Enterprise Passkeys Guide: Part 5 – Testing Passkey Implementations

• Introduction
• Part 1: Initial Assessment and Planning
• Part 2: Stakeholder Engagement
• Part 3: Product, Design & Strategy Development
• Part 4: Integrating Passkeys Into an Enterprise Stack

After integrating passkeys into your enterprise stack and completing the implementation, the next critical phase is to ensure that the system functions flawlessly and meets all internal standards. This involves comprehensive testing and a carefully planned release strategy. In the enterprise context, where systems are complex and user bases are large, rigorous testing and monitoring are essential to mitigate risks and ensure a smooth rollout.

In this article, we will focus on:

• Functional Testing: What are the essential functional tests required to validate passkey implementation?

• Non-Functional Testing: How can we ensure that the system meets performance, security, and reliability standards?

By addressing these critical questions, we aim to provide a comprehensive guide on testing your passkey implementation. This will help ensure that your deployment is robust, secure, and delivers a seamless experience to your users. Let's go into the specifics of testing in an enterprise context and outline the steps necessary for a successful passkey rollout.

Testing and quality assurance are critical components in the successful deployment of passkeys within an enterprise environment. Given the complexity of large enterprise systems and the large number of users they serve, it's important to ensure that every aspect of the passkey implementation functions correctly and meets internal standards before a full-scale rollout. This involves a comprehensive approach to testing that addresses both functional and non-functional aspects of the system. Because testing and quality assurance are handled very differently among enterprises we shortly want to summarize what we think the key points are:

1. User Acceptance Testing/Manual Testing: Allows testers to experience the system as real users would, uncovering usability issues and ensuring workflows are logical.

   • Passkey Registration and Authentication: Ensure users can successfully create passkeys and authenticate using them across different devices and platforms.

   • User Interface and Experience: Validate that the user interface is intuitive, responsive, and provides a seamless experience.

   • Error Handling: Test how the system handles incorrect inputs, failed authentications, and edge cases, ensuring appropriate feedback and recovery options are provided to the user.

   • Usability Evaluation: Assess the ease of use and intuitiveness of the passkey implementation from the end-user's perspective.

   • Accessibility Compliance: Verify that the system meets accessibility standards to accommodate all users.

   • Cross-Device Scenarios: Manually test on a variety of devices to identify any inconsistencies or device-specific issues.

2. Automated Testing: Complements manual user acceptance testing by enabling repetitive tasks and regression tests to be conducted efficiently.

   • Regression Testing: Automatically retest existing functionalities to ensure new code changes do not introduce defects.

   • Performance Scripts: Use automated tools to simulate user actions under various conditions and loads.

   • Continuous Integration: Integrate automated tests into the development pipeline to catch issues early.

3. Passkey Intelligence Testing: Critical due to the diversity of devices, operating systems, and browsers used by enterprise users.

   • Compatibility Testing: Ensure the passkey system works seamlessly across all supported platforms and browsers.

   • Device Matrix: Develop a testing matrix that covers different combinations of devices, OS versions, and browsers.

   • Emulators and Real Devices: Utilize both emulators for broad coverage and real devices for accurate results.

4. Non-Functional Testing: Addresses performance, security, and reliability aspects of the passkey system.

   • Performance and Load Testing: Validate that the system can handle expected authentication volumes without degradation.

   • Security Testing: Conduct penetration tests and vulnerability assessments to identify and mitigate potential security risks.

By integrating these considerations into the testing and quality assurance process, it reduces the risks associated with deploying a new authentication method like passkeys. In the following sections we will go through every step and also outline how Corbado and the Corbado Connect System can help in those situations.

Functional testing is a critical phase in the deployment of passkeys within an enterprise environment. It focuses on verifying that all features and functionalities of the passkey implementation work as intended. This type of testing ensures that the system meets the specified requirements and provides a seamless user experience. Functional testing serves as the foundation for quality assurance, as it validates the core operations of the authentication system before moving on to non-functional aspects like performance and security.

Key Objectives of Functional Testing:

• Verification of Features: Ensure all passkey-related features, such as registration, authentication, and management, function correctly.

• User Experience Validation: Assess the usability and intuitiveness of the passkey implementation from the end-user's perspective.

• Error Handling: Confirm that the system gracefully handles errors and provides informative feedback to users.

• Compatibility: Test across different devices, operating systems, and browsers to guarantee a consistent experience for all users.

In the context of passkeys, functional testing involves a comprehensive examination of all user interactions, authentication flows, and system responses. It is essential to test both typical user scenarios and edge cases to ensure the system behaves correctly under all conditions. By thoroughly validating each function, enterprises can identify and rectify issues early in the deployment process, reducing the risk of problems during the live rollout.

