• Introduction
• Part 1: Initial Assessment and Planning
• Part 2: Stakeholder Engagement

Implementing passkeys into your large-scale consumer deployment is a significant endeavor that requires careful planning and strategic design. After securing preliminary approval and aligning key stakeholders, the next crucial step is to develop a comprehensive design and development strategy for integrating passkeys into your authentication system.

In this article, we will:

• Explore passkey integration options: Discuss different approaches to incorporating passkeys into your existing authentication flow, including their benefits and challenges.
• Emphasize user experience (UX) design: Highlight the importance of designing intuitive user flows across all platforms, including web desktop, web mobile, and native mobile apps.
• Technical feature considerations: We discuss how to cover all technical features and considerations that arise from your chosen integration strategy and the passkey integration in general.

By carefully designing your passkey integration strategy, you can enhance security, improve user experience, and maximize the benefits of passkeys for both your organization and your users.

Selecting the appropriate integration approach is a critical decision that impacts both the technical implementation and the user experience. There are four major options to consider:

• Option 1: Passkey Button (Manual approach)
• Option 2: Identifier-First Approach (Automatic Login)
• Option 3: Password + Passkey (Second Factor)
• Option 4: Cross-Device Authentication First (CDA First)

Each option offers different benefits and challenges. Let's examine each approach in detail to help you decide which one aligns best with your organization's goals and your users' needs.

This approach adds a separate "Continue with Passkey" button on the login screen, alongside existing authentication methods. Users can choose to log in directly with their passkey without first entering their identifier (e.g., email or username).

User Experience:

• Login: Users click the "Continue with Passkey" button and are prompted to authenticate using their device's biometric or PIN authentication.
• Passkey Creation: Users are encouraged to create a passkey after logging in with their existing credentials.

Benefits:

• Simplicity: Easy to implement without significant changes to the existing login flow.
• User Control: Users explicitly choose when to use passkeys.

Challenges:

• Lower Passkey Usage: Users may overlook the passkey login option, leading to lower adoption and minimal SMS OTP cost savings.
• Extra Step: Requires users to make an additional choice, which may add friction.

Example: Australia's myGov portal employs this approach, offering a separate button for passkey login.

This method asks users to enter their identifier (e.g., email or username) first. The system then determines whether a passkey is registered for that identifier, is accessible on this device via platform or cross-platform authentication and, if so, prompts the user to authenticate with their passkey.

User Experience:

• Login: Users enter their email or username. If a passkey is available, they are prompted to authenticate using biometrics or PIN. If not, they proceed to enter their password and their second factor.
• Passkey Creation: Users are prompted to create a passkey after successful login, often with automatic enrollment features.

Benefits:

• Seamless Experience: Provides a smooth login process with minimal steps.
• Higher Passkey Usage: Encourages passkey usage by integrating it into the primary login flow.
• SMS OTP Cost Savings: Increases passkey usage, reducing reliance on SMS OTPs.

Challenges:

• Account Enumeration Risk: May expose whether an email or username is registered, requiring mitigation strategies to protect user privacy like proactive bot management like Turnstile from Cloudflare.
• Technical Complexity: Requires more sophisticated logic to handle different authentication scenarios and being able to detect if a passkey is really available at a specific client environment (operating system, operating sytem version, browser, browser version).

Google utilizes this approach, offering an automatic login experience when users enter their email and triggers a passkey authentication only on client environments where accessibility is very probable.

In this approach, users first enter their password. After successful password entry, they are prompted to authenticate with a passkey as a second factor, replacing SMS OTPs or other MFA methods.

User Experience:

• Login: Users enter their password. After successful password verification, if a passkey is available, they are prompted to authenticate using biometrics or PIN. If not, they fall back to existing MFA methods like SMS OTP.
• Passkey Creation: Users are encouraged to create a passkey during the login process to streamline future authentications.

Benefits:

• Enhanced Security: Maintains two-factor authentication with a phishing-resistant second factor.
• Easuer transition & User Familiarity: Users continue to use their password, easing the transition including being able to use existing legacy application that cannot be updated on time.

Challenges:

• Additional Steps: Requires users to enter both a password and a passkey, potentially adding friction.
• Less passkey convenience & functionality: When using passkeys as second factor, automatic passkey login with One-Tap Passkey Login and Conditional UI / Passkey Autofill cannot be used, because the password needs to be entered first.

An example for this kind of set-up is the implementation of Amazon who requires another authentication step in addition to passkeys.

This approach focuses on supporting cross-device authentication (CDA) and security keys. It enables users to create and use passkeys on mobile devices or external hardware security keys (e.g., YubiKeys), even when accessing services on devices that do not support passkeys directly making sure no device-bound passkeys are created.

User Experience:

• Login: Users are prompted to authenticate using a passkey from their mobile device or hardware security key, often by scanning a QR code displayed on the login screen or via paired device at the same time they can opt to use a security key.
• Passkey Creation: Users are guided to create passkeys on their mobile devices or security keys, facilitating passkey use across devices, most likely during the signup.

