--- url: 'https://www.corbado.com/blog/webauthn-passkey-qr-code' title: 'WebAuthn Passkey QR Codes & Bluetooth: Hybrid Transport' description: 'Explore how passkeys leverage QR codes and Bluetooth for cross-platform authentication to have seamless, secure logins across devices without passwords.' lang: 'en' author: 'Vincent Delitz' date: '2023-11-08T00:00:00.000Z' lastModified: '2026-03-25T10:00:23.185Z' keywords: 'webauthn qr code, passkey bluetooth, passkey qr code' category: 'WebAuthn Know-How' --- # WebAuthn Passkey QR Codes & Bluetooth: Hybrid Transport ## Key Facts - **Hybrid transport** (also called **caBLE**) enables cross-device passkey authentication via QR code and Bluetooth proximity check, with private keys never leaving the originating device. - **Bluetooth Low Energy** serves only as a proximity check, not a data channel. All authentication data flows over an encrypted internet tunnel between the devices and the server. - Setting **transports: \[internal]** does not reliably suppress QR code prompts. Across Chrome, Edge, Firefox and Safari on Windows, macOS and iOS, cross-platform options still appeared in testing. - When **Bluetooth is unavailable** on Windows 10, hybrid transport flows produce a dead-end modal with no actionable authentication path for users. ## 1. Introduction Passkeys are more and more replacing passwords as the de-facto standard in user authentication. Unlike traditional passwords, passkeys are bound to an ecosystem (e.g. [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain), [Google Password Manager](https://www.corbado.com/blog/how-to-use-google-password-manager), [Windows Hello](https://www.corbado.com/glossary/windows-hello) or a [password manager](https://www.corbado.com/blog/passkeys-vs-password-managers) like [1Password](https://www.corbado.com/blog/1password-passkeys-best-practices-analysis) or [Dashlane](https://www.corbado.com/blog/dashlane-passkeys)); they are not designed to be memorized but are built to seamlessly integrate with your devices, offering great out- of-the-box user experience. Imagine you're away from your personal computer perhaps at a public terminal or a friends laptop, and you need to log into your passkey- protected account. This scenario is quite common and necessitates a secure yet convenient method of authentication but with passkeys many people dont know what to do, as their passkey is not immediately available in this situation. One of the [passkey features](https://www.corbado.com/blog/social-logins-pre-filled-passkeys-customization) to help you in such a situation is the ability to employ your passkeys across multiple devices through the facilitation of QR codes and Bluetooth technology. This process is formally known as **hybrid transport** in the [WebAuthn specification ](https://www.w3.org/TR/webauthn-3/#dom-authenticatortransport-hybrid)(in previous versions of the specification it is referred to as **cloud-assisted Bluetooth Low Energy caBLE**). The process is straightforward: you need a device that has your passkeys stored and is capable to take pictures, so most likely a smartphone or tablet. This device can open a tunnel to the new device just for that one instance of authentication. This not only maintains the integrity of your passkey but also ensures that access to your account on new devices can be given, no matter where you are or whose device you want to use to login. However, this passkeys cross-platform authentication feature is surrounded with misconceptions and confusion both in its utility and its technical implementation. This is something I noticed recently again, when I visited a local IT security meetup. Through this article, we aim to unravel the complexities and provide recommendations to implement this [cross-platform passkey](https://www.corbado.com/faq/passkeys-cross-platform) authentication (hybrid transport) flow, ensuring you can provide the best login experience for your users. ## 2. Passkeys: Synced or Only Available on a Single Device Passkeys are a form of user authentication that replaces the traditional password with a more secure and convenient cryptographic public-private-key pair. This key pair is unique to each user and is used to verify identity without the hassle of remembering complex passwords. The advantages of passkeys are numerous when compared to their password predecessors. They significantly reduce the risk of [phishing](https://www.corbado.com/glossary/phishing), as they cannot be tricked into being shared with a fake website. Moreover, they are immune to brute force and dictionary attacks, which are common methods used to crack passwords. Passkeys are also more user-friendly, eliminating the need to remember or manage a long list of passwords. Passkeys are synchronized in cloud accounts, like those managed by [Google Password](https://www.corbado.com/blog/how-to-use-google-password-manager) Manager, Apple [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain), or [Microsoft accounts](https://www.theverge.com/2024/10/10/24266780/microsoft-windows-11-passkey-redesign-windows-hello) (with [Windows Hello](https://www.corbado.com/glossary/windows-hello)), or those stored in modern passkey-ready password managers, like [1Password](https://www.corbado.com/blog/1password-passkeys-best-practices-analysis) or [Dashlane](https://www.corbado.com/blog/dashlane-passkeys). However, its essential to know that by default passkeys are bound to the ecosystem and the respective cloud account synchronization. The operating systems do not provide an interface to export the private keys and in most devices, there is a hardware component providing additional security measures to avoid any access to the private keys, e.g. the [secure enclave](https://www.corbado.com/glossary/secure-enclave) on [iOS](https://www.corbado.com/blog/webauthn-errors) devices or the trusted platform module (TPM) on Windows devices. Only the operating system provider can sync the passkeys to other devices in an encrypted way (ultimately protected by the users biometrics, passcode or PIN). The private keys can only be restored and decrypted using the passcode / PIN and will be destroyed in case there are too many unsuccessful login attempts to the cloud account (e.g. [Apple ](https://support.apple.com/en-us/102195)introduces a rate limit to prevent brute-force attacks even from a privileged position on the cloud backend; [Google ](https://security.googleblog.com/2022/10/SecurityofPasskeysintheGooglePasswordManager.html)does the same). [Watch on YouTube](https://www.youtube.com/watch?v=V1Pc4Gl0xKc) This inherent design means that if passkeys aren't synced as described, accessing your passkeys on a new device can pose a challenge. This is precisely why the hybrid transport method exists — it bridges [device-bound passkeys](https://www.corbado.com/faq/are-passkeys-device-specific) across platforms without cloud sync, as illustrated below. ## 3. Technical Setup of Cross-Platform Passkey Authentication Using [cross-platform passkey](https://www.corbado.com/faq/passkeys-cross-platform) authentication (hybrid transport) with hybrid transport helps overcome cross-device problems, when an account is purely accessed via passkeys. As not all passkeys are synchronized in cloud accounts or password managers, the necessity for a reliable method of accessing passkeys across devices becomes critical, especially when transitioning to a new device or needing access on a shared device. ### 3.1 Hardware Requirements To facilitate passkey cross-platform authentication (hybrid transport), there are the following hardware requirements: - **WebAuthn Support:** The