User Acceptance Testing (UAT) involves human testers manually interacting with the passkey system to validate its functionality and user experience. This hands-on approach is vital for uncovering issues that automated tests might miss, such as usability problems, interface inconsistencies, and device-specific behaviors. In the context of passkey implementation, manual testing allows testers to experience the authentication flows as real users would, providing valuable insights into the system's effectiveness and intuitiveness.

Key Considerations for User Acceptance Testing Passkeys:

• Diverse User Accounts: Create test accounts representing different user roles or status types or account types within your application This ensures the passkey implementation works correctly across all user segments.

• Device-Account Mapping: Maintain a strict mapping between test accounts and devices. Assign specific accounts to specific devices to support cross-device authentication testing. This approach helps in accurately testing scenarios where a user may authenticate on one device using a passkey created on another (use the + mail pattern to identify them).

• Passkey-Enabled and Passkey-Disabled Devices: Include both passkey-enabled devices (those that support passkeys) and passkey-disabled devices (those that do not) in your testing matrix. This allows you to verify that the system provides appropriate fallback authentication methods on devices that do not support passkeys.

• Cross-Device Authentication Testing: Test cross-device authentication scenarios where a passkey created on one device is used to authenticate on another device. This includes testing the scanning of QR codes that enable cross-device passkey authentication.

• Consistency Across Platforms: Ensure that the user experience and functionality are consistent across different platforms, operating systems, and browsers. Pay special attention to device-specific behaviors and interface differences.

What functionality should be tested?

1. Passkey Registration and Authentication:

   • Creating a Passkey: Test the process of registering a new passkey, ensuring that users can successfully set up passkeys on various devices.

   • Logging in with Passkeys: Verify that users can authenticate using their registered passkeys across different platforms and that the login process is smooth and error-free.

   • Logging in with Passkeys via Conditional UI: Verify that users can authenticate using Conditional UI on platforms that support it and the UI responds adequately.

   • Logging in with a deleted Passkey: Make sure the user sees a customised error message, because most browser currently do not support signalling of server-side deletions.

   • Cross-Device Authentication: Check that passkeys created on one device can be used on others if supported, and that the system handles such scenarios appropriately.

2. Passkey Management:

   • Adding Passkeys: Ensure users can add multiple passkeys to their accounts, accommodating scenarios where users have multiple devices.

   • Deleting Passkeys: Test the ability to remove passkeys, confirming that the system updates the user's account status correctly.

   • Listing Passkeys: Verify that users can view all registered passkeys associated with their account, with clear information and management options.

   • Email Notifications: Confirm that email notifications (e.g., when a passkey is added or deleted) are triggered correctly and sent to the right customer email addresses. These notifications should be properly localized, contain clear instructions, descriptions of the passkeys, and follow branding guidelines.

3. Interaction with Existing MFA Logic:

   • MFA Status Changes: Test how enabling or disabling passkeys affects the user's multi-factor authentication (MFA) status. Including removing all passkeys from the account.

   • Fallback Mechanisms: Ensure that, when passkey authentication is unavailable (e.g., on unsupported devices), users are presented with alternative authentication methods like passwords or OTPs.

   • MFA Conversion: Validate the transition process from traditional MFA methods to passkeys, ensuring that existing security measures remain intact.

4. User Interface and Experience:

   • Usability Evaluation: Assess whether the passkey workflows are intuitive and user-friendly, minimizing confusion and errors.

   • Accessibility Compliance: Confirm that the interface meets accessibility standards (e.g., WCAG guidelines) to support users with disabilities if required.

   • Localization and Language Support: Verify that the passkey features are correctly localized for different regions and languages, if applicable.

5. Error Handling and Edge Cases:

   • Devices without platform-authenticator: Test the behavior when the device does not support passkeys (i.e., when isUserVerifyingPlatformAuthenticatorAvailable() returns false or is not defined). Confirm the system hides passkey options, provides appropriate alternative authentication methods or gracefully falls back.

   • Aborted Passkey Ceremonies: Test how the system handles situations where users abort the passkey authentication process, such as canceling or exiting during the ceremony. Ensure that on the first abort, the system treats it as a normal event, provides clear and reassuring messages, and encourages the user to retry. If the user aborts a second time, verify that the system offers alternative authentication methods and guides the user appropriately. This ensures a seamless user experience even when passkey authentication is interrupted

   • Incorrect Inputs: Test how the system responds to invalid data or actions, such as incorrect biometric inputs, canceled authentication attempts, or invalid OTPs. Ensure error messages are clear and guide the user on how to proceed.

   • Device-Specific Issues: Identify and document any inconsistencies or problems that occur on specific devices, operating systems, or browsers. This includes UI rendering issues, functional discrepancies, or performance problems.

   • Network Conditions: Simulate varying network conditions (e.g., offline, slow connections, intermittent connectivity, blocking network connections via developer extension) to see how the system handles connectivity issues during authentication. Ensure the system provides appropriate feedback and recovery options.

