Vincent
Created: March 5, 2024
Updated: September 10, 2024
CDA (Cross-Device Authentication) allows users to use a passkey from one device for authentication on another, facilitating seamless access across diverse platforms. This innovative approach is underpinned by the FIDO Client-to-Authenticator Protocol (CTAP), which employs a "hybrid" transport mechanism. CTAP is integral to the CDA process, being implemented by authenticators and client platforms rather than relying parties, ensuring a secure and efficient authentication experience.
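What a relying party sees of the hybrid flow, as an added example (not Corbado's code): because CTAP runs between the client platform and the authenticator, the server only handles the WebAuthn `transports` values stored at registration and the `authenticatorAttachment` of the returned credential. The helper names, the classification heuristic and the sample records are assumptions constructed for illustration.

```javascript
// Added example. Values a credential may report via getTransports() at registration.
const WEBAUTHN_TRANSPORTS = new Set(["usb", "nfc", "ble", "smart-card", "hybrid", "internal"]);

// Build the JSON form of PublicKeyCredentialRequestOptions for one user.
// Passing the stored transports back lets the client platform decide whether
// to offer the QR-code (hybrid) flow; the relying party never speaks CTAP itself.
function buildRequestOptions(challenge, rpId, storedCredentials) {
  return {
    challenge,
    rpId,
    userVerification: "preferred",
    allowCredentials: storedCredentials.map((cred) => ({
      type: "public-key",
      id: cred.id,
      // Drop anything that is not a known transport string.
      transports: cred.transports.filter((t) => WEBAUTHN_TRANSPORTS.has(t)),
    })),
  };
}

// Heuristic (an assumption of this example): classify a completed sign-in from
// the authenticatorAttachment attribute of the returned PublicKeyCredential.
function classifySignIn(authenticatorAttachment, storedCredential) {
  if (authenticatorAttachment === "platform") return "local-passkey";
  if (authenticatorAttachment === "cross-platform") {
    return storedCredential.transports.includes("hybrid")
      ? "cross-device-hybrid"
      : "roaming-security-key";
  }
  return "unknown"; // attachment can be null or absent on older clients
}

// Constructed sample records (ids are placeholders, not real credential ids).
const phonePasskey = { id: "cGhvbmUtcGFzc2tleQ", transports: ["internal", "hybrid"] };
const securityKey = { id: "c2VjdXJpdHkta2V5", transports: ["usb", "nfc", "bogus"] };

const options = buildRequestOptions("Y29uc3RydWN0ZWQ", "example.com", [phonePasskey, securityKey]);
console.log(JSON.stringify(options.allowCredentials, null, 2));
console.log(classifySignIn("cross-platform", phonePasskey));
console.log(classifySignIn("cross-platform", securityKey));
```
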
You can also read a detailed report on Cross-Device Authentication in this blog post.
CDA (Cross-Device Authentication) is important for providing users with a frictionless experience when accessing services across multiple devices. It revolves around two key components: the CDA Client and the CDA Authenticator.
Cross-Device Authentication (CDA) integrates QR codes and Bluetooth to provide a versatile and secure authentication mechanism. QR codes facilitate easy, user-initiated authentication processes by enabling quick scanning to establish authentication requests. Bluetooth adds a layer of security by ensuring physical proximity between the involved devices. This dual approach combines the ease of use with robust security measures, catering to various user environments and scenarios.
Passkeys are typically synchronized across devices through cloud accounts (e.g. Apple's iCloud Keychain), ensuring they are readily available for authentication regardless of the device used. This synchronization is secured by advanced encryption and is protected by biometric data or PINs, with mechanisms in place to prevent unauthorized access, such as rate limiting for login attempts.
While synced passkeys offer convenience, they may not always be accessible on new or non-primary devices. Cross-Device Authentication addresses this challenge by providing a secure bridge for passkeys between devices without the need for cloud account synchronization. This method uses QR codes to initiate authentication and Bluetooth to verify the proximity of the devices, ensuring a secure and user-friendly experience. One use case for cross-device authentication is logging into an account on a friend's device, where it is not possible to use synced passkeys.
You can use this table to see the current support of Cross-Device Authentication for different operating systems. Authenticator means that the device can serve as the device that holds a passkey (usually the smartphone). Client means the device that creates the QR code and where the user tries to log in (usually the desktop).
It's important to consider the different behaviors of devices in the context of CDA. The authentication experience can vary based on a device's hardware capabilities, such as the presence of a camera for QR code scanning or Bluetooth for proximity checks. Additionally, operating systems may implement CDA differently, affecting how users initiate and complete the authentication process. Developers implementing CDA must account for these variations to ensure a smooth and secure user experience across all devices. See a detailed report on the different device behaviors in this blog post.
Passkey sharing employs robust security measures to protect data. This approach is essential for replacing passwords with a more secure and user-friendly alternative, aligning with FIDO's mission to enhance sign-in processes across speed, convenience, and security dimensions.
Cross-Device Authentication (CDA) is rapidly becoming available across a wide range of operating systems and browsers, as support for passkeys is introduced. An overview of the availability can be found on this website.
Passkeys are synced across devices through end-to-end encrypted mechanisms tied to the user's platform account (e.g., Apple ID, Google account). This ensures that passkeys created on one device are readily available on all other devices signed into the same account, facilitating easy and secure access across the user's digital ecosystem.
Hybrid transport allows for secure authentication across devices without needing passkeys to be synced through a cloud account, offering flexibility and maintaining the integrity of passkeys solely with the user.
CDA employs QR codes and Bluetooth to enhance security and convenience. QR codes simplify the initiation of authentication, while Bluetooth ensures the physical proximity of devices, adding an extra layer of security.
While CDA requires an internet connection for the initial setup and authentication process, the Bluetooth proximity check for authentication does not rely on an internet connection, enhancing its versatility.
Devices must support WebAuthn, have a camera for QR code scanning, support Bluetooth 4.0 or higher for caBLE, and maintain a stable internet connection to facilitate the CDA process effectively.