devices must support WebAuthn. This is already given on 99% of devices, according to our latest [passkey data](https://www.corbado.com/blog/passkeys-privacy) analysis. - **Camera for QR Code Scanning:** Devices will need a camera capable of scanning QR codes. Most modern smartphones are equipped with cameras that have this functionality. Moreover, the camera needs built-in QR scanning capabilities (what most devices have out-of-the-box). If your camera doesn't support, then an online [QR scanner](https://www.minifier.org/qr-code-scanner) is also a good option. Otherwise, installing a [QR code](https://www.corbado.com/blog/qr-code-login-authentication) app is fine, too. - **Bluetooth Capability:** Cloud-assisted Bluetooth Low [Energy](https://www.corbado.com/passkeys-for-energy) (caBLE) is used for establishing a proximity-based secure connection between devices. The versions to look for are Bluetooth 4.0 or higher, which enable the caBLE extension for WebAuthn. - **Internet Connection:** A stable internet connection on both devices needs to be in place, as the exchange involves opening a tunnel to perform verification steps that require real-time data transfer. ### 3.2 Software Requirements From a software standpoint, the following requirements exist: - **WebAuthn Server Configuration:** Obviously, you need to have a WebAuthn server in place that manages the public keys. This also involves enabling the users account to be linked with multiple [authenticators](https://www.corbado.com/glossary/authenticator) and setting up the server to initiate the authentication ceremony. - **Browser/Platform Support:** The browser or operating system handles cross-device discovery and the [caBLE tunnel](https://www.w3.org/TR/webauthn-3/) establishment automatically; web apps typically do not need to directly call the [Web Bluetooth API](https://www.corbado.com/blog/web-bluetooth-api-passkeys) for hybrid transport flows. - **Operating System Requirements:** Please see the following [table ](https://passkeys.dev/device-support/)about the support of Cross-Device Authentication for different operating systems as of March 2025. [Authenticator](https://www.corbado.com/glossary/authenticator) means that the device can serve as the device that holds a passkey (in our scenario the smartphone). Client means the device that creates the [QR code](https://www.corbado.com/blog/qr-code-login-authentication) and where the user tries to log in (in our scenario the desktop): ![Operating System Passkey QR Code Support](https://www.corbado.com/website-assets/operating_system_passkey_qr_code_support_298aac92f9.png)_Source: passkeys.dev_ ## 4. Passkeys: QR Code The process to use passkey cross-platform authentication (hybrid transport) via [QR code](https://www.corbado.com/blog/qr-code-login-authentication) looks as follows: ![passkeys qr code overview](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/passkeys_qr_code_overview_52c519fe2c.png) ### 4.1 Initiate the Passkey Cross-Platform Authentication The QR code for passkey cross-platform authentication (hybrid transport) is generated when a user attempts to access a service on a device where the registered passkey is not present, but the service knows that the user should have a passkey. Typically, a Scan QR code button or a similar call-to- action is provided within the authentication interface. ### 4.2 Generate the QR Code Upon user request, the device initiates the generation of a QR code. This QR code encodes a unique, time-sensitive session identifier. This identifier is tied to a session that the authenticating server temporarily maintains, awaiting completion of the authentication process. ### 4.3 Scan the QR Code The user scans this QR code with a device where their passkey is available. Security measures include: - **One-time use:** The session identifier within the QR code is valid for a single use, preventing replay attacks. - **Ephemeral handshake:** The QR code contains a [CBOR](https://www.corbado.com/glossary/cbor)-encoded handshake with ephemeral secrets that establish a secure tunnel; the QR payload itself should be treated as sensitive and not exposed, though it is not a separately encrypted container. The scanned QR code holds a specific URI with the scheme FIDO, e.g.: FIDO:/07824133892604070278923969472008301099476228966286113051476699183587 6383562063181103169246410435938367110394959927031730060360967994421 343201235185697538107096654083332 ### 4.4 Start the Data Flow and Authentication Process Scanning the QR code triggers the users second device (e.g. smartphone or tablet) to interpret the FIDO URI and communicate with the authentication server, sending a signal that the user is attempting to authenticate via a new device (e.g. the friends laptop). This action prompts the server to generate a [cryptographic challenge](https://www.corbado.com/glossary/cryptographic-challenge), unique to this authentication attempt. ### 4.5 Transmit Technical Data The challenge is sent back to the users second device (e.g. smartphone or table), where their passkey is stored. The device then creates a digital signature using the private key associated with the passkey, without the private key ever leaving the device (e.g. smartphone or tablet). The signed challenge (signature) is then sent back to the server through a secure, encrypted tunnel over the internet, verifying the integrity and origin of the authentication attempt. ### 4.6 Validate the Signature The server validates the signature using the corresponding public key already associated with the users account. Upon successful validation, the server confirms the authentication, allowing the user to access the service on the new device. Some more important privacy and security aspects to consider: - **No Bluetooth Data Exchange, Pure Internet:** It is important to note that in this QR code-based passkey cross-platform authentication (hybrid transport), Bluetooth is not involved in the data exchange. This process relies entirely on an Internet connection for the transmission of encrypted data between the devices and the server. However, Bluetooth is used for a proximity check of the two devices. - **Private Keys Don't Leave The Device:** Throughout this process, the users private keys remain securely on their device. - **No Sensitive Data Exposure:** No sensitive passkey information or private keys are transferred or exposed during the authentication process. - **Asymmetric Cryptography:** The challenge-response mechanism ensures that what is being sent are merely non-reusable, signed versions of challenges that cant be exploited for unauthorized access. By adhering to these technical and security protocols, the QR code method for passkey cross-platform authentication (hybrid transport) upholds a high standard of security while providing a convenient way for users to authenticate their identities on new devices. ## 5. Passkeys: Bluetooth (caBLE) Besides, the QR code scanning process, there is also the proximity check via Bluetooth (caBLE). Being sure that the client and [authenticator](https://www.corbado.com/glossary/authenticator) are physically close to each other is one of the major benefits of the [WebAuthn protocol](https://www.w3.org/TR/webauthn-3/#sctn-client-authenticator-proximity). More insights on the inner workings of this process are described in the following: ![passkeys bluetooth overview](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/passkeys_bluetooth_overview_2064227c37.png) ### 5.1 What is Bluetooth Low Energy (BLE) in Authentication? **Bluetooth Low Energy (BLE)** is a wireless communication technology designed