Read the enterprise guide on large-scale passkey integration approaches, design of user flows and interfaces, and technical implementation considerations.
Vincent
Created: October 16, 2024
Updated: December 9, 2024
Our mission is to make the Internet a safer place, and the new login standard passkeys provides a superior solution to achieve that. That's why we want to keep you up to date on the latest developments in the industry.
Implementing passkeys into your large-scale consumer deployment is a significant endeavor that requires careful planning and strategic design. After securing preliminary approval and aligning key stakeholders, the next crucial step is to develop a comprehensive design and development strategy for integrating passkeys into your authentication system.
In this article, we will:
By carefully designing your passkey integration strategy, you can enhance security, improve user experience, and maximize the benefits of passkeys for both your organization and your users.
Recent Articles
♟️
Enterprise Guide: Passkeys for Existing Large-Scale Consumer Deployments
♟️
Enterprise Passkeys Guide: Part 1 - Initial Assessment and Planning
♟️
Enterprise Passkeys Guide: Part 2 - Stakeholder Engagement
♟️
Enterprise Passkeys: Apple, Google & Microsoft's Offerings
♟️
Enterprise Passkeys Guide: Part 4 – Integrating Passkeys Into an Enterprise Stack
Selecting the appropriate integration approach is a critical decision that impacts both the technical implementation and the user experience. There are four major options to consider:
Each option offers different benefits and challenges. Let's examine each approach in detail to help you decide which one aligns best with your organization's goals and your users' needs.
Become part of our Passkeys Community for updates and support.
JoinThis approach adds a separate "Continue with Passkey" button on the login screen, alongside existing authentication methods. Users can choose to log in directly with their passkey without first entering their identifier (e.g., email or username).
User Experience:
Benefits:
Challenges:
Example: Australia's myGov portal employs this approach, offering a separate button for passkey login.
Subscribe to our Passkeys Substack for the latest news, insights and strategies.
SubscribeThis method asks users to enter their identifier (e.g., email or username) first. The system then determines whether a passkey is registered for that identifier, is accessible on this device via platform or cross-platform authentication and, if so, prompts the user to authenticate with their passkey.
User Experience:
Benefits:
Challenges:
Google utilizes this approach, offering an automatic login experience when users enter their email and triggers a passkey authentication only on client environments where accessibility is very probable.
In this approach, users first enter their password. After successful password entry, they are prompted to authenticate with a passkey as a second factor, replacing SMS OTPs or other MFA methods.
User Experience:
Benefits:
Challenges:
An example for this kind of set-up is the implementation of Amazon who requires another authentication step in addition to passkeys.
This approach focuses on supporting cross-device authentication (CDA) and security keys. It enables users to create and use passkeys on mobile devices or external hardware security keys (e.g., YubiKeys), even when accessing services on devices that do not support passkeys directly making sure no device-bound passkeys are created.
User Experience:
Benefits:
Challenges:
Finom is a great example that promotes the CDA first approach to register a passkey on a mobile device or on a security key.
Why Are Passkeys Important For Enterprises?
Enterprises worldwide face severe risks due to weak passwords and phishing. Passkeys are the only MFA method that meets enterprise security and UX needs. Our whitepaper shows how to implement passkeys efficiently and what the business impact is.
If you have questions, feel free to
contact usWhen comparing integration methods, it's essential to consider the specific needs and objectives of your organization, as well as the context in which passkeys will be deployed. The most suitable approach will depend on a variety of factors, including the scale of deployment, security requirements, and technical feasibility. Additionally, the method you choose should align with the desired user experience and balance ease of use with robust security measures. The following table provides a comparative overview of each integration option, highlighting key characteristics and potential trade-offs.