Benefits:

• Broad Device Support: Allows users on devices without passkey support (e.g., older browsers) to still use passkeys via their mobile devices.
• Security Key Integration: Supports users who prefer physical security keys for authentication.
• Increased Passkey Adoption: Encourages passkey use by overcoming device compatibility barriers.

Challenges:

• Complexity: Implementation of cross-device authentication can be more technically complex for the average consumer user.
• User Education: Requires clear instructions to guide users through the cross-device authentication process.
• Potential Friction: Scanning QR codes or using external devices introduces additional steps on every authentication.

Finom is a great example that promotes the CDA first approach to register a passkey on a mobile device or on a security key.

When comparing integration methods, it's essential to consider the specific needs and objectives of your organization, as well as the context in which passkeys will be deployed. The most suitable approach will depend on a variety of factors, including the scale of deployment, security requirements, and technical feasibility. Additionally, the method you choose should align with the desired user experience and balance ease of use with robust security measures. The following table provides a comparative overview of each integration option, highlighting key characteristics and potential trade-offs.

Factors to Consider When Choosing an Integration Approach

When deciding on the best integration method, consider the following factors:

• Security Requirements: Assess your organization's security policies and potential regulatory requirements.
• User Experience: Evaluate the impact on user experience, aiming for minimal friction and intuitive interactions.
• Technical Feasibility: Consider the complexity of implementation and compatibility with your existing authentication system.
• SMS OTP Cost Savings: If reducing SMS costs is a priority, favor options that maximize passkey usage.
• Device Compatibility: Determine whether supporting cross-device authentication and hardware security keys is important for your user base (based on the device landscape defined earlier)
• Account Enumeration Risks: Be mindful of potential privacy risks and implement necessary mitigations.

There are even more ways to integrate passkeys, often using combinations or different approaches depending on the device. Therefore, it is a unique decision for every organization, and there is no single right solution.

Corbado brings extensive expertise in implementing all four integration approaches, ensuring that your passkey deployment aligns perfectly with your organization's objectives and technical environment. Corbado Connect can be adopted to suite your needs and all passkeys that have been created will be usable in all scenarios even if your deployment changes in the future.

Our Support Includes:

• Expert Consultation: We work closely with your team to understand your specific needs and help you choose the integration method that best suits your security requirements, user experience goals, and technical capabilities.
• Tailored Implementation Strategies: Whether you opt for the Passkey Button, Identifier-First Approach, Password + Passkey method, or CDA First, we provide customized solutions that seamlessly integrate with your existing authentication system and includes our Passkey Intelligence to smooth customer experience.
• Cross-Device Authentication Expertise: Our components support CDA First approach and CDA in general out of the box, implement cross-device authentication and support for security keys, enhancing accessibility and security for your users.
• Mitigation of Account Enumeration Risks: For approaches that may introduce account enumeration vulnerabilities, we offer proven strategies and technical solutions to mitigate these risks effectively.
• Maximizing Passkey Adoption and Usage: Our expertise in user engagement ensures that passkey creation and usage are optimized, leading to higher SMS OTP cost savings and enhanced security.
• Seamless User Experience: We prioritize creating intuitive and frictionless user flows, enhancing overall satisfaction and reducing barriers to adoption.
• Technical Support and Resources: Our team provides comprehensive technical assistance, including SDKs, documentation, and best practices, to facilitate a smooth implementation process. More about our SLO/SLA Enterprise offerings can be found here.

By partnering with Corbado, you leverage our deep understanding of passkey technologies and large-scale deployments, ensuring a successful integration that delivers on your strategic objectives.

A critical aspect of passkey integration is designing intuitive user flows and interfaces that guide users through the authentication process effortlessly. This requires careful consideration of the user experience across all platforms. The flows heavily depend on the integration support, but some basic considerations relate to all of them.

It's essential to gain a comprehensive understanding of all target platforms, including the most relevant browsers, as they each handle onboarding and passkey creation differently. This includes evaluating web and mobile platforms, as well as different mobile operating systems (iOS and Android). Familiarizing yourself with these variations will help you anticipate how layouts and flows will appear across devices. Reviewing existing prototypes, such as those in Corbado blog reviews of existing implementations or FIDO Alliance materials, can provide valuable insights into user interactions and help inform design decisions.

When creating user flows, build real-world visuals that reflect actual operating system interactions. This includes designing for specific OS input methods and device prompts. Use design tools like Figma or Adobe XD to craft screens that capture key steps in the passkey process, such as login screens, passkey creation flows, and cross-device authentication prompts. The goal is to create high-fidelity mockups that enable a clear understanding of the user journey and interface interactions.