for short-range data exchange. It plays a pivotal role in confirming the physical proximity of devices during the authentication process. ### 5.2 What is caBLE (Cloud-Assisted Bluetooth Low Energy)? **caBLE** is a protocol that facilitates the secure transfer of authentication information between devices using BLE. When using caBLE for passkey cross- platform authentication (hybrid transport), the device that holds the passkey confirms the proximity of the requesting device via BLE signals. Once proximity is verified, the authentication process proceeds, leveraging BLE for secure, local communication. ### 5.3 User Experience and Security with caBLE The user experience is enhanced as this method typically requires less direct user interaction; devices in close physical proximity detect each other automatically. For security, **caBLE** offers a significant advantage - it ensures that the authentication process is only carried out when the two devices are near each other, preventing remote attackers from initiating the authentication process. ### 5.4 Scenario: The QR Code vs. BLE Dilemma Imagine receiving a QR code that redirects to a malicious site. If authentication is performed through this QR code, there's a risk that the session or cookie might be hijacked. BLE circumvents this issue by not relying on a visual scan, but rather on the physical presence of devices. This proximity check minimizes the risk of man-in-the-middle attacks, as the proximity check doesn't occur over the internet or a visual medium. ### 5.5 Data Exchange and Privacy Unlike other methods, caBLE does not actually exchange authentication data like passkeys. Instead, it uses BLE as a confirmation channel to establish that the devices are physically close. This check is designed to be a part of a multi-factor authentication process where BLE proximity is one of the factors, ensuring that even if other factors are compromised, without physical proximity, access is not granted. By integrating the caBLE protocol, developers can offer a secure and user- friendly method for passkey cross-platform authentication (hybrid transport) that enhances the overall security of the authentication process. The proximity check adds an additional layer of protection that is simple for users and yet effectively safeguards against certain types of sophisticated cyber-attacks. ## 6. Benefits The following benefits of this passkey cross-platform authentication (hybrid transport) method exist: ### 6.1 Path to Good User Experience [Cross-platform passkey](https://www.corbado.com/faq/passkeys-cross-platform) authentication via QR code and Bluetooth (hybrid transport) is a way to improve the UX in cross-platform scenarios compared to not offering any possibility at all. However, the user flow is absolutely new to most users and we don't expect many non-technical users to understand what is happening when they first come across this flow. The only resemblance of introducing the QR code flow can be with login flows for e.g. [WhatsApp](https://www.corbado.com/blog/whatsapp-passkeys) Web or Discord where QR codes are employed (here the functionality is different though). So, the analyzed cross-platform passkey authentication process via QR code / Bluetooth (hybrid transport) minimizes user effort in the cross- platform scenario, as there's no need to manually enter any credentials, but still the overall flow is unknown to most users. ### 6.2 Robust Security The security of passkey cross-platform authentication (hybrid transport) is reinforced by advanced cryptographic techniques. When a QR code is scanned or a Bluetooth connection is made for authentication, cryptographic challenges and responses ensure that only the intended device can successfully complete the authentication process. Proximity checks via Bluetooth add an additional layer of security, confirming that the authentication attempt is being made by someone with physical access to the secondary device. ### 6.3 Passkey Integrity During the cross-platform authentication (hybrid transport) process, passkeys are never temporarily stored on intermediary devices or servers, which prevents the risk of passkeys being intercepted or leaked during the transfer process. The authentication happens in real-time, and the passkey remains bound to the users primary device, preserving its integrity. ### 6.4 Phishing Prevention The QR code and Bluetooth authentication methods inherently provide protection against [phishing](https://www.corbado.com/glossary/phishing). Users are less likely to be tricked into providing a passkey for a malicious site because the authentication process requires physical actions that are specific to the users trusted devices. The process of scanning a QR code or connecting via Bluetooth typically happens in a trusted environment, reducing the chance of users inadvertently compromising their credentials. Before diving into the disadvantages, the following comparison helps weigh whether hybrid transport is right for your implementation. ## 7. Disadvantages The following disadvantages of this passkey cross-platform authentication (hybrid transport) method exist: ### 7.1 User Familiarity and Adoption Introducing any new technology can lead to user confusion, especially if the users are not tech-savvy. Passkey cross-platform authentication via QR code and Bluetooth (hybrid transport) is a significant shift from traditional authentication methods, and some users might find the new process challenging to grasp, potentially leading to a slower adoption rate. However, we expect that users will eventually get used to it, so the change might be harder in the beginning and will be smoother and more accepted over time. ### 7.2 Dependence on Device Capabilities The success of passkey cross-platform authentication (hybrid transport) heavily relies on the users device having the necessary capabilities, such as a camera that can scan QR codes and Bluetooth functionality. Users with older devices that lack these features will not be able to take advantage of passkey cross-platform authentication (hybrid transport), creating a digital divide based on hardware limitations. ### 7.3 Inconsistent User Behavior User behavior can be unpredictable, and reliance on users to perform specific actions like scanning a QR code or enabling Bluetooth can introduce user errors. For instance, Bluetooth can sometimes be seen as a UX challenge due to pairing issues, discovery problems, and general user mistrust of wireless technologies for secure transactions. ### 7.4 Developer Adaptation Developers face the task of constantly updating and maintaining systems to support the latest authentication methods. Integrating passkey cross-platform authentication (hybrid transport) into existing systems requires developers to stay abreast of new standards, adopt new APIs, and ensure backward compatibility, which can be resource-intensive and time-consuming. ### 7.5 Creating New Passkeys For every new device or subsequent login request, a new passkey needs to be created if not using a synced cloud account like [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain) or a [password manager](https://www.corbado.com/blog/passkeys-vs-password-managers). This could add complexity to the user experience and may create frustration if users are not familiar with the process or if it is not made intuitive. Following [passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices) best practices such as well-timed post-sign-in nudges helps guide users through this process on new devices. ### 7.6 Educating Users There is an inherent need for user education when