We recommend only enrolling passkeys after users have already enrolled with another authentication
factor (like email OTP, SMS, TOTP, etc.).
If you want to integrate passkeys directly into an existing login page or a native mobile app,
then using Authsignal Client SDKs is likely the
better option.
Set up a custom domain
If you’re using Authsignal’s pre-built UI with passkeys, you’ll need to set up a custom domain. This means that your users’ passkeys will be bound to your own domain rather thanmfa.authsignal.com.
Configure passkeys in the Authsignal Portal
- Navigate to the Authenticators section and click Set up Passkey.
- Add the Relying Party ID in the next step. It’s the domain where your app is hosted (e.g.
example.com). Then click Activate passkeys.
As you already have a custom domain setup in the first step, the Relying Party ID value will
default to your top-level domain. For example, if your custom domain is
auth.example.com then
your Relying Party will default to example.com.If you modify your Relying Party ID you may invalidate your existing users’ passkeys. You
should only edit your Relying Party ID before releasing passkey functionality to production, or
when testing with a separate Authsignal tenant associated with a non-production environment.
- Set the expected origins on the next screen.
Configuring expected origins in the Authsignal Portal
Local development
When using the pre-built UI you don’t need to includelocalhost in your passkey configuration even when your app is running on localhost, because all passkey interactions happen on your custom domain.
This makes local development easy because you can use the same configuration for both local and production.
Uplifting users to passkeys
To encourage your users to start using passkeys, we recommend using the pre-built UI’s built in passkey uplift prompt.
Using in-app browsers on iOS and Android apps
To deliver the best passkey UX on iOS and Android apps we recommend using our Mobile SDKs. However, if you need to launch the pre-built UI inside an app-based browser then passkeys are also supported under the following conditions:- If using Android Custom Tabs then passkeys will work in the pre-built UI with no additional steps required.
- If using SFSafariViewController or ASWebAuthenticationSession on iOS then passkeys will work in the pre-built UI with no additional steps required.
- If using an embedded webview on iOS like WKWebView then passkeys will work in the pre-built UI provided you set up an associated domain. For more information on the steps required to configure your associated domain refer to the Mobile SDK documentation.
- If using an embedded webview on Android like WebView then passkeys in the pre-built UI are not supported.