Later:

Passkey support requires at least Android 9. This is because newer Android versions have better integration with security features like biometrics and secure hardware storage, which are crucial for passkeys.

Google Play Services Updated:

Ensure that Google Play Services is up-to-date, as it plays a critical role in managing security and authentication processes on Android devices.

Besides, on all platforms, ensure that the web browser being used is updated to the latest version. Browsers like Safari, Chrome, and Edge often release updates that improve security features, including passkey support.

The following lists consists of typical passkey errors. Besides providing the cause of the error a potential solution that has worked for others is given:

pane of System Settings

• Cause: This error occurs when iCloud Keychain, which is required to store passkeys on Apple devices, is not enabled.
• Solution: Enable iCloud Keychain by going to the Apple ID pane in System Settings. Ensure it's properly set up to sync passkeys across your devices.

• Cause: This error typically occurs when a user tries to access a service using a passkey that is not stored in their iCloud Keychain or not synchronized across their devices.
• Solution: Ensure that iCloud Keychain is enabled and properly synchronized across all devices. Check if the passkey for the specific service is indeed saved in the iCloud Keychain.

• Cause: No passkey can be found on the current device and the WebAuthn server does not allow any cross-platform passkey authentication.
• Solution: Verify if a passkey exists on your device. If you have deleted the passkey locally / client-side (e.g. in your iCloud Keychain settings or Google Password Manager settings), you also need to delete the passkey server-side in the account settings of your relying party, so that the relying party does not prompt another time, that the passkey should exist.

• Cause: This message appears when there's an attempt to register a new passkey on a device that already has one for the same account. Some relying parties restrict that users can only have one passkey per device (or ecosystem, e.g. synced iCloud Keychain or 1Password password manager) and account. Usually, this setting is defined in the WebAuthn server property excludeCredentials .
• Solution: Check your device settings to see if a passkey already exists and use it, or try adding a new passkey from a different device. Alternatively, enter the relying partys account settings, delete the existing passkey for this device and account and try to create a new one.

• Cause: A passkey is tied to a specific account and platform (e.g. the device or a cloud synced platform account like iCloud keychain). If you see a QR code when attempting to log in using a passkey, this means that you do not yet have a passkey on the current device / platform that you are using (but may have had one set up on your iOS or Android smartphone one previously). Another cause is that the server limits the passkeys that are allowed to be used (via the WebAuthn server property AllowCredentials) and those passkeys are not available on your device.
• Solution: If the device you previously made a passkey on has a camera, you may be able to scan the QR code to login using that existing passkey (this is called passkey cross-platform authentication). If provided, you should be able to use an alternative authentication method to log in. Once logged in, you can then set up an additional passkey for the new / current device youre using in the relying partys account settings.

• Cause: This prompt appears when a hardware security key (e.g. YubiKey) is required for authentication, possibly due to lack of a TPM or disabled Windows Hello. Another cause is that you are on a device that has no Bluetooth capabilities (e.g. an older desktop machine) and there are no fitting passkeys on the device.
• Solution: Insert the hardware security key (e.g. YubiKey) into the USB port. Alternatively, enable Windows Hello if you wish to authenticate without the hardware security key (a passkey with Windows Hello needs to be created beforehand).

• Cause: This error often occurs when the Android device that is supposed to use the passkey does not have the screen lock feature activated. The presence of a screen lock is a prerequisite for using passkeys in Android for security reasons.
• Solution: To resolve this issue, enable the screen lock feature on your Android. This can typically be done through the security settings of the device. Once the screen lock is activated, try using the passkey again.

• Cause: This error can arise due to several reasons such as a glitch in the application or software you are using, a temporary server issue, or incompatible device settings.
• Solution: Restart the application or device and try generating the passkey again. If the problem persists, check for any available updates for the application or your device's operating system. If it's a server-side issue, you may need to wait and try again later.

• Cause: A lot of error messages are caused if you delete a passkey manually. This can happen that you delete it on the client-side, so in your platform account, on your device or in your password manager. This means that the private keys doesn't exist anymore, but the server-side doesn't know about that, yet causing an error. On the other hand side, you could have also deleted the public key of the passkey on the server-side, e.g. in the account settings. If your local private key still exists and you use Conditional UI to log in, there's not matching public key on the server causing such an error.
• Solution: Try to access your account either from another device or use an alternative login method that you might have set up earlier. You can then usually create a new passkey in the account settings.

• Cause: This is an error typically indicated by PayPal or similar platforms, suggesting that the device or browser being used does not support or have the functionality to create or use passkeys.
• Solution: Ensure that your device and browser are up to date. If the device or browser inherently does not support passkeys, consider switching to a compatible one.

• Cause: This could be due to incorrect passkey entry, temporary communication issues between the server and your device, or a malfunction in the authentication process.
• Solution: Double-check the passkey you are entering. If correct, try again after a short while. If the problem continues, check your internet connection or consider resetting your passkey if possible.

• Cause: This error typically occurs when the server takes too long to respond, possibly due to network connectivity issues or high server load.
• Solution: Check your internet connection to ensure a stable and strong signal. If the connection is fine, the issue might be on the server side, in which case you should try again later when the server is less busy.

Passkeys are paving the way towards a more secure, user-friendly digital landscape. By leveraging the power of public key cryptography, they eliminate traditional password vulnerabilities, offering a robust and seamless authentication experience. As we move forward, understanding and troubleshooting common passkey errors becomes crucial. This knowledge not only enhances user confidence but also fosters wider adoption. If you want to stay up-to-date about all news around passkeys (incl. passkey error handling and passkey troubleshooting), join our passkeys community on Slack or subscribe to our passkeys Substack.