implementing new security methods like passkey cross-platform authentication (hybrid transport). Ensuring that users understand how to use QR codes and Bluetooth securely requires clear communication and possibly extensive customer support. While passkey cross-platform authentication via QR code and Bluetooth (hybrid transport) presents a significant advancement in authentication technology, these potential disadvantages highlight the need for user-friendly design, robust support systems, and a gradual, well-communicated transition from traditional methods to innovative ones. As with any technological shift, balancing the innovations benefits with its challenges will be key to successful implementation and widespread user acceptance. ## 8. Real-Life Test: Hybrid Transport Passkey Behavior As a disclaimer: we are ignoring [hardware security keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys) (e.g. [YubiKeys](https://www.corbado.com/glossary/yubikey)) in the following test and only use platform [authenticators](https://www.corbado.com/glossary/authenticator) which are built into the devices (e.g. [Face ID](https://www.corbado.com/faq/is-face-id-passkey), Touch ID, [Windows Hello](https://www.corbado.com/glossary/windows-hello)). In case of [hardware security keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys) (e.g. [YubiKey](https://www.corbado.com/glossary/yubikey)), the values for transports would be [usb or nfc ](https://www.w3.org/TR/webauthn-2/#enum-transport)for instance. Were using the following device / browser combinations and the [Passkeys Debugger](https://www.passkeys-debugger.io) to test the behavior. Note that [Android](https://www.corbado.com/blog/how-to-enable-passkeys-android) devices [can serve as authenticators](https://developers.google.com/identity/passkeys/supported-environments) for cross-device sign-in (scanning a QR code to authenticate), though client-side behavior may vary (see table [above](#32-software-requirements)): ![](https://www.corbado.com/website-assets/656e0d50740ce2c32c21d812_overview_tests_webauthn_allowcredentials_transports_544b9b36a3.png) To test the behavior, we create for each combination a new passkeys with the following properties: - **userName:** alex muller (no influence in this test) - **authenticatorAttachment:** platform (as we want to exclude [hardware security keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys) like [YubiKeys](https://www.corbado.com/glossary/yubikey)) - **residentKey:** preferred (no influence in this test) - **userVerification:** preferred (no influence in this test) - **attestation:** none (no influence in this test) - **hints:** empty (see explanation below) - **usePRF:** no (no influence in this test) After the successful creation of the passkey, we then modify the input the [allowCredentials](https://www.corbado.com/glossary/allowcredentials) WebAuthn server property and initiate a login request. We want to mimic a deleted passkey on the device where we created the passkey, so that the device / browser looks for another device that can provide a passkey via QR code / Bluetooth. Therefore, we change the [credential ID](https://www.corbado.com/blog/webauthn-user-id-userhandle) and assign the value CHANGED-ID, so that a matching fails. Moreover, we change the [transports property](https://www.w3.org/TR/webauthn-2/#dictdef-publickeycredentialdescriptor) of a WebAuthn credential in [allowCredentials](https://www.corbado.com/glossary/allowcredentials) and assign for each device / browser combination the following values: 1. **transports: \[internal, hybrid]:** Passkeys can be used from the platform [authenticator](https://www.corbado.com/glossary/authenticator) (e.g. [Face ID](https://www.corbado.com/faq/is-face-id-passkey), Touch ID, Windows Hello) or via cross-platform authentication 2. **transports: \[internal]:** Passkeys can be used from the [platform authenticator](https://www.corbado.com/glossary/platform-authenticator) (e.g. [Face ID](https://www.corbado.com/faq/is-face-id-passkey), Touch ID, Windows Hello) 3. **No transports property set:** default behavior which gives no restrictions In the WebAuthn testing site, there is also the new [WebAuthn Level 3](https://www.corbado.com/blog/passkeys-prf-webauthn) feature for user agents hints provided. This feature can improve the user experience if the [relying party](https://www.corbado.com/glossary/relying-party) has certain assumptions about how the login request can be completed in the most user-friendly way. In this test, we disregarded this feature as its not rolled out yet. Please have a look at the [specifications ](https://www.w3.org/TR/webauthn-3/#enumdef-publickeycredentialhints)for more details. ### 8.1 Windows 11 23H2 + Chrome 119 #### 8.1.1 transports: \[internal, hybrid] As expected, no local passkey matches, so it's suggested to scan the QR code and use the passkey on another device (as the system knows that there exists a passkey for this user). ![Windows Chrome Transports Internal Hybrid](https://www.corbado.com/website-assets/654c1f5b09bf2b7220209704_windows_chrome_transports_hybrid_internal_d9f6f6b81e.png) #### 8.1.2 transports: \[internal] Quite confusingly, the QR code is also displayed here, even if we only allow for internal credentials. We couldn't find a valid reason for this behavior. ![Windows Chrome Transports Internal](https://www.corbado.com/website-assets/654c1f6e07c2e857e5de0960_windows_chrome_transports_internal_810b5ed722.png) #### 8.1.3 No transports property set No local passkey matches, so its suggested to scan the QR code or use a hardware security key (e.g. [YubiKey](https://www.corbado.com/glossary/yubikey)) / cross-[platform authenticator](https://www.corbado.com/glossary/platform-authenticator) / roaming authenticator. For some reason, parts of the modal appears in German, which is one of the installed languages. ![Windows Chrome No Transports](https://www.corbado.com/website-assets/654c1f7c40ea851fa10a89dd_windows_chrome_no_transports_03ec5939bf.png) #### 8.1.4 Empty allowCredentials As expected, all forms of passkey authentication are allowed: via Windows Hello, via QR code, via known devices and via hardware security keys. ![Windows Chrome Empty AllowCredentials](https://www.corbado.com/website-assets/656e0de868019ba489b24512_windows_11_chrome_119_empty_allow_Credentials_68d90ba714.png) ### 8.2 Windows 11 23H2 + Edge 119 #### 8.2.1 transports: \[internal, hybrid] As expected, no local passkey matches, so it's suggested to scan the QR code and use the passkey on another device (as the system knows that there exists a passkey for this user). ![Windows Edge Transports Internal Hybrid](https://www.corbado.com/website-assets/654c1f886911a0090e885576_windows_edge_transports_hybrid_internal_a20488b2eb.png) #### 8.2.2 transports: \[internal] Quite confusingly, the QR code is also displayed here, even if we only allow for internal credentials. We couldnt find a valid reason for this behavior. ![Windows Edge Transports Internal](https://www.corbado.com/website-assets/654c1f90d40c371a2059f8ae_windows_edge_transports_internal_8bb4ce60ac.png) #### 8.2.3 No transports property set No local passkey matches, so it's suggested to scan the QR code or use a hardware security key (e.g. [YubiKey](https://www.corbado.com/glossary/yubikey)) / cross-[platform authenticator](https://www.corbado.com/glossary/platform-authenticator) / roaming authenticator. For some reason, parts of the modal appears in German, which is one of the installed languages. ![Windows Edge No Transports](https://www.corbado.com/website-assets/654c1f9f89423cbcd1c67e70_windows_edge_no_transports_c653d9bc38.png) #### 