Integrating Passkeys into Enterprise Stack (Enterprise Passkeys Guide 4)

Overview: Enterprise Guide#

• Introduction
• Part 1: Initial Assessment and Planning
• Part 2: Stakeholder Engagement
• Part 3: Product, Design & Strategy Development
• Part 5: Testing Passkey Implementations

1. Introduction#

Integrating passkeys into your existing systems is a crucial step in adopting this new authentication method. It involves connecting passkey functionality to various components of your current infrastructure to ensure a seamless user experience and maintain operational efficiency. When third-party systems are involved, careful planning is essential to align different technologies and processes.

In this article, we will explore the key areas where integration is necessary, posing one important question for each:

• Website and Frontend Applications: How can we effectively integrate passkeys into our website and frontend applications to enhance user experience?
• Authentication and MFA Systems: What considerations are essential when connecting passkeys to our existing authentication and multi-factor authentication systems?
• Customer Support Systems: How should customer support be integrated to assist users with passkey-related issues?
• Security, Logging, and Audit Systems: What steps are needed to enhance our security, logging, and audit systems in light of passkey integration?
• Reporting, Business Intelligence, and Data Warehouses: How can we incorporate passkey data into our reporting and analytics tools for better insights?

For each area, we'll discuss the integration challenges and explain how Corbado can assist you in seamlessly incorporating passkeys into your existing landscape.

2. Integrating Passkeys into the Website and Frontend Applications#

Let’s start by having a look at the customer-facing site of the integration: the website and frontend applications.

2.1 Understanding the Need for Website and Frontend Integration#

Integrating passkeys into your website and frontend applications is a critical step. Passkeys offer a secure and user-friendly alternative to traditional authentication methods like passwords, but their implementation requires careful planning and execution on the frontend side – a large portion of the passkey implementation also takes place in the frontend as it needs to call APIs in the browser / operating system. To leverage this improved user experience, your frontend applications must support the following high level functionalities:

• Passkey Creation Flows: Enabling users to create and register passkeys during account creation or within their account settings.
• Passkey Login Mechanisms: Allowing users to authenticate using passkeys, which may involve biometric prompts or security keys.
• Passkey Management Interfaces: Providing users with the ability to view, add, or remove passkeys associated with their accounts.

While the Web Authentication API (WebAuthn) provides the foundational methods like navigator.credentials.create() for passkey creation and navigator.credentials.get() for passkey retrieval, the real challenges lie in the surrounding processes:

1. Implementing Multi-Step Authentication Flows: Unlike traditional password authentication, passkey creation and login require multiple backend API calls and careful handling of cryptographic data.

2. Providing Fallback Options: Not all users will have devices that support passkeys, or they may encounter issues during the authentication process. Your frontend must gracefully handle these scenarios by:

   • Detecting Passkey-Readiness: Assessing whether the user's device and browser support passkeys before initiating the process.
   • Connecting Alternative Methods: Providing options like one-time passcodes (OTP) via email or SMS, or traditional password login as fallbacks.

3. Ensuring Cross-Platform, Cross-Device and Cross-Browser Compatibility: Users access your services from a variety of devices and browsers, each with different levels of support for passkeys. Your frontend should account for:

   • Platform Differences: Handling variations in passkey support across operating systems like Windows, macOS, iOS, and Android.
   • Browser Variations: Adapting to inconsistencies in how browsers like Chrome, Safari, Firefox, and Edge implement WebAuthn features.
   • Third-Party Passkey Providers: Supporting passkeys stored in third-party password managers (e.g. 1Password or Dashlane), which may affect how passkeys are accessed and used.

4. Designing Intuitive User Interfaces: A successful passkey integration requires thoughtful UI/UX design to guide users through the new authentication processes:

   • User Onboarding: Educating users about passkeys and guiding them through the setup process.
   • Clear Prompts and Error Messages: Providing informative messages during authentication to help users understand what is happening, especially if issues arise.
   • Consistent Branding and Experience: Customizing authentication prompts to align with your brand while maintaining security standards.

5. Managing Passkey Lifecycle: Users may need to manage their passkeys over time, as they may add new devices or remove old ones. Your frontend should facilitate this by:

   • Passkey Management Interfaces: Allowing users to view a list of their registered passkeys and perform actions like adding or deleting them.
   • Handling Synchronization: Addressing scenarios where passkeys are synced across devices or when a user loses access to a device.

6. Implementing Security Measures: Security is of utmost importance in authentication systems. Your frontend must ensure that:

   • Passkey Operation are in Secure Contexts: All passkey operations occur over secure connections (HTTPS) to prevent interception, as the WebAuthn protocol can only be used in HTTPS scenarios.
   • Prevention of Account Takeovers: Measures are in place to prevent unauthorized registration of passkeys to existing accounts.

7. Overcoming Implementation Challenges: Implementing passkeys on the frontend can introduce unexpected challenges:

• Complex Error Handling: Dealing with a variety of error scenarios, such as users canceling biometric prompts or devices lacking necessary hardware.
• Device and Browser Detection Limitations: Accurately detecting passkey capabilities without infringing on user privacy can be difficult due to limitations in browser APIs.
• Testing Across Environments: Ensuring consistent behavior across all combinations of devices and browsers requires extensive testing and possibly maintaining a suite of test devices. Automated tests can only rely on a WebAuthn Virtual Authenticator.

8. The Importance of Passkey Intelligence: To provide a smooth user experience, your frontend should incorporate " passkey intelligence," which involves:

• Analyzing User Behavior: Understanding how users interact with passkey prompts to optimize when and how they are presented.
• Adaptive Flows: Dynamically adjusting authentication flows based on device capabilities and user preferences and existing passkeys.
• Data-Driven Decisions: Using analytics to inform improvements in the authentication process and identify potential issues.