6. Account Lifecycle Scenarios:

   • Account Creation and Onboarding: Test the complete onboarding flow for new users, including passkey setup during account creation or after first sign-up (depending on the use-case). Verify users can set up passkeys as part of the initial MFA setup.

   • Account Recovery: Test scenarios where users need to recover access to their account, such as when they lose access to their passkey-enabled device. Ensure the recovery process is secure and user-friendly.

   • Mobile Number Changes: Test the process of updating mobile numbers, especially when mobile numbers are used for MFA or account recovery. Verify changes are properly reflected in the system and authentication methods are updated accordingly.

7. Additional functionality based on your Implementation: Customer Support Notification Management, and more.

   • Test the complete Enterprise Stack: In this article, we focus primarily on the changes to the Website and Authentication system, as these represent the most critical functionality. However, as discussed in our previous article, there are additional components involved in the overall implementation. Remember to thoroughly test all elements of the Enterprise Stack as well.

• Customer Support: While the primary focus is on consumer-facing features, test that the customer support functionality is properly integrated. Verify that support agents can view passkey-related data and delete single or multiple passkeys on behalf of the user. Ensure the UI provides sufficient information for the support agent to identify and manage passkeys accurately.

• Security, Logging & Audit: Validate that all passkey actions performed by support agents are correctly reflected in the user’s account logs and customer-facing interfaces. Check for consistency and integrity of the displayed data across different interfaces, ensuring a unified and reliable user experience.

Which device should be used for testing?

Testing across a diverse set of devices is essential to ensure that the passkey implementation functions consistently for all users. This includes both modern devices that support passkeys and older devices that do not. Here's a sample device matrix you can enrich with additional browser based on your user base:

Passkey-Enabled Devices:

Passkey-Disabled Devices:

By integrating these focused testing strategies with a comprehensive device test matrix, you establish a good foundation for ensuring the quality of your passkey implementation. Thorough testing across diverse devices—both passkey-enabled and passkey-disabled—allows you to identify and address potential issues, ensuring a consistent and seamless user experience for all users. Together, these efforts contribute to delivering a secure, user-friendly passkey authentication system that meets the high standards required in an enterprise environment. In case you do not have sufficient access to old devices you can use services like Browserstack for testing passkey-disabled devices. In case you are working on a Mac you can also use Parallels for a Windows Virtual Desktop.

Automated testing complements manual testing by enabling repetitive tasks and regression tests to be conducted efficiently. However, testing passkey functionality presents unique challenges, primarily because genuine passkey authorizations using platform authenticators cannot be directly tested in an automated environment. This is due to the reliance on biometric inputs or hardware interactions, which are not feasible to simulate in standard testing frameworks.

To overcome this limitation, automated tests for passkeys rely on the use of a virtual authenticator. The virtual authenticator is a software-based representation of an authenticator, available as part of Chromium and accessible via automation frameworks. It allows developers to simulate passkey registration and authentication processes without the need for physical devices or biometric inputs.

Before utilizing the virtual authenticator in your automated tests, it must be activated within your testing environment. This typically involves initiating a session with the browser's debugging protocol (e.g., Chrome DevTools Protocol) and enabling the WebAuthn domain. It's important to note that the state of the virtual authenticator can be reset under certain conditions, such as browser restarts or context changes. Therefore, tests must be developed carefully to ensure the virtual authenticator is consistently initialized and maintained throughout the testing process. The authenticator supports CTAP2 and needs to be configured with user verification and resident key support to work with passkeys.

Successful implementations of automated passkey testing have been achieved using frameworks like Selenium and Playwright, and others that provide access to the necessary browser automation protocols. For Selenium 4 and Playwright, native support for the virtual authenticator is available, providing APIs to manage the virtual authenticator's lifecycle and simulate user interactions. Passkey testing with Selenium 3 it is possible, but you need to directly implement the functionality (contact us if you need help).

Automated tests should cover the most important functionalities of your passkey implementation, including:

• Creating Passkeys: Simulate the process of a user registering a new passkey, ensuring that the registration flow works correctly.

• Logging in with a Passkey: Verify that users can authenticate using their registered passkeys, and that the login process is smooth and error-free.

• Account Management Functionality: Test adding, listing, and deleting passkeys associated with a user account to ensure that passkey management features function as intended.

• Error States and Network failures: Simulate the backend failing to respond this especially important for mobile operations as networking is not always reliable.

By incorporating these tests into your automated testing suite, you can consistently validate critical passkey functionalities, reduce the risk of regressions, and enhance the overall quality of your authentication system.

• Simulating User Verification: Since the virtual authenticator doesn't involve real biometric inputs, you can configure it to simulate user verification success or failure. This allows you to test how your system handles both successful authentications and scenarios where user verification fails or is canceled.