8.2.4 Empty allowCredentials As expected, all forms of passkey authentication are allowed: via Windows Hello, via QR code, via known devices and via hardware security keys. ![Windows Edge Empty AllowCredentials](https://www.corbado.com/website-assets/656e0e0237b9a8e24c906511_windows_11_edge_119_empty_allow_Credentials_baad1ac445.png) ### 8.3 Windows 11 23H2 + Firefox 119 When creating the passkey, we received the following error (still a passkey was created): _error: TypeError: 'toJSON' called on an object that does not implement interface PublicKeyCredential._ #### 8.3.1 transports: \[internal, hybrid] As expected, no local passkey matches, so its suggested to scan the QR code and use the passkey on another device (as the system knows that there exists a passkey for this user). ![Windows Firefox Transports Internal Hybrid](https://www.corbado.com/website-assets/654c1faab48ed06061c78b6b_windows_firefox_transports_hybrid_internal_395db978cb.png) #### 8.3.2 transports: \[internal] Quite confusingly, the QR code is also displayed here, even if we only allow for internal credentials. We couldn't find a valid reason for this behavior. ![Windows Firefox Transports Internal](https://www.corbado.com/website-assets/654c1fb221d9f40ec2c98fdc_windows_firefox_transports_internal_d706bc716a.png) #### 8.3.3 No transports property set No local passkey matches, so its suggested to scan the QR code or use a hardware security key (e.g. YubiKey) / cross-platform authenticator / roaming authenticator. For some reason, parts of the modal appears in German, which is one of the installed languages. ![Windows Firefox No Transports](https://www.corbado.com/website-assets/654c1fbbd7927473aed38c5f_windows_firefox_no_transports_7afb6db1ff.png) #### 8.3.4 Empty allowCredentials As expected, all forms of passkey authentication are allowed: via Windows Hello, via QR code, via known devices and via hardware security keys. ![Windows Firefox Empty AllowCredentials](https://www.corbado.com/website-assets/656e0e2a6c3ecab809ecedca_windows_11_firefox_119_empty_allow_Credentials_17189f07d7.png) ### 8.4 macOS Ventura + Chrome 119 #### 8.4.1 transports: \[internal, hybrid] As expected, no local passkey matches, so it's suggested to scan the QR code and use the passkey on another device (as the system knows that there exists a passkey for this user). Moreover, you can directly select one of the known devices to use a passkey from there. The modal is quite different to the pendant on Windows in Chrome 119. ![macOS Chrome Transports Internal Hybrid](https://www.corbado.com/website-assets/654c1fc5227b32dc36e6ea46_macos_chrome_transports_hybrid_internal_e4abefb558.png) #### 8.4.2 transports: \[internal] This is an expected behavior, as we only allow to use internal passkeys but cannot find an internal credential on the device (we are not allowed to use hybrid passkeys). The passkey authentication fails in this step and in real-life implementations, you would need to provide a fallback authentication method. ![macOS Chrome Transports Internal](https://www.corbado.com/website-assets/654c1fdddac09b00d0bd3b2e_macos_chrome_transports_internal_71b31d4942.png) #### 8.4.3 No transports property set No local passkey matches, so its suggested to scan the QR code or use a hardware security key (e.g. YubiKey) / cross-platform authenticator / roaming authenticator. Moreover, you can directly select one of the known devices to use a passkey from there. The modal is quite different to the pendant on Windows in Chrome 119. ![macOS Chrome No Transports](https://www.corbado.com/website-assets/654c1fe730b66c728200bc32_macos_chrome_no_transports_d875932a07.png) #### 8.4.4 Empty allowCredentials As expected, all forms of passkey authentication are allowed: via Touch ID, via QR code, via known devices and via hardware security keys. ![macOS Chrome Empty AllowCredentials](https://www.corbado.com/website-assets/656e0e406ac7f571113f8cde_macos_14_1_chrome_119_empty_allow_Credentials_99a9202253.png) ### 8.5 macOS Ventura + Safari 16.6 #### 8.5.1 transports: \[internal, hybrid] As expected, no local passkey matches, so its suggested to scan the QR code and use the passkey on another device (as the system knows that there exists a passkey for this user). ![macOS Safari Transports Internal Hybrid](https://www.corbado.com/website-assets/654c1ff330b66c728200c300_macos_safari_transports_hybrid_internal_fbfcf996eb.png) #### 8.5.2 transports: \[internal] Quite confusingly, the QR code is also displayed here, even if we only allow for internal credentials. We couldn't find a valid reason for this behavior. ![macOS Safari Transports Internal](https://www.corbado.com/website-assets/654c1ffc07913779f551177a_macos_safari_transports_internal_ea68c7e5a4.png) #### 8.5.3 No transports property set No local passkey matches, so it's suggested to scan the QR code or use a hardware security key (e.g. YubiKey) / cross-platform authenticator / roaming authenticator. ![macOS Safari No Transports](https://www.corbado.com/website-assets/654c20077178565661c7b9ae_macos_safari_no_transports_4ff6aa97f5.png) #### 8.5.4 Empty allowCredentials As expected, most forms of passkey authentication are allowed: via Touch ID, via QR code and via hardware security keys. For some reason know devices are not displayed. ![macOS Safari Empty AllowCredentials](https://www.corbado.com/website-assets/656e0e5c1ebd36d824b3f8a4_macos_14_1_safari_17_1_empty_allow_Credentials_3f548fc22a.jpg) ### 8.6 iOS 17.1 + Chrome 119 #### 8.6.1 transports: \[internal, hybrid] As expected, no local passkey matches, so it's suggested to scan the QR code and use the passkey on another device (as the system knows that there exists a passkey for this user). ![iOS Chrome Transports Internal Hybrid](https://www.corbado.com/website-assets/654c20157279c6a5b35595fe_ios_chrome_transports_hybrid_internal_25b2bc95a9.png) #### 8.6.2 transports: \[internal] Quite confusingly, the QR code is also displayed here, even if we only allow for internal credentials. We couldn't find a valid reason for this behavior. ![iOS Chrome Transports Internal](https://www.corbado.com/website-assets/654c2021b48ed06061c7da4c_ios_chrome_transports_internal_9c90430238.png) #### 8.6.3 No transports property set No local passkey matches, so it's suggested to scan the QR code or use a hardware security key (e.g. YubiKey) / cross-platform authenticator / roaming authenticator. ![iOS Chrome No Transports](https://www.corbado.com/website-assets/654c2028347d6de2c424b8ea_ios_chrome_no_transports_800e1f28db.png) #### 8.6.4 Empty allowCredentials As expected, most forms of passkey authentication are allowed: via Face ID, via QR code and via hardware security keys. For some reason know devices are not displayed. ![iOS Chrome Empty AllowCredentials](https://www.corbado.com/website-assets/656e0e736ac7f571113fcbc3_ios_17_1_chrome_119_empty_allow_Credentials_594c94ef33.jpg) ### 8.7 iOS 17.1 + Safari 17.1 #### 8.7.1 transports: \[internal, hybrid] As expected, no local passkey matches, so it's suggested to scan the QR code and use the passkey on another device (as the system knows that there exists a passkey for this user). ![iOS Safari Transports Internal Hybrid](https://www.corbado.com/website-assets/654c2031a6f031f3de7f37c2_ios_safari_transports_hybrid_internal_962be3dc05.png) #### 8.7.2 transports: \[internal] Quite confusingly, the QR code is also displayed here, even if we only allow for internal credentials. We couldn't find a valid reason for this behavior. ![iOS Safari Transports Internal](https://www.corbado.com/website-assets/654c20398e839fca2cd27610_ios_safari_transports_internal_2a5ed1c8ef.png) #### 