Passkeys are implemented using the Credential Manager API and synced via Google Password Manager. Passkeys are supported only on devices running Android 9 (API 28) or higher.
To use passkeys you must setup a Digital Asset Links JSON file on your web domain.
assetlinks.jsonfile on the domain that matches your relying party:
The response JSON should look something like this:
but with the package name and SHA256 fingerprint updated to match your own app.
Ensure that you have
mavenCentral listed in your project's buildscript repositories section:
Add the following to your app's build.gradle file:
val authsignalPasskey = AuthsignalPasskey("YOUR_TENANT_ID", "YOUR_REGION_BASE_URL")
val authsignalPush = AuthsignalPush("YOUR_TENANT_ID", "YOUR_REGION_BASE_URL")
You can find your tenant ID in the Authsignal Portal.
You must specify the correct base URL for your tenant's region.
Registering a new passkey
To register a new passkey, you first need to request a token via track. If the user is new, create a record for them in your own DB and pass their ID to Authsignal server-side to get a token, which can then be passed to the Android SDK along with their username.
val result = authsignalPasskey.signUp(initialToken, userName)
// Pass this short-lived result token to your backend to validate that passkey registration succeeded
Authenticating with an existing passkey
val result = authsignalPasskey.signIn(initialToken)
// Pass this short-lived result token to your backend to validate that passkey authentication succeeded
After the user authenticates with their passkey, the SDK will return a short-lived token which should be passed to your backend to validate the result of the challenge server-side.
Adding a device credential
Adding a new credential must be authorised with a short-lived token. You can obtain this by tracking an action which will return a token in the response. This should be done at a point in your application when the user is strongly authenticated.
Removing a device credential
Getting a challenge
val challengeId = authsignalPush.getChallenge()
Updating a challenge
val approved: Boolean = true // true if the user has approved the challenge