How does the Identifier-First Approach work for passkeys?

The "Identifier-First Approach" is a seamless method for integrating passkeys into an authentication system by prioritizing the user's identifier (e.g., email or username) in the login process.

1. The user enters their email or username first.
2. The system checks if a passkey is available for the identifier.
   • If a passkey is available: The user is prompted to authenticate using biometrics (e.g., fingerprint or face recognition) or a PIN.
   • If no passkey is available: The user is directed to alternative login methods like passwords or multi-factor authentication (MFA).
3. After successful login, users are encouraged to create a passkey for future use.

• Seamless User Experience: Reduces steps for users with registered passkeys, enabling a smoother and quicker login process.
• Higher Passkey Usage: By integrating passkeys into the primary flow, users are more likely to adopt them.
• Cost Savings: Increased adoption reduces reliance on SMS OTPs, saving costs.

• Account Enumeration Risk: If not managed properly, it may expose whether an email or username is registered. Mitigation strategies, such as bot management and rate limiting, are crucial.
• Technical Complexity: Requires advanced logic to determine passkey availability and handle fallback scenarios.

Google employs the identifier-first approach for its login systems, offering an automatic and seamless passkey login experience where available.

This method is ideal for organizations focused on improving user experience while maximizing passkey adoption and reducing authentication costs.