Characteristics | Option 1: Passkey Button | Option 2: Identifier-First | Option 3: Password + Passkey | Option 4: CDA First |
---|---|---|---|---|
Description | Separate passkey login button; users choose passkey login directly. | Users enter identifier first; automatic passkey login if available. | Passkey used as second factor after password entry. | Emphasizes cross-device authentication and security key support. |
SMS OTP Savings | 🔴 Low savings due to low passkey usage. | 🟢 High savings by increasing passkey login. | 🟢 High savings by replacing SMS OTP. | 🟡 Moderate savings; depends on user adoption. |
Passkey Adoption (Creation) | 🟢 High, with prompts to create passkeys. | 🟢 High, with automatic enrollment features. | 🟢 High, encourages passkey creation after login. | 🟢 High, facilitates passkey use across devices. |
Passkey Usage (Login) | 🔴 Low, users may not select passkey option. | 🟢 High, passkey login is seamless. | 🟢 High, replaces second factor with passkey. | 🟡 Moderate, depends on user willingness to use CDA. |
User Experience (Login) | 🔴 Extra step to select passkey login. | 🟢 Seamless automatic login after identifier entry. | 🟡 Requires password entry before passkey. | 🟡 Additional steps for cross-device authentication. |
Supports Cross-Device Auth | 🔴 Limited support. | 🟡 Possible with additional implementation. | 🔴 Not focused on CDA. | 🟢 Yes, emphasizes CDA and security keys. |
Security Key Support | 🟢 Yes, includes support for security keys. | 🟡 Not the primary focus. | 🟡 Not the primary focus. | 🟢 Yes, includes support for security keys. |
Account Enumeration Risk | 🟢 No identifier validation risk. | 🟡 Possible risk; mitigation needed. | 🟢 No risk; password step protects account info. | 🟢 No additional risk; CDA process can be designed securely. |
Factors to Consider When Choosing an Integration Approach
When deciding on the best integration method, consider the following factors:
There are even more ways to integrate passkeys, often using combinations or different approaches depending on the device. Therefore, it is a unique decision for every organization, and there is no single right solution.
Want to find out how many people can use passkeys?
View Adoption DataCorbado brings extensive expertise in implementing all four integration approaches, ensuring that your passkey deployment aligns perfectly with your organization's objectives and technical environment. Corbado Connect can be adopted to suite your needs and all passkeys that have been created will be usable in all scenarios even if your deployment changes in the future.
Our Support Includes:
By partnering with Corbado, you leverage our deep understanding of passkey technologies and large-scale deployments, ensuring a successful integration that delivers on your strategic objectives.
A critical aspect of passkey integration is designing intuitive user flows and interfaces that guide users through the authentication process effortlessly. This requires careful consideration of the user experience across all platforms. The flows heavily depend on the integration support, but some basic considerations relate to all of them.
It's essential to gain a comprehensive understanding of all target platforms, including the most relevant browsers, as they each handle onboarding and passkey creation differently. This includes evaluating web and mobile platforms, as well as different mobile operating systems (iOS and Android). Familiarizing yourself with these variations will help you anticipate how layouts and flows will appear across devices. Reviewing existing prototypes, such as those in Corbado blog reviews of existing implementations or FIDO Alliance materials, can provide valuable insights into user interactions and help inform design decisions.
When creating user flows, build real-world visuals that reflect actual operating system interactions. This includes designing for specific OS input methods and device prompts. Use design tools like Figma or Adobe XD to craft screens that capture key steps in the passkey process, such as login screens, passkey creation flows, and cross-device authentication prompts. The goal is to create high-fidelity mockups that enable a clear understanding of the user journey and interface interactions.
Manual testing is crucial to ensure that the implemented functionality works as expected. This includes testing fallback mechanisms, key passkey features, and cross-device functionality based on your system landscape. Create a thorough test scenario that outlines the scenarios to be tested, such as passkey creation, login, and fallback options like password or SMS OTP. Through this process, you'll identify any usability issues and refine the flows to enhance the overall experience. We are working on a separate article on this topic and will link it here once it is complete.
To automate tests and enhance coverage, you can use virtual authenticators with tools like Selenium 4 and Playwright. These tools allow you to simulate passkey interactions and test cross-device functionalities across various environments. This approach helps ensure the robustness of your authentication system by validating it against a wide range of potential use cases and device setups.
Corbado offers comprehensive support in designing and optimizing user experiences for passkey integration, ensuring that your implementation is intuitive, accessible, and effective across all platforms.
Our Support Includes:
By partnering with Corbado, you ensure that your passkey integration is not only technically sound but also delivers a user experience that fosters adoption and satisfaction.
The design decisions you make will have significant implications for the technical implementation of passkeys. It's important to collaborate closely with your development team to address these considerations, but next to those design specific things, there a are a lof of technical considerations that we can’t list here completely.