8.7.3 No transports property set No local passkey matches, so it's suggested to scan the QR code or use a hardware security key (e.g. YubiKey) / cross-platform authenticator / roaming authenticator. ![iOS Safari No Transports](https://www.corbado.com/website-assets/654c20429a4ea0f5059a19d1_ios_safari_no_transports_62cc32cf45.png) #### 8.7.4 Empty allowCredentials As expected, most forms of passkey authentication are allowed: via Face ID, via QR code and via hardware security keys. For some reason know devices are not displayed. ![iOS Safari Empty AllowCredentials](https://www.corbado.com/website-assets/656e0e912483530de38bce47_ios_17_1_safari_17_1_empty_allow_Credentials_2a9f57c8f5.jpg) In the following, for Windows 10 devices, we decided to go one level further and analyze how the behavior looks like if Bluetooth is disabled or not available at a Windows 10 machine in general. In particular for older desktop devices, this is still a very common scenarios as these devices often do not have a Bluetooth module, thus making cross-platform authentication via QR code and Bluetooth impossible. ### 8.8 Windows 10 21H2 + Chrome 119 #### 8.8.1 Bluetooth Enabled **8.8.1.1 transports: \[internal, hybrid]** As expected, no local passkey matches, so it's suggested to use the passkey on another device (as the system knows that there exists a passkey for this user - first screenshot) or choose to scan the QR code (second screenshot). ![Bluetooth Windows 10 21H2 Chrome Transports Internal Hybrid Stored Device](https://www.corbado.com/website-assets/655a41796c7b81432a8f8d0c_bluetooth_windows_10_21h2_chrome_transports_internal_hybrid_5ba8fc5778.png) ![Bluetooth Windows 10 21H2 Chrome Transports Internal Hybrid Selection](https://www.corbado.com/website-assets/655a420bfcb17d5a59e3b9b3_bluetooth_windows_10_21h2_chrome_transports_internal_hybrid_selection_cefe95683e.png) **8.8.1.2 transports: \[internal]** Quite confusingly, you are prompted to enter your Windows Hello PIN code (or fingerprint / face scan if set up on the device), even though we changed the [credential ID](https://www.corbado.com/blog/webauthn-user-id-userhandle) (so it should actually not find the credential as it's not specified in the [allowCredentials](https://www.corbado.com/glossary/allowcredentials) property). However, after submitting the Windows Hello PIN code, an error is thrown: "[NotAllowedError](https://www.corbado.com/blog/webauthn-errors): The operation either timed out or was not allowed. See: [https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations- client.](https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client)" From a user perspective, this is a rather confusing behavior but makes sense as it could provide information about the users passkeys without user consent. This is a good example of an expected outcome in hybrid flows, not always a broken implementation. For a full classification model, see [WebAuthn errors](https://www.corbado.com/blog/webauthn-errors). ![Bluetooth Windows 10 21H2 Chrome Transports Internal](https://www.corbado.com/website-assets/655a418dd296ce49e7790542_bluetooth_windows_10_21h2_chrome_transports_internal_2f821c99c4.png) **8.8.1.3 No transports property set** No local passkey matches, so it's suggested to scan the QR code or use a hardware security key (e.g. YubiKey) / cross-platform authenticator / roaming authenticator. ![Bluetooth Windows 10 21H2 Chrome No Transports](https://www.corbado.com/website-assets/655a4198c91e9d877f8d18d2_bluetooth_windows_10_21h2_chrome_no_transports_8a81c90cb1.png) **8.8.1.4 Empty allowCredentials** As expected, all forms of passkey authentication are allowed: via Windows Hello, via QR code, via known devices and via hardware security keys. ![Bluetooth Windows 10 21H2 Chrome Empty AllowCredentials](https://www.corbado.com/website-assets/656e0ef2cb6b0e0081620646_bluetooth_windows_10_21h2_chrome_empty_allowcredentials_c9034b924b.png) #### 8.8.2 Bluetooth Disabled **8.8.2.1 transports: \[internal, hybrid]** This is a really confusing message for users, as it's not explicitly stated what they should do and how they can authenticate. The only option they have is to click on "Cancel", making this scenario a dead-end. ![No Bluetooth Windows 10 21H2 Chrome Transports Internal Hybrid](https://www.corbado.com/website-assets/655a42691f4650d9c5f048eb_no_bluetooth_windows_10_21h2_chrome_transports_internal_hybrid_fe23b5d98c.png) **8.8.2.2 transports: \[internal]** This behavior is the same to the case where Bluetooth is enabled. It's very confusing that the users is prompted to enter the Windows Hello PIN code (or fingerprint / face scan if set up on the device), even though we changed the [credential ID](https://www.corbado.com/blog/webauthn-user-id-userhandle) (so it should actually not find the credential as it's not specified in the allowCredentials property). However, after submitting the Windows Hello PIN code, an error is thrown: "[NotAllowedError](https://www.corbado.com/blog/webauthn-errors): The operation either timed out or was not allowed. See: [https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations- client.](https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client)" From a user perspective, this is a rather confusing behavior but makes sense as it could provide information about the users passkeys without user consent. ![No Bluetooth Windows 10 21H2 Chrome Transports Internal](https://www.corbado.com/website-assets/655a42782e4725cfe619d0bd_no_bluetooth_windows_10_21h2_chrome_transports_internal_2c0239090a.png) **8.8.2.3 No transports property set** No local passkey matches, so the only option you have is to use a hardware [security key](https://www.corbado.com/glossary/security-key) (e.g. YubiKey) / cross-platform authenticator / roaming authenticator. ![No Bluetooth Windows 10 21H2 Chrome No Transports](https://www.corbado.com/website-assets/655a428606a44b7254f3b15b_no_bluetooth_windows_10_21h2_chrome_no_transports_10b4b7be67.png) **8.8.2.4 Empty allowCredentials** Passkey authentication is only possible via Windows Hello and hardware security keys. ![No Bluetooth Windows 10 21H2 Chrome Empty AllowCredentials](https://www.corbado.com/website-assets/656e0f12e540402d134edfe0_no_bluetooth_windows_10_21h2_chrome_empty_allowcredentials_8a51d98916.png) ### 8.9 Windows 10 21H2 + Edge 119 #### 8.9.1 Bluetooth Enabled **8.9.1.1 transports: \[internal, hybrid]** As expected, no local passkey matches, so it's suggested to scan the QR code and use the passkey on another device (as the system knows that there exists a passkey for this user). ![Bluetooth Windows 10 21H2 Edge Transports Internal Hybrid](https://www.corbado.com/website-assets/655a41d9ba4706dfb36cdc27_bluetooth_windows_10_21h2_edge_transports_internal_hybrid_ef0d00b7b7.png) **8.9.1.2 transports: \[internal]** Quite confusingly, you are prompted to enter your Windows Hello PIN code (or fingerprint / face scan if set up on the device), even though we changed the credential ID (so it should actually not find the credential as it's not specified in the allowCredentials property). However, after submitting the Windows Hello PIN code, an error is thrown: "[NotAllowedError](https://www.corbado.com/blog/webauthn-errors): The operation either timed out or was not allowed. See: [https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations- client.](https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client)" From a user perspective, this is a rather confusing behavior but makes sense as it could provide information about the users passkeys without user consent. ![Bluetooth Windows 10 