Integrating passkeys into your website and frontend applications is more than just implementing new API calls; it requires a holistic approach that considers user experience, technical challenges, security, and adaptability. By thoroughly understanding these needs and planning accordingly, you can provide a secure, seamless, and modern authentication experience that meets user expectations and supports your organization's goals.

2.2 How Corbado Can Assist#

Corbado focuses on connecting the frontend of large scale consumer deployments seamlessly, therefore a considerable amount of work has been done in order to create an optimized and reliable passkeys experience.

2.2.1 Passkey Intelligence#

Corbado has the leading passkey intelligence engine that incorporates all available signals to optimize passkey experience. It is designed to optimize the user experience and increase login conversion by protecting users from confusing passkey-related situations. While protecting users, Passkey Intelligence also attempts to offer as many passkey login opportunities as possible, including cross-device logins (in case it is configured to do so). To make informed decisions, Passkey Intelligence takes into account the following input data:

• Metadata about the user’s current device: Includes details about the operating system, browser, LocalStorage availability, Bluetooth support, etc.

  • Existing passkeys: Evaluates whether passkeys are already stored, where they are saved (e.g., on a specific device, cloud synced), and if they are available for cross-device authentication.

  • Data about previous passkey operations: Tracks previous passkey operations, such as successful and failed login attempts in similar environments.

  • Optimization Goals:

    • Maximize successful passkey logins: Ensure as many successful passkey logins as possible after suggesting & starting a passkey login.

    • Minimize failed logins after allowing a passkey login: Avoid offering passkey logins where failure is likely, directly falling back to alternative authentication measures.

The system uses a dynamic decision-making process based on these inputs to decide when to offer a passkey login or fall back to other methods such as password and legacy 2FA. The data is continously updated based on new behaviours, specification and changes to browsers that can help improve authentication changes such as WebAuthn Client hints recently. It powers all products of Corbado including Corbado Complete and Corbado Connect.

2.2.2 Pre-built UI Components#

Corbado provides ready-to-use UI components for passkey creation, login, and management. These components are designed to deliver a consistent and user-friendly experience. All three UI components are designed for easy integration into any frontend framework (React, Vue, Angular, etc.). Developers can also embed them using simple HTML and JavaScript without requiring any deep knowledge of the underlying code. Each UI component automatically adapts to the environment & device (responsive design), ensuring that passkeys are only offered when supported by the user’s browser and device. Corbado provides the following UI components.

• CorbadoConnectLogin: The CorbadoConnectLogin UI component provides users with the ability to log in using their previously created passkeys. This component can automatically detect if a passkey is available for the user and prompts them to log in securely using passkeys.

  First passkey login
  

  

  After the first passkey login

  

  Passkey as second factor
  

  

  • Passkey-Based Login: Offers passkey login if one exists for the user, providing a passwordless login experience. It supports Conditional UI and One-Tap Passkey Login.
  • Second factor login: The CorbadoConnectLogin component can also operate behind passwords as a second factor in cases where regulated environments do not allow passkeys to be used as a self-contained MFA. In this setup, Passkey Intelligence helps display passkeys as a second factor when available or falls back to other authentication factors.
  • Fallback Support: If no passkeys are available or the passkey login fails, the UI component can trigger a fallback to conventional login methods (e.g., password and legacy 2FA).
  • User Interaction: Depending on the environment, the UI component can either offer passkey login directly, allow the user to switch to a fallback method, or provide a one-tap passkey login for previously used devices.
  • Fully Customizable: Developers can define what happens after a successful login, how to handle fallback scenarios, and error conditions that may occur during the login process. All component designs are fully customizable.

• CorbadoConnectAppend: The CorbadoConnectAppend UI component allows users to append a new passkey to their account. This component is typically used when a user completes an initial login with another method (e.g., password) and is given the option to add a passkey for future logins.

• Passkey Creation: Users can append a passkey to their account, improving future login security.
• Conditional Rendering: The UI component decides whether to display based on factors such as device capabilities and user eligibility (e.g., gradual rollout decisions or passkey intelligence).
• Customizable: You can adjust behaviors like skipping passkey creation or handling the completion of the passkey append process and customize the UI to match your design. Different wordings can be used based on existing examples within the industry.

• CorbadoConnectPasskeyList: The CorbadoConnectPasskeyList UI component allows users to manage their existing passkeys. This includes listing all passkeys associated with their account and providing options to delete or append new passkeys.

• Passkey Management: Users can view, append, or delete passkeys directly from their account management page. It also shows which passkey is synced in a cloud and if it can be used for cross-device authentication.
  • Cross-Platform Compatibility: The UI component ensures users can manage their passkeys across different devices or platforms (e.g., browser or mobile) including all important information. It automatically adapts to the platform specifics.
  • Customizable: This UI component is highly customizable, allowing changes in the way the passkey list is displayed, and tailoring actions based on user roles or permissions (e.g., admin vs. regular user).

In summary, Corbado’s pre-built UI components provide a smooth, secure, and customizable user experience, whether it’s for creating, managing, or using passkeys for authentication. These components are designed with flexibility in mind, making it easy for developers to embed them into existing projects.

2.2.3 Automatic Updates & Backend & Native SDKs#

Corbado not only provides pre-built UI components for seamless passkey integration in the web but also ensures that these components remain up-to-date with the latest security standards and WebAuthn standard advancements.

Automatic Updates for UI Components

• Regular Updates: The UI components provided by Corbado are continuously maintained and updated to ensure they are aligned with the evolving WebAuth standard and browser capabilities (e.g. WebAuthn Signal API). These updates are automatically applied to the UI components delivered via the Corbado CDN, reducing the burden on developers to manually maintain or upgrade the components in dedicated release processes.