• Handling Virtual Authenticator State: Be mindful that the state of the virtual authenticator may reset in certain situations (especially in Selenum 3). Ensure your tests re-initialize the virtual authenticator as needed and consider encapsulating virtual authenticator setup in reusable functions or test hooks to maintain consistency.

• Framework Selection: While Selenium and Playwright are commonly used, other automation frameworks that provide access to the browser's debugging protocols can also be used for passkey testing. Choose a framework that fits your project's needs and has adequate support for WebAuthn testing.

• Test Reliability: Since passkey authentication involves asynchronous operations and interactions with browser APIs, ensure your tests include proper waiting mechanisms to handle these asynchronous events. This can prevent flaky tests and improve reliability.

• Documentation and Examples: Refer to detailed guides and examples for setting up the virtual authenticator in your chosen framework. For instance, Playwright provides comprehensive documentation on how to use the virtual authenticator, including code snippets and best practices.

Automated testing of passkey functionality requires careful setup due to the unique challenges involved. By leveraging the virtual authenticator and utilizing frameworks that support it, you can effectively automate key aspects of passkey registration, authentication, and management. This enhances your testing strategy, ensuring that your passkey implementation is robust, reliable, and ready for deployment in an enterprise environment.

Passkey Intelligence is a critical component in delivering a seamless and user-friendly authentication experience, especially when implementing passkeys using the Identifier-First approach with automatic login. This approach relies on intelligent decision-making to determine when to prompt users for passkey authentication based on the availability of passkeys and the likelihood of successful authentication. Testing Passkey Intelligence ensures that your system accurately detects passkey availability and provides the optimal authentication method for each user scenario.

Passkey Intelligence refers to the system's ability to analyze various signals and metadata to decide when to offer passkey authentication and when to fallback to alternative methods like passwords or one-time passcodes (OTP). It enhances user experience by:

• Maximizing Successful Logins: Offering passkey authentication when it is most likely to succeed.

• Minimizing Failed Attempts: Avoiding unnecessary passkey prompts when failure is probable, thus reducing user frustration.

• Optimizing User Flow: Providing a seamless authentication process tailored to each user's environment and history.

This intelligence is particularly important in the Identifier-First approach, where after entering their username or email, users may be automatically prompted for passkey authentication without additional input. Accurate detection of passkey availability is crucial to avoid unnecessary prompts and to provide appropriate fallback options.

In contrast, the Passkey Button Approach involves users explicitly choosing to authenticate with a passkey by clicking a button. While Passkey Intelligence still enhances the experience by determining button visibility and availability, it is less critical than in the Identifier-First approach, as users are making an active choice.

Testing Passkey Intelligence involves validating that your system correctly interprets various signals and provides the appropriate authentication method. Here are the key areas to focus on:

To ensure automatic login functions correctly, your system must accurately detect whether passkeys are available for a user. Testing should cover different scenarios to validate this detection:

• Users Without Registered Passkeys: Verify that the system does not prompt for passkey authentication and provides alternative methods.

• Users with Registered Passkeys: Confirm that the system recognizes when a user has a registered passkey and prompts for passkey authentication.

• User with Registered Passkeys that are not accessible: Confirm that the system recognizes when a user has a registered passkey (e.g., on Windows) but tries to log in on their iPhone and therefore does not proceed to offer a passkey login.

• Device Capabilities: Test on devices that support passkeys and those that do not support them to ensure the system adapts appropriately to the device independent of the account.

• Passkey Synchronization: Check whether passkeys stored in the Cloud (e.g., iCloud Keychain, Google Password Manager) are detected across devices on the correct devices.

Passkey Intelligence must work effectively with various passkey providers, both first-party and third-party. Each provider may have different behaviors and capabilities, impacting how passkeys are detected and used.

First-Party Providers:

• Windows Hello: Microsoft's biometric authentication system integrated into Windows devices. Keep in mind that Windows Hello keys are not synchronized, but Windows has announced that this will change soon.

• Google Password Manager: Google's solution for storing and synchronizing passkeys across devices and browsers. Keep in mind that GPM is not also available on Chrome but on other platforms.

• iCloud Keychain: Apple's service for storing passkeys and synchronizing them across Apple devices.

Third-Party Providers:

• 1Password: A popular password manager that supports passkeys and can synchronize them across platforms.

• Dashlane: Another widely used password manager with passkey support.

• Others: Depending on your user-base and country focus maybe other Third-Party Providers might be more important.

Testing Steps:

• Registration and Authentication: Ensure that users can register and authenticate using passkeys from each provider.

• Cross-Platform Behavior: Verify that passkeys synchronize correctly across devices and browsers when using cloud-based providers.