21H2 Edge Transports Internal ](https://www.corbado.com/website-assets/655a41e9c91e9d877f8d69fd_bluetooth_windows_10_21h2_edge_transports_internal_a9be35d4e9.png) **8.9.1.3 No transports property set** No local passkey matches, so it's suggested to scan the QR code or use a hardware security key (e.g. YubiKey) / cross-platform authenticator / roaming authenticator. ![Bluetooth Windows 10 21H2 Edge No Transports](https://www.corbado.com/website-assets/655a41faf4d3d4dd56d0a26c_bluetooth_windows_10_21h2_edge_no_transports_4e859da47f.png) **8.9.1.4 Empty allowCredentials** As expected, all forms of passkey authentication are allowed: via Windows Hello, via QR code and via hardware security keys. For some reason, known devices are not displayed. ![Bluetooth Windows 10 21H2 Edge Empty AllowCredentials](https://www.corbado.com/website-assets/656e0f3b6d7434294c3a1609_bluetooth_windows_10_21h2_edge_empty_allowcredentials_b809409ee2.png) #### 8.9.2 Bluetooth Disabled **8.9.2.1 transports: \[internal, hybrid]** This is a really confusing message for users, as it's not explicitly stated what they should do and how they can authenticate. The only option they have is to click on "Cancel", making this scenario a dead-end. ![No Bluetooth Windows 10 21H2 Edge Transports Internal Hybrid](https://www.corbado.com/website-assets/655a429627bb0b39f6ce94c8_no_bluetooth_windows_10_21h2_edge_transports_internal_hybrid_e2ae87605f.png) **8.9.2.2 transports: \[internal]** This behavior is the same to the case where Bluetooth is enabled. It's very confusing that the users is prompted to enter the Windows Hello PIN code (or fingerprint / face scan if set up on the device), even though we changed the credential ID (so it should actually not find the credential as it's not specified in the allowCredentials property). However, after submitting the Windows Hello PIN code, an error is thrown: "NotAllowedError: The operation either timed out or was not allowed. See: [https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations- client.](https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client)" From a user perspective, this is a rather confusing behavior but makes sense as it could provide information about the users passkeys without user consent. ![No Bluetooth Windows 10 21H2 Edge Transports Internal](https://www.corbado.com/website-assets/655a42a263c9530593b69e9d_no_bluetooth_windows_10_21h2_edge_transports_internal_d125e7e90b.png) **8.9.2.3 No transports property set** No local passkey matches, so the only option you have is to use a hardware [security key](https://www.corbado.com/glossary/security-key) (e.g. YubiKey) / cross-platform authenticator / roaming authenticator. ![No Bluetooth Windows 10 21H2 Edge No Transports](https://www.corbado.com/website-assets/655a42ae341c12df9fc8d407_no_bluetooth_windows_10_21h2_edge_no_transports_3eea0c1f8c.png) **8.9.2.4 Empty allowCredentials** Passkey authentication is only possible via Windows Hello and hardware security keys. ![No Bluetooth Windows 10 21H2 Edge Empty AllowCredentials](https://www.corbado.com/website-assets/656e0f571d60cb40e25cf67b_no_bluetooth_windows_10_21h2_edge_empty_allowcredentials_9e62a2cb74.png) ### 8.10 Windows 10 22H2 + Chrome 119 #### 8.10.1 Bluetooth Enabled **8.10.1.1 transports: \[internal, hybrid]** As expected, no local passkey matches, so it's suggested to scan the QR code and use the passkey on another device (as the system knows that there exists a passkey for this user). ![Bluetooth Windows 10 22H2 Chrome Transports Internal Hybrid](https://www.corbado.com/website-assets/655a42cf056f1bc183bd3de9_bluetooth_windows_10_22h2_chrome_transports_internal_hybrid_7233c3d8c3.png) **8.10.1.2 transports: \[internal]** Quite confusingly, you are prompted to enter your Windows Hello PIN code (or fingerprint / face scan if set up on the device), even though we changed the credential ID (so it should actually not find the credential as it's not specified in the allowCredentials property). However, after submitting the Windows Hello PIN code, an error is thrown: "NotAllowedError: The operation either timed out or was not allowed. See: [https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations- client.](https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client)" From a user perspective, this is a rather confusing behavior but makes sense as it could provide information about the users passkeys without user consent. ![Bluetooth Windows 10 22H2 Chrome Transports Internal ](https://www.corbado.com/website-assets/655a42e631cdcff15a6b0005_bluetooth_windows_10_22h2_chrome_transports_internal_70cb5c42ca.png) **8.10.1.3 No transports property set** No local passkey matches, so it's suggested to scan the QR code or use a hardware security key (e.g. YubiKey) / cross-platform authenticator / roaming authenticator. ![Bluetooth Windows 10 22H2 Chrome No Transports](https://www.corbado.com/website-assets/655a42f5341c12df9fc94321_bluetooth_windows_10_22h2_chrome_no_transports_a1c084933a.png) **8.10.1.4 Empty allowCredentials** As expected, all forms of passkey authentication are allowed: via Windows Hello, via QR code and via hardware security keys. For some reason, known devices are not displayed. ![Bluetooth Windows 10 22H2 Chrome Empy AllowCredentials](https://www.corbado.com/website-assets/656e0f6d1df07c2e45039298_bluetooth_windows_10_22h2_chrome_empty_allowcredentials_d14bf6b868.png) #### 8.10.2 Bluetooth Disabled **8.10.2.1 transports: \[internal, hybrid]** This is a really confusing message for users, as it's not explicitly stated what they should do and how they can authenticate. The only option they have is to click on "Cancel", making this scenario a dead-end. For some reason, parts of the Windows Security modal are also displayed in German (a second language installed on this device). ![No Bluetooth Windows 10 22H2 Chrome Transports Internal Hybrid](https://www.corbado.com/website-assets/655a4361fcb17d5a59e49689_no_bluetooth_windows_10_22h2_chrome_transports_internal_hybrid_46e4dd0f06.png) **8.10.2.2 transports: \[internal]** This behavior is the same to the case where Bluetooth is enabled. It's very confusing that the users is prompted to enter the Windows Hello PIN code (or fingerprint / face scan if set up on the device), even though we changed the credential ID (so it should actually not find the credential as it's not specified in the allowCredentials property). However, after submitting the Windows Hello PIN code, an error is thrown: "NotAllowedError: The operation either timed out or was not allowed. See: [https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations- client.](https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client)" From a user perspective, this is a rather confusing behavior but makes sense as it could provide information about the users passkeys without user consent. ![No Bluetooth Windows 10 22H2 Chrome Transports Internal ](https://www.corbado.com/website-assets/655a43754f327a0ea96c0f2f_no_bluetooth_windows_10_22h2_chrome_transports_internal_522e8d235f.png) **8.10.2.3 No transports property set** No local passkey matches, so the only option you have is to use a hardware [security key](https://www.corbado.com/glossary/security-key) (e.g. YubiKey) / cross-platform authenticator / roaming authenticator. ![No Bluetooth Windows 10 22H2 Chrome No Transports ](https://www.corbado.com/website-assets/655a439c6c7b81432a90cd09_no_bluetooth_windows_10_22h2_chrome_no_transports_64de3d513a.png) **8.10.2.4 Empty allowCredentials** Passkey authentication is only possible via Windows Hello and hardware security keys. ![No Bluetooth Windows 10 22H2 