• Backward Compatibility: Corbado ensures that updates maintain backward compatibility, so your current integration remains unaffected while receiving new passkey features and improvements.

Dedicated SDKs for Native Apps

For native mobile applications on iOS and Android, Corbado provides SDKs tailored to different platforms, enabling smooth passkey integration into native environments. These SDKs offer the same passkey management features as the web components, optimized for mobile performance.

• iOS SDK: The iOS SDK is designed to integrate seamlessly into native iOS apps. It supports passkey creation, management, and authentication, leveraging Apple’s secure ecosystem (such as Face ID and Touch ID) for a smooth user experience**.**

• Android SDK: The Android SDK provides native Android support for passkey integration, making use of platform-specific features like fingerprint and face scanning authentication. This SDK ensures a secure and consistent experience across different Android devices.

2.2.4 Gradual Rollout Support for SDKs & Components#

One of the key features of Corbado’s UI components and SDKs is their built-in support for gradual rollout, a mechanism that enables enterprises to control which users can access passkey features. Rulesets are defined within the management panel and managed by Corbado for large enterprise deployments.

Whether using the pre-built UI components or the dedicated SDKs for mobile and backend integrations, all Corbado implementations are designed to work seamlessly with gradual rollout rulesets and integrate into the overall system.

Gradual Rollout Support for UI Components

The UI components for passkey login, append, and passkey management are all capable of evaluating gradual rollout rules to decide whether to display certain options to users. For example:

• The CorbadoConnectAppend UI component will check whether the current user is eligible for appending a passkey based on predefined rules before presenting the option.
• The CorbadoConnectLogin UI component will determine if passkey login should be offered, or if the user should be redirected to fallback methods (e.g., password and legacy 2FA), depending on the rollout settings.
• The CorbadoConnectPasskeyList UI component will only show passkey management options to users who meet the criteria established by the ruleset.

These decisions are made dynamically by calling Corbado’s Frontend API, which evaluates the rules and sends back the appropriate response for the user’s current session.

Gradual Rollout for SDKs

Corbado’s SDKs for Flutter, iOS, and Android are also fully integrated with the gradual rollout feature. This means that mobile applications can implement controlled rollouts of passkey features, ensuring that only a specific subset of users – based on criteria like platform, app version, or random selection – will have access to passkey functionality at a given time.

In addition, backend SDKs and API integrations are designed to respect the gradual rollout rulesets as well. Backend processes, such as deciding whether a user can append or delete passkeys via a native app or web app, can be controlled in the same way. This ensures consistency across frontend and backend operations.

Customizable Rollout Strategy

Gradual rollout gives enterprises the flexibility to roll out passkey features in stages:

• Controlled Access: Roll out passkey features slowly to specific user segments (e.g., only iOS users or a small percentage of Android users) to monitor performance and user feedback.
• Dynamic Adjustments: As user adoption grows and the system proves stable, you can gradually expand access, eventually enabling passkey functionality for all users.

This approach minimizes risk while ensuring a smooth transition to passkey authentication for both developers and end-users.

3. Connecting to Existing Authentication and MFA Systems#

You already have an existing authentication system that needs to be updated or connected to the new passkey solution. Let’s see what implications that has.

3.1 Understanding the Need for Authentication System Integration#

Integrating passkeys into your existing authentication and Multi-Factor Authentication (MFA) systems is a critical step that requires careful consideration. It's not just about adding a new authentication method, it's about ensuring that passkeys seamlessly integrate with your current infrastructure without disrupting user experience or compromising security – this is the reason we already have created and analyzed the MFA roadmap earlier. Here are the key aspects to understand:

3.1.1 Control Over the Frontend is Essential#

One of the fundamental requirements for integrating passkeys is having control over the frontend of your application including the authentication part. This control is crucial for several reasons:

• Frontend Customization: Passkey implementation involves significant changes to the user interface (UI) and user experience (UX). You need to integrate new flows for passkey creation, authentication, and management, which require custom UI components and JavaScript-heavy operations.
• Limitations with Cloud Providers: If you're using a cloud authentication provider that also controls the UI (like certain Identity-as-a-Service platforms), you may find it challenging to implement a consumer-friendly passkey solution. These providers often offer limited customization, making it difficult to integrate the necessary passkey workflows effectively. Contact us directly in case you are having such a solution and are not happy with the passkey solution provided.
• Advantages of Self-Developed or API-Based Systems: If you have a self-developed authentication system or one that primarily operates over APIs (a backend authentication system), you have full control over the frontend. This setup allows you to customize the UI and implement passkey functionality as needed, providing a seamless experience for your users. This includes Cognito, Firebase, Keycloak or Supabase.

If you're unsure about this step, feel free to contact us so we can determine together if we can assist you in deploying passkeys. If you prefer to retain control over your frontends and not use Corbado UI Components, we can expose the API directly.

3.1.2 Deciding on the Implementation Approach#

Before integrating passkeys, you need to determine how they will fit into your authentication flows. There are a lot of ways to integrate passkeys but there are two fundamental approaches:

1. Passkeys as a Self-Contained MFA or Login Method (replacing Password + SMS OTP):

   • Session Creation: Using passkeys as a standalone authentication method means that after a user successfully authenticates with a passkey, your system must create a session for them. This requires backend logic to handle session management based on passkey authentication.
   • Custom Handlers: You may need to implement custom authentication handlers that can process the passkey credentials and establish a secure session without relying on traditional username/password checks.