• Error Handling: Test how the system handles failures or unavailability of passkeys from specific providers.

Cross-device authentication allows users to authenticate on one device using a passkey stored on another device. Testing these scenarios is essential to ensure a seamless experience.

Key Scenarios to Test:

• iPhone to Windows PC: Users attempt to log in on a Windows PC using a passkey stored on their iPhone.

• Android Phone to Mac Safari: Users authenticate on a Mac using Safari by utilizing a passkey stored on their Android device.

• Android to Windows PC: Testing authentication from an Android device to a Windows PC. Keep in mind that starting Chrome 130 users might not need to do a Cross Device Authentication anymore.

Testing Steps:

• Compatibility Checks: Ensure that cross-device authentication works across different operating systems and browsers.

• User Prompts and Instructions: Verify that users receive clear instructions during the authentication process.

• Security Validation: Confirm that the authentication process is secure and resistant to man-in-the-middle attacks.

Testing should also cover scenarios where Passkey Intelligence might face challenges:

• Unavailable Passkeys: Situations where passkeys are expected but not available due to synchronization delays or network issues.

• User Cancellations: Users cancel the passkey prompt; the system should gracefully fallback to alternative methods.

• Third-Party Extensions: Interactions with browser extensions or plugins that might interfere with passkey detection or Conditional UI.

Assess the decision-making process of your Passkey Intelligence system:

• Data Accuracy: Ensure that the metadata and signals used for decision-making are accurate and up-to-date and correctly stored in the database (BS Flags).

• Adaptive Responses: Validate that the system adapts to new information, such as newly registered passkeys or changes in device capabilities.

• Performance Impact: Check that the intelligence logic does not introduce significant delays in the authentication flow.

To thoroughly test Passkey Intelligence, consider the following methodology:

1. Create Test Accounts with Various Configurations: Set up user accounts that represent different states, such as with or without registered passkeys, and with different passkey providers.

2. Use a Comprehensive Device Matrix: Include a variety of devices, operating systems, and browsers in your testing to cover as many user scenarios as possible.

3. Simulate Different Network Conditions: Test under various network conditions to assess how synchronization delays or connectivity issues impact passkey detection.

4. Testing for Complex Scenarios: For cross-device authentication and edge cases, manual testing will be necessary to fully capture user experience nuances.

5. Analyze Logs and Metrics: Collect and analyze logs to understand how Passkey Intelligence decisions are made and identify any discrepancies or failures.

• Keep User Experience at the Forefront: Ensure that the authentication flow remains smooth and intuitive, even when Passkey Intelligence decides to fallback to alternative methods.

• Stay Updated with Provider Changes: Passkey providers may update their services, affecting how passkeys are stored or synchronized. Regularly update your testing scenarios to reflect these changes. Subscribe our Substack and Join our Slack community.

• Document Findings: Keep detailed records of test cases, outcomes, and any issues encountered to aid in troubleshooting and future testing cycles.

Testing Passkey Intelligence is vital to ensure that your authentication system provides the best possible experience for users, particularly when employing the Identifier-First approach with automatic login. By thoroughly testing the detection of passkey availability, interactions with various passkey providers, cross-device authentication scenarios, and the intelligence logic itself, you can optimize your system to deliver seamless and secure authentication across all user scenarios.

Implementing and testing passkey functionality, including Passkey Intelligence, can be complex and resource intensive. Corbado offers comprehensive solutions that simplify this process, ensuring a robust, user-friendly authentication experience for your enterprise.

Corbado provides pre-built UI components and SDKs that are thoroughly tested across a wide range of devices, operating systems, and browsers—including both recent and older versions that support JavaScript. This extensive testing ensures that your passkey implementation functions consistently for all users, reducing the risk of device-specific issues and enhancing user satisfaction.

• Cross-Browser Compatibility: Our components work seamlessly on major browsers like Chrome, Safari, Firefox, and Edge, providing a consistent experience regardless of the user's browser choice.

• Device Versatility: We support both passkey-enabled and passkey-disabled devices, allowing for seamless fallback mechanisms when necessary.

• Responsive Design: Components are designed to adapt to different screen sizes and resolutions, ensuring optimal usability on desktops, tablets, and mobile devices.

• Error States: All Components have extensively be tested to work under all network conditions and have precise error messages and fallback handles to deal with users aborting ceremonies.

Recognizing the challenges in automating passkey testing, Corbado has developed automated testing solutions integrated into our component’s development and CI/CD Pipelines. Our components are not only thoroughly tested internally but also come with automated test suites we can apply to Enterprise Installations.

• Automated Test Suites: We have comprehensive automated tests covering key functionalities such as passkey registration, authentication, and management. These tests are designed to fully test our components.

