Device-initiated authentication
Traditional passwordless sign-in methods such as email OTP are username-initiated. You enter your username (e.g. email address) and the site looks up the associated account and then initiates a challenge to verify it belongs to you.


Availability across devices
Passkeys may not be available on a given device for multiple reasons.- If the user has created a passkey on one device then switched to a new device where that passkey can’t be synced.
- If the user has created a passkey and then deleted it from their password manager.
Keeping credentials in sync
A related dead end occurs when a passkey is deleted on the server but still appears in the user’s password manager. The user selects it expecting it to work, but the server no longer recognizes it. The Web SDK reduces this by using the WebAuthn Signal API to prune stale credentials from the browser after each sign-up and sign-in. This is enabled by default via thesyncCredentials option, so in supporting browsers the user’s passkey list stays aligned with the credentials Authsignal holds without any extra work on your part.
Passkeys for sign-in
Autofill
Enabling passkey autofill is an unobtrusive way to support passkeys on your sign-in page while also maintaining a familiar experience for users who haven’t setup passkeys yet.

Sign-in button
Another approach is to include a separate passkey sign-in button which is clearly presented as an alternative sign-in option.


Immediate mediation
To avoid the QR code fallback entirely, you can use immediate mediation. The browser only shows the passkey prompt when a credential is immediately available on the device; if none is available, the prompt is skipped rather than falling back to a QR code, so the user is never led into the dead end described above. This makes immediate mediation well suited to surfacing a passkey prompt automatically on page load, without risking a confusing experience for users who don’t have a passkey on the device. To enable it, setpreferImmediatelyAvailableCredentials to true when calling signIn. See the Web SDK reference for details.
Immediate mediation depends on newer browser APIs and at the time of writing is only supported in
recent versions of Chromium-based browsers. The SDK feature-detects support and returns an
immediate_mediation_not_supported error code where it isn’t available, so always keep a backup
authentication option for users on unsupported browsers or without an available passkey.Passkeys for MFA
When using passkeys as a secondary factor, it’s important to only show passkeys for one account. If a device is shared between family members, or if a person has multiple accounts for the same site, then a device may have passkeys available for different accounts.
allowCredentials it’s important to clearly present a backup authentication option and avoid leading users into dead ends when their device doesn’t have any passkeys available.
Because it is always launched for a specific user, the Authsignal pre-built
UI always restricts passkeys via the
allowCredentials parameter. It also provides a clear way to fall back to alternate
authentication methods.Security keys for high-assurance flows
Most consumer flows should default to platform passkeys (the device’s built-in authenticator), which give the smoothest experience. For workforce or high-assurance scenarios that require a physical hardware authenticator, you can use security keys instead. To steer the browser towards a specific authenticator type, pass thehints parameter (for example ["security-key"]) when creating a passkey or security key. When you support both platform authenticators and security keys, present them as distinct options (for example “This device” versus “USB security key”) so the choice is predictable.
Creating passkeys
Increasing adoption
Transitioning your users from traditional sign in methods, like passwords, to passkeys can be a big change. To help with this transition, you can provide a prompt to encourage users to create a passkey when they sign in.Automatic passkey upgrades
You can remove the passkey creation prompt entirely for users who already rely on a password manager. After a successful password sign-in, the SDK can ask the user’s password manager to silently create a passkey in the background, with no extra step for the user. To enable this, setuseAutoRegister to true when calling signUp. See Automatic passkey upgrades in the Web SDK reference for details.
Automatic upgrades only work when the user has a saved password for your app and their browser and
password manager support conditional create. The SDK feature-detects support, and the flow fails
silently when conditions aren’t met, so it’s safe to attempt without disrupting the user.
Improving coverage across devices
Whilst many passkeys are available across devices, like ones stored in iCloud Keychain, some passkeys are device-bound. For example, a passkey created on a desktop browser may not be available on a mobile device. If a user authenticates on a device without a passkey, you can prompt them to create one in a similar way to the example above.
Handling cancellations and errors
When a passkey ceremony fails, the SDK throws aWebAuthnError. Most of these are a normal part of the user experience and should not surface a disruptive error.
The most common case is ERROR_CEREMONY_ABORTED, thrown when the user dismisses the passkey prompt. The underlying browser API deliberately does not distinguish “the user cancelled” from “no passkey was available”, so treat this as an expected outcome: quietly fall back to your backup authentication method rather than showing an error.
This ambiguity is the main reason to prefer autofill and immediate mediation where possible, since both surface passkeys only when one is actually available and avoid the dead end entirely.
See Passkey error handling in the Web SDK reference for the full list of error codes.
Displaying passkeys
As users may have multiple passkeys, it’s useful to display them in a distinct way. A passkey user authenticator contains thewebauthnCredential.aaguidMapping object. The name field will contain the name of the credential manager, e.g. iCloud Keychain, where the
passkey is stored. The svgDark/svgLight fields contain the SVG icons for the credential manager.
In the area of your application where user’s manage their authentication options, you can utilize these fields to display the user’s passkeys:

Whilst the
webauthnCredential.aaguidMapping object is available for most passkeys, it’s not
guaranteed to be present. As an alternative, you can use the webauthnCredential.parsedUserAgent
object to display details about the device the passkey was created on.