2. Passkeys as a Second Factor after Password-Login (replacing SMS OTP):

   • Integration with Existing MFA: If you plan to use passkeys as an additional factor after the primary authentication (e.g., password), you need to integrate them into your existing MFA workflow.
   • Intercepting Second Factor Token Creation: This can be complex, as it involves intercepting the process where the second-factor token is generated or verified. Your system must be capable of handling the passkey verification before proceeding with the usual MFA steps.
   • Implementation Challenges: Depending on how your current MFA system is implemented, integrating passkeys might be difficult. Some systems may not provide the necessary hooks or APIs to insert passkey verification into the MFA process.

Depending on the approach, different parts need to be adjusted within your existing implementation. Also keep in mind that even between those two fundamental approaches there are more passkey integration options that bring different results in quality and adoption.

3.1.3 Database, WebAuthn Server and Infrastructure Considerations#

Integrating passkeys into your authentication system necessitates careful planning of your backend infrastructure, particularly concerning your database schema and the choice of a WebAuthn server library. This integration impacts how you store and manage user credentials, handle authentication processes, and maintain security and compliance.

Storing Passkey Credentials

• Credential Data: Implementing passkeys requires securely storing users' public keys, credential IDs, and other associated metadata. This data is essential for verifying authentication requests and managing user credentials.
• Database Schema Design: Designing a matching database schema is crucial to handle the diverse data formats required by the WebAuthn standard, such as cryptographic keys, challenge responses, and attestation objects. This may involve extending your existing user tables or creating new tables dedicated to passkey information.
  • Required Tables and Columns: At a minimum, you should have a credentials table to store passkey-related data, typically including fields like credential_id, user_id (as a foreign key), public_key, attestation_type, AAGUID, signature_count, and timestamps for creation and last use.
  • Relationships Between Tables: Establishing proper relationships between tables, such as foreign keys linking credentials to users, ensures data integrity and facilitates efficient queries.
  • Encoding Challenges: Be mindful of encoding and data type challenges when storing complex data like public keys and attestation objects. Ensure your database can handle binary data and that you correctly encode and decode data (e.g., Base64URL encoding) to prevent errors.

You can find more information regarding the database in our dedicated article around Passkeys & WebAuthn databases.

Passkey Intelligence Data (optional)

We already explained what Passkey Intelligence is regarding the frontend, but actually implementing it requires the information also to be stored in the database. Incorporating passkey intelligence into your authentication system enhances the user experience by optimizing when and how passkey authentication is offered. This involves collecting and analyzing data to make informed decisions about authentication flows.

This is especially important if you want to implement a system with high adoption and passkey usage rate, when you first query the user identifier and then automatically start a passkey authentication (Identifier-first approach: which we also call Automatic Passkey Login approach). To be sure when the passkey authentication should be started, additional information needs to be stored to determine passkey availability when a user logs in.

• Collecting Authenticator Metadata:

  • Authenticator Details: Store information about the authenticators used, such as the type (platform vs. roaming), AAGUIDs, and whether they support features like cloud sync or cross-device authentication.
  • Device Capabilities: Record data about the user's device, including operating system, browser version, LocalStorage availability, and support for features like Bluetooth or biometric sensors.

• Tracking Passkey Usage and Behavior:

  • Existing Passkeys: Keep track of whether users have existing passkeys registered, where they are stored, and their availability for cross-device authentication.
  • Previous Passkey Operations: Log successful and failed passkey login attempts, including the environments in which they occurred, to identify patterns and improve success rates.

• Optimization Goals:

  • Maximize Successful Logins: Use collected data to offer passkey authentication when it is most likely to succeed, enhancing user satisfaction and reducing friction.
  • Minimize Failed Attempts: Avoid presenting passkey options when failure is probable, automatically providing alternative authentication methods to prevent user frustration.

• Implementing Passkey Intelligence Engine:

  • Dynamic Decision-Making: Develop logic that uses collected data to make real-time decisions about authentication flows, such as whether to prompt for a passkey or fallback to other methods.
  • Adaptive Flows: Adjust authentication prompts based on user behavior and device capabilities, improving overall success rates and user experience.

• Security and Compliance:

  • Data Protection: Implement robust security measures to protect the additional data collected for passkey intelligence, including encryption and strict access controls.
  • Transparency: Inform users about the data being collected and how it is used to enhance their authentication experience.

Infrastructure Adjustments

• WebAuthn Server Integration: Integrate a WebAuthn server library into your backend to handle the generation and verification of WebAuthn challenges. Adjust your authentication logic to incorporate passkey authentication alongside or in place of existing methods.

  • Choosing a WebAuthn Server Library: Select a library compatible with your programming language and framework. Libraries like SimpleWebAuthn (TypeScript), fido2-net-lib (.NET), py_webauthn (Python), and others provide essential functionality for implementing passkeys.
  • Defining Server Options: Configure the WebAuthn server library according to your requirements, specifying parameters such as authenticator selection criteria, user verification policies, and supported attestation formats.

• Scalability and Performance: Passkey operations involve cryptographic computations and additional database interactions. Optimize backend processes to handle this load efficiently. Consider load balancing, caching strategies, and database indexing to improve performance.

• Testing Across Environments: Conduct extensive testing across different devices, browsers, and operating systems to ensure compatibility and consistent user experiences. This includes handling various authenticator types and adapting to platform-specific behaviors.

Challenges with WebAuthn Server Library Implementations

• Diverse Implementations: Various WebAuthn server libraries are available across different programming languages and frameworks, each with its approach to integrating WebAuthn. This diversity can complicate determining the most appropriate database schema for your application.
• Storage Repositories: Some WebAuthn server libraries explicitly define the storage repository, while others leave the storage layer entirely up to the developer. You may need to design and implement the database interactions yourself, based on the library's requirements.
• Data Formats and Encoding Challenges: The WebAuthn standard requires handling complex data formats and encodings, such as binary data, Base64URL encoding, and JSON structures. Ensure your database can store these data types correctly and that your application can encode and decode them as needed.

