Do Passkeys Work in Incognito Mode?

More and more companies are implementing passkeys into their websites and apps. While doing so, many software developers and product managers question themselves if passkeys work in in incognito or private browsing modes, as this has major influence on the overall user experience.

With this blog post, we try to answer the following questions:

1. Do passkeys work in incognito / private browsing mode?
2. What is the behavior of passkey authentication in incognito / private mode in Chrome, Safari, Edge and Firefox?

This knowledge ensures a smooth user experience across different browsers and operating systems, positioning your application at the forefront of security and convenience.

Passkeys are essentially cryptographic keys used for authenticating users without the need for traditional passwords. They offer enhanced security by eliminating the risks associated with password theft and phishing attacks.

Typically, passkeys are stored securely within the device, and their functionality remains consistent even in incognito or private modes for most operating systems apart from Windows 10 (see below), provided the device is passkey-ready.

Incognito or private modes are commonly used to browse the internet without leaving a trace. This feature is valuable for users who prioritize privacy, and it's essential that authentication methods, such as passkeys, work seamlessly within these modes.

In the history of WebAuthn development, however, there have been ongoing discussions and improvements as the behavior used to be quite confusing and inconsistent among operating systems and browser (see these old discussions and bug reports for reference here, here and here).

Understanding the behavior of passkeys in various browsers and operating systems helps in ensuring compatibility and a smooth user experience.

Do passkeys work in incognito / private browsing mode?

On Windows 10 (22H2), we discovered the only exception for passkeys not reliably working and got the two following screenshots when trying to use a platform authenticator (Windows Hello):

Chrome incognito mode passkey error message on Windows 10

Edge inPrivate mode passkey error message on Windows 10

When we switched into the regular browsing mode, everything worked as expected, so the error message in the popup is misleading.

Moreover, if we tried to use a cross-platform authenticator (e.g. hardware security key, like YubiKey, or Cross-Device Authentication via QR code / Bluetooth) this worked.

When digging further down into the issue and executing the following two commands in the browser console to determine if the platform authenticator (PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()) and Conditional UI (PublicKeyCredential.isConditionalMediationAvailable()) was available, we made an interesting discovery: the first promise returned false, while the second one returned true, which didn’t make any sense, as platform authenticators are required for Conditional UI to work.

When using Windows Hello as platform authenticator, a security pop-up appears during passkey creation in incognito mode (on Chrome) / inPrivate mode (on Edge), alerting users that the passkey will be stored and usable later in non-incognito mode (this behavior was tested on Windows 11 22H2). Considering one of the use-cases of incognito mode, where a user wants to create an account without the trace of any information, this warning makes sense.

On Android and using the incognito mode (on Chrome) / inPrivate mode (on Edge), the behavior is similarly to Windows 11, as there is an informational popup shown that tells the user that the passkey will be saved in the password manager and anyone with access to the password manager will also have access to the passkey.

In summary, passkeys function reliably in incognito and private modes across major browsers and operating systems, with some specific exceptions on Windows 10. By leveraging Corbado's solutions, developers can implement passkeys efficiently, and product managers can enhance user experiences without compromising on security.