Manual testing is crucial to ensure that the implemented functionality works as expected. This includes testing fallback mechanisms, key passkey features, and cross-device functionality based on your system landscape. Create a thorough test scenario that outlines the scenarios to be tested, such as passkey creation, login, and fallback options like password or SMS OTP. Through this process, you'll identify any usability issues and refine the flows to enhance the overall experience. We are working on a separate article on this topic and will link it here once it is complete.

To automate tests and enhance coverage, you can use virtual authenticators with tools like Selenium 4 and Playwright. These tools allow you to simulate passkey interactions and test cross-device functionalities across various environments. This approach helps ensure the robustness of your authentication system by validating it against a wide range of potential use cases and device setups.

Corbado offers comprehensive support in designing and optimizing user experiences for passkey integration, ensuring that your implementation is intuitive, accessible, and effective across all platforms.

Our Support Includes:

• Expert UX Consultation: Our UX specialists collaborate with your design and product teams to develop user flows and interfaces that align with best practices and cater to your users' needs, including cross-device authentication and security key usage if nessasary.
• Pre-Built UI Components: Leverage our library of customizable UI components designed specifically with passkey integration, saving development time, ensuring consistency and allowing for updates required. UI Components are available for Login, Append (Adding Passkeys to existing Accounts) and the Passkey List in account settings.
• Localization and Internationalization: If your user base spans multiple regions and languages, we help adapt your user interfaces to accommodate cultural differences, language preferences, and support for right-to-left languages.
• Cross-Platform Design Expertise: We provide guidance on adapting designs for web desktop, web mobile, and native mobile apps, ensuring a seamless experience regardless of the user's device.
• User Testing Support: We assist in planning and conducting user testing sessions, analyzing results, and applying insights to refine the user experience.
• Automated Test Implementations for Enterprise Deployments: We provide dedicated automated test implementations for large-scale deployments, ensuring thorough and consistent validation of your passkey functionality across environments.
• Customization Options with Figma: We offer customization options that we can visualize using Figma, allowing us to tailor the visual design and interactive elements to meet your specific branding and UX requirements.

By partnering with Corbado, you ensure that your passkey integration is not only technically sound but also delivers a user experience that fosters adoption and satisfaction.

The design decisions you make will have significant implications for the technical implementation of passkeys. It's important to collaborate closely with your development team to address these considerations, but next to those design specific things, there a are a lof of technical considerations that we can’t list here completely.

There are a lof of technical considerations and a lof of resources on the web that address those issues, we have listed the most important ones. We have written blog posts about most developer areas.

It is beyond this article to describe all parts of the technical implementation, also be sure to address most passkey misconceptions early on.

Corbado provides comprehensive support for your technical teams, ensuring a smooth and secure integration of passkeys into your authentication system.

It Includes:

• All of the above: By using Corbado, frontend (UI components), backend & deployment are covered by us. All technical complexities are covered by us.
• Robust SDKs and Libraries: Access our well-documented SDKs and libraries compatible with various programming languages, frameworks and platforms, simplifying the integration process, including cross-device authentication features.
• Detailed Documentation: Utilize our extensive documentation that covers implementation guides, API references, and best practices to support your development team.
• Technical Expertise and Support: Our experienced engineers are available to assist with architectural decisions, code reviews, and troubleshooting throughout the implementation.
• Security Best Practices: We provide guidance on secure credential storage, encryption, and adherence to FIDO2 and WebAuthn standards, ensuring your implementation is resilient against threats.
• Scalability Solutions: Our infrastructure is designed to handle large-scale deployments, and we offer advice on optimizing performance and scalability for your specific needs.
• Compliance and Certification: We ensure that our solutions comply with relevant regulations and industry certifications, aiding your organization's compliance efforts.
• Regular Updates and Maintenance: Stay up-to-date with the latest advancements in passkey technology through our continuous updates and feature enhancements.

By leveraging Corbado's technical resources and expertise, your development team can implement passkeys efficiently and confidently, focusing on delivering a secure and high-performing authentication experience to your users.

Integrating passkeys requires a strategic approach across design, user experience, and technical execution. This guide covered three key areas:

• Passkey Integration Options: We explored four methods—Passkey Button, Identifier-First, Password + Passkey, and CDA First. Each offers unique benefits, from the simplicity of a Passkey Button to the seamless experience of Identifier-First and the flexibility of CDA First, allowing you to align the implementation with your security and user experience goals.
• User Experience (UX) Design: A seamless UX is essential for adoption. We discussed cross-platform compatibility, wireframing, and thorough testing to refine interactions across devices. Focus on intuitive flows ensures users engage with passkeys easily, enhancing satisfaction and adoption rates.
• Technical Feature Considerations: Implementing passkeys involves WebAuthn integration, frontend and backend updates, and strong security practices. Corbado’s solutions cover these complexities, offering a secure, compliant, and scalable deployment.

In sum, selecting the right approach, prioritizing UX, and addressing technical requirements will ensure a successful passkey integration, with Corbado as a partner to streamline this process and maximize benefits.