By thoroughly planning your database schema – including considerations for passkey intelligence data – selecting an appropriate WebAuthn server library, and adjusting your infrastructure, you can successfully integrate passkeys into your authentication system. This integration will enhance security, provide a modern and user-friendly authentication experience, and maintain compliance with security standards and regulations.

3.1.4 Additional Considerations for Integration#

When integrating passkeys into your existing authentication system, consider the following:

• User Experience Design:

  • Intuitive Flows: Design user flows that make passkey registration and authentication straightforward.
  • Education: Provide users with information about what passkeys are and how to use them to encourage adoption.

• Fallback Mechanisms:

  • Alternative Authentication Methods: Not all users will have devices that support passkeys. Ensure you have fallback options like passwords, OTPs, or security questions.
  • Adaptive Authentication: Implement logic to detect when passkeys are not available and automatically offer alternative methods.

• Cross-Platform Compatibility:

  • Device and Browser Support: Passkeys rely on WebAuthn and FIDO2 standards, which may not be uniformly supported across all devices and browsers.
  • Testing: Conduct extensive testing across different environments to ensure compatibility.

• Security Enhancements:

  • Risk-Based Authentication: Use passkey intelligence data to make informed decisions about authentication risk levels.
  • Anomaly Detection: Monitor for unusual authentication patterns that may indicate fraudulent activities.

• Logging and Monitoring:

  • Audit Trails: Keep detailed logs of passkey registrations and authentications for compliance and security auditing.
  • Real-Time Monitoring: Integrate with your Security Information and Event Management (SIEM) systems to monitor authentication events in real-time.

• Scalability and Performance:

  • Load Handling: Ensure that your system can handle the additional load from passkey operations without degrading performance.
  • Efficient Processing: Optimize backend processes to handle cryptographic operations efficiently.

• Development and Maintenance Effort:

  • Resource Allocation: Be prepared for the development effort required to implement and maintain passkey integration.
  • Expertise: Ensure your development team has the necessary expertise in WebAuthn, cryptography, and security best practices.

By thoroughly considering these factors and leveraging expertise where needed, you can successfully integrate passkeys, providing a modern, secure authentication experience for your users.

3.2 How Corbado Can Assist#

Corbado specializes in seamlessly integrating passkeys into any existing authentication and MFA systems, regardless of their complexity or architecture. We focus on providing flexible solutions that adapt to your current infrastructure, ensuring a smooth transition to passkey authentication without disrupting your existing processes. Here's how Corbado can assist in this critical integration phase:

Integration with Any Authentication System

• Universal Compatibility: Corbado's platform is designed to integrate with any form of authentication system, whether it's a self-developed solution or standard platforms like Amazon Cognito, Firebase, Keycloak, and others.
• Custom Implementation: We offer tailored implementations for each client. Our team can adjust and fine-tune the integration process to meet the specific needs of your authentication infrastructure.
• Backend-Centric Design: Our solutions are built to ensure that your backend authentication system remains the primary store of user credentials and session information. Passkeys are integrated in a way that complements your existing system rather than replacing it. No PII relevant data is stored, we only connect to your unique account or user UUID.
• Embedded WebAuthn Server: Corbado’s platform includes an embedded WebAuthn server with the appropriate options pre-configured, streamlining the integration process. This server comes with a matching database system optimized for storing and managing WebAuthn credentials, reducing the complexity of setup and ensuring compatibility with various authentication flows. By leveraging this embedded solution, enterprises can quickly and securely deploy passkey functionality without needing to configure a separate WebAuthn server.

Customizable Handlers and Components

• Flexible Handlers: Corbado provides components with handlers that can be integrated and customized according to your requirements. These handlers allow you to define how passkey authentication interacts with your system, ensuring seamless integration.
• Event Handling: Customize the way your system responds to various authentication events, such as successful passkey registrations, logins, or errors. This flexibility enables you to maintain control over the authentication flow and user experience.

MFA Status Management

• Dynamic MFA Control: Corbado's handlers include functionality to change MFA status in your primary authentication system based on passkey authentication. For example, if a user successfully logs in with a passkey, your system can recognize this as a strong authentication factor and adjust MFA requirements accordingly.
• Policy Enforcement: Implement security policies that dictate when additional authentication factors are needed. Corbado's integration allows you to enforce these policies seamlessly within your authentication flow.

Maintaining Backend as the Primary Store

• Data Sovereignty: We design the integration to keep all critical authentication data within your backend systems. This ensures that you retain full control over user credentials, session data, and authentication logs. We only store all metadata relevant for passkey intelligence in addition to logs.
• Compliance and Security: By keeping the primary data store in your backend, you can maintain compliance with internal policies and regulatory requirements. Corbado's integration respects your data governance standards, ensuring that passkey data is handled securely.
• Minimal Disruption: Our approach minimizes changes to your backend infrastructure. We work with your existing data structures and authentication logic, reducing the need for significant overhauls or migrations.

Streamlined Integration Process

• Expert Support: Corbado provides dedicated support to guide you through the integration process. Our team works closely with your developers to ensure a smooth implementation.
• Comprehensive Documentation: We offer detailed documentation, code samples, and best practices to assist your development team in integrating passkeys effectively.
• Testing and Validation: Corbado assists in testing the integration to ensure that passkeys function correctly within your authentication flows and meet all security requirements.

Adaptable Solutions for Complex Scenarios

• Legacy Systems Integration: For organizations using legacy authentication systems, Corbado can provide custom connectors or middleware to enable passkey integration without requiring a complete system overhaul.
• Hybrid Authentication Models: Support for hybrid models where passkeys are used alongside traditional authentication methods (passwords, OTPs) allows for gradual adoption and user transition.

