
Passkeys without Biometrics? Does this work?

Vincent Delitz


Created: December 28, 2024

Updated: December 28, 2024


Can Passkeys Work Without Biometrics?

Yes, passkeys can work without biometrics by using local authenticators like PINs, patterns, or device passwords. These methods provide secure authentication when biometric options like fingerprint or facial recognition are unavailable. Passkeys rely on the device's local authenticator, which is set up by the user and not controlled by the relying party.

  • Passkeys can work without biometrics by using local authenticators like PINs or passwords.
  • Local authenticators are device-specific and set up by the user, not the relying party.
  • These alternatives ensure secure authentication even without fingerprint or facial recognition.


How Passkeys Work Without Biometrics

Passkeys are built on WebAuthn, a standard for passwordless authentication. Typically, passkeys use a local authenticator for user verification. When biometrics like fingerprint or facial recognition are unavailable, the local authenticator provides an alternative method of authentication.

What Is a Local Authenticator?

A local authenticator is a mechanism on your device that verifies your identity. Examples include (all non-biometric):

  • PIN codes - A numeric code you enter to unlock your device.
  • Patterns - A swipe pattern drawn on a touchscreen.
  • Device passwords - Alphanumeric passwords used for device access.
  • Screen locks - Any other mechanism that restricts device access.

How Does It Work with Passkeys?

  1. User Setup: The user configures their local authenticator on their device.
  2. Passkey Creation: The device generates a cryptographic key pair during account setup.
    • The private key is securely stored on the device.
    • The public key is shared with the service (relying party).
  3. Authentication: When the user attempts to log in:
    • The relying party sends a challenge to the device.
    • The device uses the private key to sign the challenge.
    • The local authenticator (e.g., PIN, pattern) verifies the user's identity before signing.

Advantages of Using Passkeys Without Biometrics

  • Accessibility: Allows users without biometric-capable devices to use passkeys.
  • Security: Local authenticators are tied to the device: the PIN, pattern, or password is checked locally and can't be intercepted remotely.
  • User Control: Users can choose the method they are most comfortable with, enhancing adoption rates.

Can Developers Influence Local Authenticators?

No, developers and relying parties cannot directly control the type of local authenticator used. This is determined by the user’s device setup. However, developers can design user flows that clearly explain the process and guide users to set up a local authenticator if one isn’t already configured.
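
The login steps listed earlier and the limit described here can be seen in one place: a relying party can request `userVerification: "required"` and then check the user-verified (UV) bit in the signed authenticator data, but that bit looks the same whether a PIN, a pattern, or a biometric was used. The following is an added example, not code from the original article or from any SDK; it simulates the authenticator in Node.js, and `RP_ID`, `makeAssertion`, `verifyAssertion` and `demo` are hypothetical names with constructed data.

```javascript
// Added example with constructed data; all function names here are hypothetical.
const crypto = require("crypto");

const RP_ID = "example.com"; // assumption: the relying party's ID
const sha256 = (d) => crypto.createHash("sha256").update(d).digest();

// Simulated authenticator: builds authenticatorData and signs it with the private key.
// userVerified is true after ANY local check: PIN, pattern, password or biometric.
function makeAssertion(privateKey, challenge, userVerified) {
  const flags = 0x01 | (userVerified ? 0x04 : 0x00); // UP = bit 0, UV = bit 2
  const authData = Buffer.concat([sha256(RP_ID), Buffer.from([flags]), Buffer.alloc(4)]);
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get",
    challenge: challenge.toString("base64url"),
    origin: "https://" + RP_ID,
  }));
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { authData, clientDataJSON, signature: crypto.sign("sha256", signed, privateKey) };
}

// Relying party: check challenge, origin, RP ID hash and the UP/UV flags, then the signature.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== expectedChallenge.toString("base64url")) return "challenge mismatch";
  if (client.origin !== "https://" + RP_ID) return "origin mismatch";
  if (a.authData.length < 37) return "authenticatorData too short";
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return "rpIdHash mismatch";
  const flags = a.authData[32];
  if (!(flags & 0x01)) return "user not present";
  if (!(flags & 0x04)) return "user not verified"; // no PIN, pattern or biometric check ran
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad signature";
}

// Constructed demo: one P-256 key pair, one fresh random challenge per login attempt.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const challenge = crypto.randomBytes(32);
  const withPin = verifyAssertion(publicKey, challenge, makeAssertion(privateKey, challenge, true));
  const noUv = verifyAssertion(publicKey, challenge, makeAssertion(privateKey, challenge, false));
  const replay = verifyAssertion(publicKey, crypto.randomBytes(32), makeAssertion(privateKey, challenge, true));
  return { withPin, noUv, replay };
}
console.log(demo());
```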

Why Is This Important?

Passkeys without biometrics provide inclusivity and flexibility. Not all users have access to the latest biometric technology, but they can still benefit from the security and convenience of passwordless authentication through alternatives like PINs and patterns.