There are a lof of technical considerations and a lof of resources on the web that address those issues, we have listed the most important ones. We have written blog posts about most developer areas.
Component | Considerations and Actions |
---|---|
WebAuthn Server Updates | WebAuthn Server Integration - Incorporate a WebAuthn-compliant server component for passkey registration and authentication. - Choose compatible server libraries or frameworks (e.g., Node.js, Java, .NET). WebAuthn Ceremony Settings Configuration - Define WebAuthn parameters like rpId, user verification requirements, and attestation preferences. - Ensure settings align with security policies and compliance requirements. |
Frontend Application Modifications | WebAuthn API Implementation - Utilize the Web Authentication API in your frontend JavaScript for passkey creation and authentication ceremonies. - Handle the public nature of this API carefully to maintain security while providing a smooth user experience. User Interface Updates - Update login and registration interfaces to include passkey options. - Provide clear prompts and guidance to help users create and use passkeys effectively. |
Backend Logic Adjustments | Authentication Flow Changes - Modify existing authentication flows to accommodate passkey-based login alongside traditional methods. - Implement logic to determine when to prompt for passkeys versus other authentication factors. Credential Management - Securely store passkey credentials (public keys, credential IDs) in your database. - Ensure credential storage complies with best practices and data protection regulations. |
Database Schema Modifications | Data Model Updates - Extend user profiles to include passkey-related information. - Plan how existing user data will integrate with new passkey data without disrupting current operations. Migration Strategy - Develop a strategy for migrating or updating existing accounts to support passkeys. - Ensure data integrity and continuity during the transition. |
Library and Tooling Decisions | Component Selection - Choose appropriate frontend and backend libraries that support WebAuthn and are well-maintained. - Evaluate options based on compatibility, community support, and compliance with standards. Tool Integration - Incorporate tools that assist with development, testing, and deployment of passkey functionalities. |
Security Enhancements | Secure Data Handling - Implement robust security measures for storing and transmitting passkey-related data to improve MFA functionality - Protect against common threats like replay attacks and man-in-the-middle attacks. |
User Experience Considerations | Flow Optimization - Design intuitive user flows for passkey creation and login to minimize friction. - Consider different user journeys based on device capabilities and user preferences. Cross-Device Support - Ensure consistent functionality across various devices and browsers. - Plan for scenarios where users switch devices or use multiple devices. |
Testing and Quality Assurance | Comprehensive Testing - Conduct thorough testing of passkey functionalities, including registration, authentication, and error handling. - Test across different platforms, browsers, and devices to identify and fix compatibility issues. Fallback Mechanisms - Verify that fallback authentication methods work seamlessly when passkeys are not available. - Ensure users can recover access without compromising security. |
Deployment and Monitoring | Rollout Strategy - Plan the deployment in phases, possibly starting with a pilot group. - Monitor system performance and user feedback to make iterative improvements. Analytics and Reporting - Implement analytics to track passkey adoption rates and usage patterns. - Use insights to optimize the system and address any barriers to adoption. |
It is beyond this article to describe all parts of the technical implementation, also be sure to address most passkey misconceptions early on.
Corbado provides comprehensive support for your technical teams, ensuring a smooth and secure integration of passkeys into your authentication system.
It Includes:
By leveraging Corbado's technical resources and expertise, your development team can implement passkeys efficiently and confidently, focusing on delivering a secure and high-performing authentication experience to your users.
Integrating passkeys requires a strategic approach across design, user experience, and technical execution. This guide covered three key areas:
In sum, selecting the right approach, prioritizing UX, and addressing technical requirements will ensure a successful passkey integration, with Corbado as a partner to streamline this process and maximize benefits.
Table of Contents
Enjoyed this read?
🤝 Join our Passkeys Community
Share passkeys implementation tips and get support to free the world from passwords.
🚀 Subscribe to Substack
Get the latest news, strategies, and insights about passkeys sent straight to your inbox.
We provide UI components, SDKs and guides to help you add passkeys to your app in <1 hour
Start for free
Recent Articles
Enterprise Guide: Passkeys for Existing Large-Scale Consumer Deployments
Vincent - September 26, 2024
Enterprise Passkeys Guide: Part 1 - Initial Assessment and Planning
Vincent - October 3, 2024