Ongoing Support and Updates

• Continuous Improvement: Corbado keeps its platform and components up to date with the latest security standards and technological advancements, ensuring your authentication system remains current.
• Dedicated Support Services: We offer ongoing support, including troubleshooting, updates, and enhancements, to ensure long-term success with passkey integration.

Overall Corbado can help you add passkeys to your existing authentication stack without having the pressure migrate and adjust your complete authentication stack.

4. Integrating with Customer Support Systems#

4.1 Understanding the Need for Customer Support Integration#

Integrating customer support into the process of implementing passkeys is crucial because authentication and Multi-Factor Authentication (MFA) are critical components of user security and experience. As passkeys become a primary method of authentication, users may encounter issues that require assistance. Here's why and how customer support integration is essential:

Importance of Customer Support in Authentication

• Complexity of Authentication Issues: Users may face challenges such as forgotten passkeys, device changes, or difficulties in setting up passkeys on new devices. These issues can prevent access to their accounts, making efficient support vital.
• Security Sensitivity: Handling authentication and MFA involves sensitive security considerations. Support interactions must maintain high security standards to prevent unauthorized access.
• User Trust and Confidence: Effective support reinforces user trust in your platform's security measures, encouraging adoption of passkeys and adherence to security best practices.

Functional Requirements of a Good Customer Support Solution

To effectively support users with passkey-related issues, a customer support solution should provide:

1. Detailed MFA Status and Passkey Information:

   • MFA Status Listing: Display the current MFA status for each user, indicating whether MFA is enabled or disabled.
   • Existing Passkeys Overview: Provide a list of all passkeys associated with a user's account, including details about each passkey (when it was created and last used).
   • Authenticator Details: Show information about which authenticators the passkeys reside on (e.g., device type, operating system, browser).

2. Passkey & MFA Management Capabilities:

   • MFA Modification Options: Allow support agents to change MFA settings, such as enabling or disabling MFA for a user.
   • Passkey Revocation and Reset Functions: Enable agents to revoke or reset passkeys when necessary, such as when a device is lost or compromise.

3. Hierarchical Support Structure: Support does not only include phone support, but it should also be a complete strategy.

   • Level 0 - Self-Help Resources:

     • Comprehensive Documentation: Provide users with accessible guides, FAQs, and tutorials on setting up and managing passkeys.
     • Interactive Troubleshooting: Offer tools like step-by-step wizards or chatbots to help users resolve common issues independently.

   • First Level - Customer Support Agents:

     • Accessible Support Channels: Ensure users can easily reach support via email, phone, or live chat when self-help resources are insufficient.
     • Efficient Issue Resolution: Train agents to handle passkey-related inquiries, such as assisting with passkey setup, resetting MFA, or addressing login difficulties.

   • Second Level - Technical Support for Customer Support Systems:

     • Advanced Diagnostic Information: Provide technical support teams with detailed logs and data about authentication failures, including error codes, device types, and timestamps.
     • Collaboration Tools: Enable seamless communication between support tiers to escalate and resolve complex issues effectively.

Key Considerations for Implementation

• Role-Based Access Control: Ensure that support agents have appropriate access levels, with sensitive actions like passkey revocation restricted to authorized personnel.

• Data Privacy Compliance: Handle user data in accordance with privacy regulations, ensuring that sensitive information is protected during support interactions.

• Training and Knowledge Management:

  • Support Staff Training: Provide comprehensive training on passkey technology, common issues, and resolution procedures.
  • Knowledge Base Maintenance: Keep self-help resources and internal knowledge bases up to date with the latest information.

• Integration with Support Tools:

  • System Compatibility: Integrate passkey management capabilities into existing customer support platforms ( e.g., Zendesk, Salesforce Service Cloud).
  • Automation Opportunities: Utilize automation for routine tasks like sending passkey reset links or updating MFA settings.

Integrating customer support into the passkey authentication process is essential for providing users with the assistance they need while maintaining high security standards. By offering a structured support system that includes self-help resources, knowledgeable support agents, and technical escalation paths, you ensure that users can navigate passkey-related challenges effectively. This integration not only enhances the user experience but also reinforces the security and reliability of your authentication system.

4.2 How Corbado Can Assist#

Corbado is dedicated to empowering your customer support teams at every level to ensure a seamless and secure passkey authentication experience for your users:

Level 0 - Self-Help Resources

• Comprehensive Documentation and FAQs: Drawing from our extensive operational experience, Corbado provides detailed, user-friendly guides, FAQs, and tutorials tailored to your current implementation. These resources help users understand how to set up and manage passkeys effectively, reducing the need for direct support.

• Interactive Troubleshooting Tools: We offer interactive tools like the passkey-debugger.io that assist users in resolving common passkey-related issues independently. These tools enhance the self-service capabilities of your platform, improving user satisfaction.

First Level - Customer Support Agents

• Tailored Support Documentation: Corbado supplies in-depth documentation specifically designed for your customer support agents. This includes procedures for assisting users with passkey setup, resetting MFA, and troubleshooting login difficulties, ensuring consistent and accurate support.

• Training and Knowledge Transfer: We provide comprehensive training programs for your support staff, equipping them with the knowledge and skills needed to handle passkey-related inquiries effectively. Our training covers common issues, resolution procedures, and best practices in passkey authentication.