• Managed Automated Testing Services: For enterprise clients, Corbado offers managed automated testing as part of our Enterprise package. We handle the complexities of setting up and maintaining automated tests for passkeys, including the use of virtual authenticators, ensuring that your authentication system remains robust over time.

A comprehensive overview how we test our components can be found in a separate blog entry here.

Corbado's Passkey Intelligence engine is extensively tested solution that optimizes the authentication experience. By leveraging advanced algorithms and real-time data, our Passkey Intelligence accurately detects passkey availability and determines the optimal authentication method for each user scenario.

• No Additional Testing Required: Since Passkey Intelligence is completely covered, tested, and extended by Corbado, you can rely on its effectiveness without the need for extensive in-house testing.

• Adaptive Decision-Making: Our engine adapts to changes in device capabilities, user behavior, and passkey provider updates, ensuring that authentication prompts are timely and relevant.

• Maximized Success Rates: By intelligently deciding when to offer passkey authentication, we help maximize successful login attempts and minimize user frustration from failed attempts.

• Customization: In case you want to customize Passkey Intelligence to be more defensive or proactive you can configure and customize the rulesets at any time.

For enterprise clients, Corbado provides additional support to streamline your passkey implementation and testing process.

• Managed Automated Testing: We offer comprehensive testing services that include setting up automated tests, monitoring their performance, and updating them as needed. This service relieves your team from the burden of maintaining complex test environments.

• Expert Consultation On-Site: Our team of experts is available to assist with any challenges you may face during implementation or testing, providing guidance and solutions tailored to your specific needs. Large deployments come with On-Site consultation including help testing on your side.

• Customized Solutions: We can adjust and fine-tune our components and services to align with your enterprise's specific requirements, corporate CI and other standards.

• Reduced Development Effort: By utilizing our pre-built and well-tested components, you save significant development time and resources.

• Enhanced Reliability: Our rigorous testing practices ensure that your passkey implementation is reliable and performs well under various conditions.

• Optimized User Experience: With Passkey Intelligence, users enjoy a seamless authentication process, increasing satisfaction and adoption rates.

• Futureproofing: We continuously update our components to align with the latest advancements in passkey technology and standard, ensuring long-term compatibility and compliance.

By partnering with Corbado, you gain access to a suite of components, tools and services that simplify the testing and implementation of passkeys. Our well-tested components, comprehensive Passkey Intelligence, and enterprise-level support ensure that your authentication system is robust, reliable, and ready for deployment in an enterprise environment. This collaboration allows your team to focus on delivering value to your users while we handle the complexities of passkey technology.

While functional testing ensures that the passkey implementation meets all required features and provides a consistent user experience, it does not address how well the system performs under real-world conditions or how resilient it is against various forms of stress. Non-functional testing focuses on these aspects. It evaluates how the system behaves when handling high loads, how quickly it responds to user requests, how stable it remains under peak usage, and how secure it is against potential attacks. For enterprise deployments of passkeys, non-functional testing is essential because:

• High User Volumes: Large user bases and frequently accessed authentication flows mean that even slight performance issues can have a significant impact on user satisfaction and business outcome.

• Reliability Under Stress: Enterprise systems must remain stable and performant during peak login times, device registration campaigns, and large-scale adoption waves.

• Security Assurance: Beyond functionality, ensuring that no vulnerabilities exist in the WebAuthn and passkey workflows is critical to maintain trust and compliance.

• Other Non-Functional Tests: Other non-functional testing types are also important depending on the enterprise, but for the sake of focus, we will concentrate on the most critical ones for large enterprises—especially in security-sensitive areas like governmental, regulated, or healthcare industries.

By conducting rigorous non-functional tests, enterprises can confidently roll out passkey solutions that are both robust and secure, ensuring a seamless experience for all users under all conditions.

Performance and load testing aim to verify that the passkey implementation can handle the expected (and sometimes unexpected) authentication volumes without degradation. Although passkey operations—such as generating and verifying WebAuthn challenges—are generally not very resource-intensive thorough performance testing remains crucial for enterprise-scale deployments.

Key Considerations for Performance and Load Testing:

1. Establishing a Realistic Baseline:
   Begin by analyzing historical authentication data to identify your peak usage patterns. For example, review the last 12 months of login statistics and pinpoint the hour with the highest authentication load. Use this peak hour as your baseline to calculate successfully completed authentications per second and multiply its volume by a factor of three (3x). This approach:

   • Accounts for Growth and Spikes: By tripling your strongest historical load, you build a healthy performance margin that accommodates unexpected surges (e.g., large-scale onboarding, simultaneous logins during product launches, or security resets).

   • Sets Clear Targets: This realistic but conservative baseline ensures your system can comfortably meet current demand while remaining stable under higher-than-anticipated conditions.

