The following recommendations are designed to help you create the best passkey experience for your users when using Authsignal’s mobile SDKs.

Ensuring a backup option exists when passkeys are unavailable

Even if users have previously created a passkey, they may be authenticating on a new device where the passkey cannot be synced - for example, when switching between an iOS and an Android device or vice versa. Additionally, it is possible a user may have deleted their existing passkey credential from Apple iCloud or Google Password Manager. One way to ensure a user always has a backup option available is to prompt the user to create a passkey only after they enroll another authentication method such as email OTP or SMS OTP. Since Authsignal supports binding multiple authentication factors together, this can easily be achieved with the mobile SDK.

Creating a passkey after completing an email OTP challenge

Optimizing sign-in UX

Now that we can be confident the user always has a backup option, we can design an optimal sign-in UX which puts passkeys front and center while also providing a safe fallback. For the happy path when a passkey is available, presenting a “Sign in” button which immediately displays the passkey prompt provides a smooth UX.

Signing in with an available passkey

If no passkey is available on the device, however, we can gracefully fall back to presenting email as a backup option. This can be implemented by handling error codes returned by the mobile SDK. 
let response = await authsignal.passkey.signIn(action: "signInWithPasskey")

if response.errorCode == "user_canceled" {
  // Present email sign-in screen
}
For a consistent experience between iOS and Android, here we treat the scenario where a user has no passkey available exactly the same as if they dismiss the passkey prompt. This is required because while Android returns a different error in either case, iOS doesn’t differentiate between these two scenarios and returns the same cancellation error in each case.

Falling back to email OTP when a passkey is unavailable

The above behavior is possible because iOS and Android both expose a preferImmediatelyAvailableCredentials parameter which will avoid showing the passkey prompt if no credentials are available on the current device. Set this value to false if you want to allow signing in via QR code with a passkey on another device.