Second Level - Technical Support

• Advanced Management Panel: For technical support teams, Corbado offers a secure management panel that provides detailed authentication logs, error codes, device types, and timestamps. This tool enables advanced diagnostics and efficient resolution of complex authentication issues. The following screen is an advanced view to debug passkey logins:

• Debugging Assistance: We assist your technical teams in utilizing the management panel for debugging purposes. Our experts are available to brief, train, and guide your staff in navigating the system, ensuring they can address and resolve escalated issues swiftly.

Seamless Integration with Existing Support Systems

• Backend API Integration: Corbado's solutions are designed for seamless integration into your existing customer support systems via our backend APIs. This allows you to embed passkey management functions directly into your tools, displaying information consistently with our CorbadoPasskeyList format. Support agents can access all necessary passkey data within their familiar interfaces, enhancing efficiency.

• Role-Based Access Control: Our platform incorporates robust role-based access control mechanisms. We ensure that only authorized support personnel have access to sensitive passkey information and functionalities, such as passkey revocation and MFA modifications, maintaining compliance with your security policies.

Ongoing Support and Training

• Training Across All Support Levels: Corbado is committed to providing training and resources for all levels of your support hierarchy. From customer-facing agents to technical support teams, we offer continuous education to keep your staff updated on the latest developments in passkey technology and security best practices.

• Knowledge Base Maintenance: We assist in maintaining and updating your internal knowledge bases and self-help resources, ensuring that both your users and support teams have access to the most current information.

By partnering with Corbado, you not only provide top-tier support for your users but also reinforce the security and reliability of your authentication system. Our solutions help build user trust and confidence in your platform's security measures, encouraging widespread adoption of passkeys and adherence to best practices.

5. Enhancing Security, Logging, and Audit Systems#

5.1 Understanding the Need for Security Integration#

Maintaining Integrating passkeys into your authentication system significantly enhances security by leveraging strong cryptographic methods and reducing reliance on traditional passwords. However, the introduction of passkeys also necessitates a thorough integration with your existing security, logging, and audit systems to maintain a robust security posture. This integration is essential for several reasons:

Real-Time Monitoring of Authentication Activities

• Event Visibility: Capturing detailed authentication events allows for real-time visibility into user activities, enabling prompt detection of suspicious behavior.
• Threat Detection: Monitoring passkey-related events helps identify potential security threats, such as unauthorized access attempts, credential misuse, or anomalies in authentication patterns.
• Incident Response: Immediate access to authentication data accelerates incident response times, allowing security teams to mitigate risks more effectively.

Integration with Security Infrastructure

• Event Streaming: Continuous streaming of authentication events into your security systems ensures up-to-date information is available for analysis.
• SIEM Integration: Feeding authentication data into Security Information and Event Management (SIEM) systems facilitates comprehensive threat detection by correlating passkey events with other security logs.
• Fraud Detection Systems: Integrating passkey data with fraud detection platforms enhances their ability to identify and prevent fraudulent activities.

Compliance and Regulatory Requirements

• Audit Trails: Maintaining detailed logs of authentication events is critical for compliance with regulations like GDPR, SOC, Essential Eight and HIPAA.
• Data Retention Policies: Proper integration ensures that authentication data is stored and managed according to legal and organizational data retention requirements.
• Transparency and Accountability: Comprehensive logging and auditing support transparency, demonstrating your organization's commitment to security best practices.

By thoroughly integrating passkey authentication events into your security, logging, and audit systems, you enhance your organization's ability to detect and respond to threats, maintain compliance, and uphold a strong security posture.

5.2 How Corbado Can Assist#

Corbado offers comprehensive solutions to enhance your security, logging, and audit systems when integrating passkeys into your authentication infrastructure.

Real-Time Monitoring of Authentication Activities

• Customizable Event Streaming: Corbado provides a flexible event streaming capability that allows you to receive important authentication events in real-time. This enables immediate visibility into user activities and supports prompt detection of suspicious behavior.
• Live Event Streaming: Our platform can stream critical events live to your security systems, ensuring that your security team can respond swiftly to potential threats.
• Incident Response Support: By providing detailed event data, Corbado facilitates faster incident response times, allowing your security teams to mitigate risks more effectively.

Integration with Security Infrastructure

• SIEM Compatibility: Corbado supports integration with popular Security Information and Event Management (SIEM) solutions. This compatibility allows for seamless ingestion of authentication data into your existing security monitoring tools.
• Customizable Logging: We offer a customizable local logging system that can be adjusted to meet your organization's specific needs. Logs can be configured to capture the necessary level of detail and are purged according to your data retention policies.
• Fraud Detection Enhancement: By integrating passkey data with your fraud detection platforms, Corbado enhances their ability to identify and prevent fraudulent activities. Detailed authentication events help in correlating anomalies and unusual patterns.

Compliance and Regulatory Requirements

• Audit Trails and Reporting: Corbado maintains detailed logs of authentication events, which are essential for compliance with regulations such as GDPR, SOC, Essential Eight, and HIPAA. Our logging system ensures that all necessary information is captured and retained appropriately.
• Data Retention Policies: We understand the importance of data governance. Corbado's logging and event storage systems can be customized to align with your legal and organizational data retention requirements. Logs can be purged after a specified period as dictated by your policies.
• AWS Config Reports: For dedicated instances, Corbado provides AWS Config reports, offering regular audits of configuration settings for internal review. This helps in maintaining transparency and accountability within your infrastructure.

Expert Support and Collaboration

• Integration Assistance: Corbado's team of experts will work closely with your IT and security teams to integrate our event streaming and logging capabilities into your existing infrastructure.
• Customization Guidance: We provide guidance on customizing logging levels, data retention settings, and integration with your SIEM or other security tools, ensuring that the solution fits seamlessly into your operations.
• Ongoing Support: Our support doesn't end after implementation. Corbado offers continuous assistance to ensure that your security, logging, and audit systems remain effective and up-to-date.