2. Understanding the Authentication Flow’s Complexity:
   With passkeys, the authentication flow may involve generating challenges on-demand, handling conditional UI prompts, and interacting with backend services to validate credentials or manage MFA states. These steps can introduce unique load patterns, especially if login prompts or challenges are generated frequently.

3. Load Balancing and Scalability:
   As you shift from passwords to passkeys, the number of operations may increase. Employ load balancing, caching, and database optimization strategies to handle potentially higher request rates and maintain consistent response times.

4. Impact of Conditional UI:
   Conditional UI might trigger continuous challenge generation if login fields are visible or rendered at the top of the page, which might result in unexpected load. Test these patterns to ensure challenges can be served quickly and reliably without causing delays or timeouts.

5. Concurrent Authorizations and Passkey Creations:
   Consider scenarios where many users simultaneously create passkeys or attempt to authenticate. This can occur during onboarding sessions or after broad communication campaigns. Your tests should simulate these concurrency spikes to confirm the system remains robust.

6. Testing Tools and Approaches:
   Standard load testing tools may not fully replicate the complexity of WebAuthn flows and be able to complete a WebAuthn ceremony. Look out for plugins for popular performance measuring frameworks like Jmeter or K6 (at use by Corbado).

7. Monitoring and Metrics:
   Track key metrics such as response times, throughput, api calls per second, completed transactions/authentications per second, error rates, and resource utilization. Use these insights to identify bottlenecks and guide optimization efforts.

8. Iterative Testing and Tuning:
   Performance testing is an iterative process. Identify issues, implement improvements, and retest to validate that changes increase capacity and reliability. Integrate these tests into your CI/CD pipeline to ensure performance remains stable over time.

By establishing a realistic baseline from historical data, tripling that capacity for safety, and comprehensively testing across various scenarios, enterprises can ensure their passkey implementation remains efficient, stable, and responsive—even under demanding conditions.

Security testing is a critical component in ensuring that your passkey implementation not only functions correctly but also maintains the highest levels of trust and integrity. While passkeys simplify and strengthen the authentication experience, it is important to validate that your WebAuthn and passkey workflows are protected against common attack vectors, configuration flaws, and vulnerabilities specific to hardware-based authentication.

Key Objectives:

• Validate that all WebAuthn operations (challenge generation, attestation, assertion) are implemented correctly and securely.

• Ensure that compromised, tampered, or deleted passkeys cannot be used for authentication.

• Confirm that user verification, if required, is strictly enforced and checked on every login.

• Validate integration with existing MFA logic, confirming that passkeys uphold or improve the overall security posture rather than weakening it.

Suggested Testing Areas and Approaches:

1. WebAuthn Challenge Consumption:

   • Challenge Uniqueness and Freshness: Verify that each challenge is unique and valid only for a single authentication attempt. This ensures that replayed challenges cannot result in successful authentication.

   • Double-Consume Protections: Attempt to reuse challenges or attestation responses from previous append (registration) or login (assertion) ceremonies. Confirm that the system rejects these attempts with appropriate error handling.

2. Deleted, Unknown, or Tampered Passkeys:

   • Deleted Passkeys: Attempt to log in using credentials associated with passkeys that have been removed. The system should reject these attempts and return an error.

   • Unknown Credentials: Present credentials never registered with the system (e.g., a different private key or unknown credential ID). Ensure the system cannot be tricked into validating these credentials.

   • Tampered Signatures: Modify the cryptographic signature or authenticator data in the WebAuthn assertion. The system should fail the verification step and respond with an error, preventing unauthorized access.

3. User Verification Enforcement (UV):

   • Mandatory User Verification: If user verification is set to required (indicating a 2FA-equivalent scenario), confirm that all authentication attempts without a UV flag result in denial. A biometric or PIN-based verification check must not be bypassable (user presence only).

   • Tampering with UV Flags: Attempt to force a scenario where the authenticator claims the user is verified, but no actual user verification took place. Confirm that the system rejects such attempts.

4. Integration with Existing MFA or Security Controls:

   • MFA State Alignment: Check that adding or removing passkeys does not circumvent existing MFA policies. For example, if passkeys are intended to replace passwords or serve as a second factor, the system should not allow a user with a compromised passkey to bypass higher-level MFA controls.

   • Fallback Mechanisms: Validate that fallback methods (e.g., passwords, OTPs) are invoked only when passkeys are legitimately unavailable or unsupported. Attackers must not be able to downgrade a secure flow to a weaker one.

5. Ensuring Up-To-Date, Standards-Compliant Implementations:

   • Latest WebAuthn Specs: Confirm that your WebAuthn server and components are updated to the latest standards, patching any known vulnerabilities. Regularly review vendor advisories and apply security updates.

   • OWASP Top 10: Align your testing with recognized security standards. Typical areas include input validation, session management, and secure communication channels (TLS). Check that all endpoints handling WebAuthn data are protected, do not leak sensitive information, and enforce proper security headers.

