What's essential when connecting passkeys to existing auth?

Integrating Passkeys into Authentication and MFA Systems#

When integrating passkeys into your existing authentication and MFA systems, it's crucial to ensure compatibility and a seamless user experience. Below are the key considerations to guide your integration process:

1. Frontend Control and Customization#

Passkey integration requires updating user interfaces to support passkey creation, authentication, and management.

2. Implementation Approach#

• Standalone Passkey Authentication: Use passkeys as a single login method, replacing traditional methods like passwords and SMS OTPs.
• Passkey as a Second Factor: Incorporate passkeys into existing MFA workflows, ensuring compatibility with current token generation and verification processes. This can be quite complex if you have different user states (e.g. dormant, blocked, deactivated, locked) and different existing MFA methods in place (e.g. SMS OTP, TOTP via authenticator apps, push notifications, email OTP).

3. Database and WebAuthn Server#

• Credential Storage: Safeguard users' public keys, credential IDs, and metadata with an optimized database schema. It's also recommended to additional device, user, passkey and meta data to improve and customize the user experience and not let the user run into deadlocks.
• WebAuthn Server: Choose a compatible library (e.g., SimpleWebAuthn, fido2-net-lib) for challenge generation and verification. Configure options like authenticator selection and user verification policies. If you work in an enterprise setting, a simple WebAuthn server is probably on 10% of the solution you need, as there are many enterprise-grade features (e.g. login observability, analytics & tracking, gradual rollout, fraud detection, scalability) that you either need to build yourself or get from an enterprise passkey platform (like Corbado Connect).

4. Fallback and Adaptability#

• Fallback Options: Provide alternative methods like OTPs for users unable to use passkeys - be it they don't want to opt into passkeys or have devices which are not passkey-ready
• Cross-Platform Compatibility: Test extensively across browsers, devices, and operating systems to ensure a consistent experience. This is important as there are many different edge cases on particular operating system versions that you often only see in production when users of these operating system and browser version try to interact with your system. It should be thoroughly tested to avoid the worst case scenario: breaking the login and locking users out.

5. Security and Compliance#

• Encryption Standards: Encrypt stored credentials and manage data securely.
• Regulatory Adherence: Ensure compliance with regulations like GDPR or SOC (and other industry-relevant regulations such as Essential Eight).

By addressing these considerations, you can successfully integrate passkeys into your authentication and MFA systems, enhancing both security and user convenience.

Read the full article#

About Corbado

Corbado is the Passkey Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: which devices, OS versions, browsers and credential managers support passkeys, why enrollments don't turn into logins, where the WebAuthn flow fails and when an OS / browser update silently breaks login, all without replacing Okta, Auth0, Ping, Cognito or your in-house IDP. Two products: Corbado Observe layers observability for passkeys and any other login method. Corbado Connect adds managed passkeys with analytics built in (alongside your IDP). VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →