We recommend only enrolling passkeys after users have already enrolled with another authentication factor (like email OTP, SMS, TOTP, etc.).
First, set up the pre-built UI in your app if you haven’t yet. Once configured, enabling passkeys is straightforward.
If you want to integrate passkeys directly into an existing login page or a native mobile app, then using Authsignal Client SDKs is likely the better option.

Set up a custom domain

If you’re using Authsignal’s pre-built UI with passkeys, you’ll need to set up a custom domain. This means that your users’ passkeys will be bound to your own domain rather than mfa.authsignal.com.

Configure passkeys in the Authsignal Portal

  1. Navigate to the Authenticators section and click Set up Passkey.
  2. Add the Relying Party ID in the next step. It’s the domain where your app is hosted (e.g. example.com). Then click Activate passkeys.
Define relying party ID
As you already have a custom domain setup in the first step, the Relying Party ID value will default to your top-level domain. For example, if your custom domain is auth.example.com then your Relying Party will default to example.com.
If you modify your Relying Party ID you may invalidate your existing users’ passkeys. You should only edit your Relying Party ID before releasing passkey functionality to production, or when testing with a separate Authsignal tenant associated with a non-production environment.
  1. Set the expected origins on the next screen.
Expected origins

Configuring expected origins in the Authsignal Portal

That’s it! You have now enabled passkeys in pre-built UI. Now, your users will also get the option for passkeys along with other auth methods.

Local development

When using the pre-built UI you don’t need to include localhost in your passkey configuration even when your app is running on localhost, because all passkey interactions happen on your custom domain. This makes local development easy because you can use the same configuration for both local and production.

Uplifting users to passkeys

To encourage your users to start using passkeys, we recommend using the pre-built UI’s built in passkey uplift prompt.
Passkey uplift prompt

Passkeys vs security keys

Passkeys are designed to work seamlessly across your devices and are typically synced through password managers like iCloud Keychain or Google Password Manager. Security keys are physical hardware devices (like YubiKeys) that require manual insertion or proximity to authenticate. While both use similar underlying technology, passkeys provide a more convenient user experience for most applications.