6. Pentesting Against Common Attack Vectors:

   • Replay Attacks: Attempt to reuse known valid signatures or stale challenges. Confirm that the server rejects them.

   • Man-in-the-Middle (MitM) Attacks: Test if an attacker intercepting WebAuthn requests can alter the challenge or signatures. Ensure that the authentication process relies on cryptographic verifications tied to the client’s private key, making MitM attacks infeasible.

   • Fuzzing and Negative Testing: Introduce malformed, missing, or random data for attestation and assertion requests. The server should gracefully handle these invalid inputs without crashing or leaking sensitive data.

7. Additional Considerations for Passkey-Specific Threats:

   • Cross-Device Authentication: Test cross-device authentication scenarios to ensure that a passkey stored on another device cannot be misused. The server must verify the authenticity of cross-device requests, ensuring no impersonation occurs.

   • Revocation and Recovery: Ensure that if a user or customer support agent recovers their account or revokes a passkey, it is instantly invalidated and cannot be used in subsequent login attempts.

Practical Examples and Tests:

• Tampered User Verification Test: Attempt to authenticate with a passkey when user verification=required but force the authenticator to present uv=false. Confirm that the server rejects the request.

• Challenge Replay Test: Reuse a previously used challenge for login. The server must reject the attempt, preventing replay attacks.

• Invalid Signature Test: Replace the valid signature with a random or incorrect one. Ensure that the server returns an error.

Maintaining Ongoing Security Assurance:

• Periodically conduct third-party penetration tests to identify new or missed vulnerabilities.

• Stay informed of emerging threats, WebAuthn specification updates, and vendor patches for hardware authenticators and client-side software.

By incorporating the above testing techniques and focusing on the unique aspects of passkey-based authentication, you can ensure that your enterprise passkey implementation remains secure, robust, and trustworthy. Regular reviews, updates, and penetration tests will help maintain a hardened security posture and continuous compliance with industry standards.

Corbado’s enterprise offering not only delivers robust passkey solutions but also includes comprehensive non-functional testing services—encompassing both performance testing and security assessments or the final integration—to ensure your passkey deployment can meet the most stringent enterprise requirements.

Corbado goes beyond traditional, generic load testing tools by leveraging advanced end-to-end performance tests using K6 and a virtual authenticator environment. This approach simulates actual passkey authentication flows via our components (CorbadoConnectLogin), including the generation and management of hundreds or even thousands of passkeys in parallel (CorbadoConnectAppend) and passkey management functionality (CorbadoConnectPasskeyList). Unlike standard load tests that may only measure API endpoints, our methodology emulates the full WebAuthn ceremony end-to-end, making the tests much more representative of real-world conditions. We also conduct sophisticated concurrency testing to ensure that your system can handle peak loads—such as large-scale onboarding campaigns or sudden authentication spikes—without degradation in responsiveness or user experience.

Corbado is committed to delivering a secure authentication environment. We undergo regular penetration tests by trusted third-party specialists who understand the unique intricacies of passkey technology. In addition, our team maintains specialized security-focused unit tests designed to prevent scenarios like tampered or deleted passkeys being reintroduced into the system. These tests and periodic pentests safeguard against evolving threats and ensure that the integrity of your passkey ecosystem is maintained at all times.

Both the advanced performance testing and rigorous security testing regimes are part of our Enterprise package. By partnering with Corbado, you gain access to tested and proven methodologies that ensure your passkey implementation stands up to the demands of high-scale, mission-critical enterprise environments—delivering not only a seamless user experience but also robust protection against potential vulnerabilities.

In large scale enterprise passkeys deployments, the successful implementation of passkeys depends not only on integrating the technology but also on thoroughly testing it to ensure performance, security, and reliability. As we have seen, a comprehensive approach to testing—from functional verification through to non-functional performance and security assessments—is crucial to delivering a robust, user-friendly authentication experience. With this article we have answered the questions posed at the beginning of the article:

• How to Functional Test Passkeys? We identified essential functional tests that focus on verifying passkey registration, authentication, user interface consistency, and appropriate error handling. Through both manual user acceptance testing and automated approaches, these tests confirm that the passkey workflows are intuitive, reliable, and aligned with user expectations.

• How to Pen-Test and Performance Test Passkeys? We explored strategies for ensuring your passkey implementation meets stringent performance and security standards. This includes load testing to handle peak authentication volumes, resilience testing under stress, and rigorous security validations—such as verifying that challenges cannot be replayed, tampered passkeys are rejected, and user verification is strictly enforced.

By integrating both functional and non-functional testing practices, you can confidently roll out passkeys, maintaining the highest standards of quality and security. In our next part we will be covering the next step: A gradual, phased launch of passkeys across different user segments and how Corbado can help you there.