By integrating Corbado's advanced security features, you ensure that your passkey authentication system not only enhances user experience but also strengthens your overall security infrastructure. Our solutions provide the tools and support necessary to maintain a secure, compliant, and efficient authentication environment.

6. Integrating Reporting, BI, and Data Warehouses#

6.1 Understanding the Need for Reporting and Analytics Integration#

Integrating reporting and analytics into your passkey implementation is essential for monitoring performance, understanding user behavior, and making strategic decisions. Key Performance Indicators (KPIs) play a crucial role in assessing the effectiveness of passkey adoption and usage within your system. Depending on which part of the system you are focusing on, different KPIs are important:

• Passkey Adoption Rate: This KPI measures the percentage of users who create a passkey when presented with the opportunity. Specifically, you should track whether users on compatible systems proceed to create a passkey when prompted. A high adoption rate indicates that users are willing to embrace passkeys as a secure authentication method and the messaging is clear.
• Passkey Login Rate: This KPI monitors the number of suggested passkey login prompts (for users with passkeys) that result in a successful login. It reflects how effectively users are able to use passkeys for authentication and whether the passkey login process is intuitive and reliable. In addition the duration and possible aborts can be measured.

By combining the Passkey Adoption Rate and Passkey Login Rate, you can estimate the total number of saved SMS messages or other traditional authentication methods over a period of 12 to 36 months. This calculation acknowledges that the uptake of passkeys across your entire user base takes time, and long-term tracking provides a clearer picture of the overall impact on your authentication system.

Monitoring these KPIs helps you:

• Identify Trends: Understand how passkey adoption and usage evolve over time.
• Optimize User Experience: Detect and address issues that may hinder users from creating or using passkeys.
• Measure Cost Savings: Quantify the reduction in costs associated with decreased reliance on SMS messages or other less secure authentication methods.

Use data-driven insights to guide future investments in authentication technologies and user education initiatives.

6.2 How Corbado Can Assist#

Corbado provides robust tools and features to help you monitor, analyze, and optimize the performance of your passkey implementation:

• Detailed KPI Reporting: Corbado calculates both the Passkey Adoption Rate and Passkey Login Rate per device and operating system. This granular reporting allows you to identify and address problems specific to certain platforms or devices, ensuring a consistent user experience across all environments.

• Funnel Analytics: By generating a funnel that shows the total KPIs for passkey creation and login, Corbado enables you to visualize the user journey and pinpoint where users may drop off or encounter difficulties. This insight is crucial for optimizing the authentication flow and improving overall adoption rates.

• A/B Testing Support: Corbado is equipped to facilitate A/B tests of different versions of your authentication processes. All relevant information can be segmented based on these tests, allowing you to compare the effectiveness of various approaches and implement the most successful strategies.

• Data Export for BI and Data Warehouses: All collected data can be exported for use in your Business Intelligence tools or data warehouses/lakes. This integration ensures that passkey analytics can be combined with other business data for comprehensive analysis and reporting.

• Custom Reports for Enterprise Deployments: For larger organizations with specific reporting needs, Corbado offers custom report generation. These reports can be tailored to focus on the KPIs and metrics that are most important to your enterprise, providing deeper insights into your passkey implementation's performance.

By leveraging Corbado's analytics and reporting capabilities, you can continuously monitor and improve your passkey system, ensuring it delivers maximum security benefits while providing a seamless user experience.

7. Conclusion#

Integrating passkeys into your existing systems is a multifaceted process that requires careful planning. Let's revisit the key questions posed in the introduction and summarize how they can be addressed:

• Website and Frontend Applications: By implementing passkeys thoughtfully in your frontend, you can provide a secure and seamless authentication experience. This involves using Passkey Intelligence to optimize when and how passkey prompts are presented, employing pre-built UI components for ease of integration, and ensuring cross-platform compatibility through automatic updates and native SDKs. Gradual rollout minimizes risks.

• Authentication and MFA Systems: Successful integration requires control over the frontend, deciding on the appropriate implementation approach (whether as a standalone login method or a second factor), and adjusting your database schema and infrastructure to handle passkey data securely. By selecting suitable WebAuthn server libraries and considering factors like scalability and performance, you can seamlessly incorporate passkeys without overhauling your entire authentication stack.

• Customer Support Systems: Integrating customer support involves providing self-help resources, training support agents, and offering advanced tools for technical support teams. By supplying comprehensive documentation, interactive troubleshooting tools, and a secure management panel, you empower your support teams to assist users effectively, fostering trust and encouraging passkey adoption.

• Security, Logging, and Audit Systems: Enhancing security involves real-time monitoring of authentication activities, integrating passkey events into your security infrastructure, and ensuring compliance with regulatory requirements. Customizable event streaming, SIEM compatibility, and robust logging practices enable prompt threat detection and incident response, maintaining a strong security posture.

• Reporting, Business Intelligence, and Data Warehouses: By calculating key performance indicators like Passkey Adoption Rate and Passkey Login Rate, you gain valuable insights into user behavior and system performance. Corbado's tools facilitate detailed KPI reporting, funnel analytics, A/B testing, and data export capabilities, allowing you to optimize the authentication flow and make data-driven strategic decisions.

By addressing these critical integration points, you ensure that the introduction of passkeys not only strengthens your security but also enhances user experience without disrupting operational efficiency. Corbado specializes in facilitating this complex integration process. Our comprehensive solutions are tailored to meet your organization's specific needs, making the adoption of passkeys a manageable and efficient endeavor. With Corbado's expertise and support, integrating passkeys into your large-scale consumer deployment becomes a streamlined process. We help you navigate technical challenges, optimize user adoption, and fully leverage the enhanced security and convenience that passkeys offer.