Chrome Empy AllowCredentials](https://www.corbado.com/website-assets/656e0f96d01b45cb7af49bd0_no_bluetooth_windows_10_22h2_chrome_empty_allowcredentials_3e15754828.png) ### 8.11 Windows 10 22H2 + Edge 119 #### 8.11.1 Bluetooth Enabled **8.11.1.1 transports: \[internal, hybrid]** As expected, no local passkey matches, so it's suggested to scan the QR code and use the passkey on another device (as the system knows that there exists a passkey for this user). ![Bluetooth Windows 10 22H2 Edge Transports Internal Hybrid](https://www.corbado.com/website-assets/655a4304fcb17d5a59e4440a_bluetooth_windows_22h2_edge_transports_internal_hybrid_bda614e4bf.png) **8.11.1.2 transports: \[internal]** Quite confusingly, you are prompted to enter your Windows Hello PIN code (or fingerprint / face scan if set up on the device), even though we changed the credential ID (so it should actually not find the credential as it's not specified in the allowCredentials property). However, after submitting the Windows Hello PIN code, an error is thrown: "NotAllowedError: The operation either timed out or was not allowed. See: [https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations- client.](https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client)" From a user perspective, this is a rather confusing behavior but makes sense as it could provide information about the users passkeys without user consent. ![Bluetooth Windows 10 22H2 Edge Transports Internal ](https://www.corbado.com/website-assets/655a43410ef35b5c92083b17_bluetooth_windows_10_22h2_edge_transports_internal_38d6fb5bcd.png) **8.11.1.3 No transports property set** No local passkey matches, so it's suggested to scan the QR code or use a hardware security key (e.g. YubiKey) / cross-platform authenticator / roaming authenticator. ![Bluetooth Windows 10 22H2 Edge No Transports ](https://www.corbado.com/website-assets/655a4351056f1bc183bd7dad_bluetooth_windows_10_22h2_edge_no_transports_3c0dc6ae7d.png) **8.11.1.4 Empty allowCredentials** As expected, all forms of passkey authentication are allowed: via Windows Hello, via QR code and via hardware security keys. For some reason, known devices are not displayed. ![Bluetooth Windows 10 22H2 Edge Empty AllowCredentials](https://www.corbado.com/website-assets/656e0fab2483530de38c9c73_bluetooth_windows_10_22h2_edge_empty_allowcredentials_6f687e0ba4.png) #### 8.11.2 Bluetooth Disabled **8.11.2.1 transports: \[internal, hybrid]** This is a really confusing message for users, as it's not explicitly stated what they should do and how they can authenticate. The only option they have is to click on "Cancel", making this scenario a dead-end. ![No Bluetooth Windows 10 22H2 Edge Transports Internal Hybrid](https://www.corbado.com/website-assets/655a43bb58ede3292022c780_no_bluetooth_windows_10_22h2_edge_transports_internal_hybrid_fde74a565b.png) **8.11.2.2 transports: \[internal]** This behavior is the same to the case where Bluetooth is enabled. It's very confusing that the users is prompted to enter the Windows Hello PIN code (or fingerprint / face scan if set up on the device), even though we changed the credential ID (so it should actually not find the credential as it's not specified in the allowCredentials property). However, after submitting the Windows Hello PIN code, an error is thrown: "NotAllowedError: The operation either timed out or was not allowed. See: [https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations- client.](https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client)" From a user perspective, this is a rather confusing behavior but makes sense as it could provide information about the users passkeys without user consent. ![No Bluetooth Windows 10 22H2 Edge Transports Internal](https://www.corbado.com/website-assets/655a43c99e315820aa7f52dd_no_bluetooth_windows_10_22h2_edge_transports_internal_8b67007e33.png) **8.11.2.3 No transports property set** No local passkey matches, so the only option you have is to use a hardware security key (e.g. YubiKey) / cross-platform authenticator / roaming authenticator. ![No Bluetooth Windows 10 22H2 Edge No Transports ](https://www.corbado.com/website-assets/655a43d487a5a72a403ed731_no_bluetooth_windows_10_22h2_edge_no_transports_68b9f0f7a2.png) **8.11.2.4 Empty allowCredentials** Passkey authentication is only possible via Windows Hello and hardware security keys. ![No Bluetooth Windows 10 22H2 Edge Empty AllowCredentials](https://www.corbado.com/website-assets/656e0fc8ebf49396fbbf5852_no_bluetooth_windows_10_22h2_edge_empty_allowcredentials_deaa7e2395.png) ## 9. Recommendations for Developers ### 9.1 Implementation Tips - Use libraries and frameworks that abstract some of the complexities of the pure WebAuthn API. - Consider cross-platform authentication scenarios from the start to ensure a broad user base can benefit from your passkey implementation. Optimizing your [passkey login](https://www.corbado.com/blog/passkey-login-best-practices) flow reduces reliance on QR-code-based cross-device flows. Depending on your design choices, you can also offer [alternative login methods](https://www.corbado.com/faq/passkeys-fallback-options) in these scenarios. - Develop fallback mechanisms for scenarios where passkey cross-platform authentication (hybrid transport) might not be possible due to device limitations. - The biggest design decision is to decide if you want to promote cross-platform passkey authentication via QR code / Bluetooth (hybrid transport) and make it a prominent method for passkey authentication or use hints to not promote it actively. In the latter case, its always tried to immediately use the internally stored passkeys and only if no internal passkey is found, a QR code for cross-platform authentication (hybrid transport) is displayed. This needs to be defined in your [WebAuthn server options](https://www.corbado.com/blog/webauthn-server-options-overview) in the [excludeCredentials](https://www.corbado.com/glossary/excludecredentials) and allowCredentials properties. In the [excludeCredentials](https://www.corbado.com/glossary/excludecredentials) property of your WebAuthn server, you can see transport information about already created credentials. In the allowCredentials property, you can specify the behavior in the login process (see tests [above](#8-real-life-test-hybrid-transport-passkey-behavior)). - Moreover, you cannot prevent cross-platform passkey authentication (hybrid transport) entirely (see the tests above with transports: \[internal]), so you need to be prepared that your users will find this method and will have questions. The occurrence of this cross-platform authentication (hybrid transport) will occur in particular if users start to [delete passkeys](https://www.corbado.com/blog/webauthn-signal-api) locally. ### 9.2 Educational Strategies - Create comprehensive guides and tutorials that walk users through the passkey cross-platform authentication (hybrid transport) process. - Use in-app tooltips and contextual help sections to guide users during their first passkey cross-platform authentication (hybrid transport) experience. - Provide [FAQs](https://www.corbado.com/faq) and [troubleshooting](https://www.corbado.com/blog/passkey-troubleshooting-solutions) sections on your website or within the application. ### 9.3 Temporary Access Considerations - Implement time-bound sessions for passkey logins via QR code or Bluetooth to ensure that access is only temporary and secure. - Ensure that passkey cross-platform authentication (hybrid transport) doesnt undermine any existing security protocols, maintaining the integrity of user data. - Consider the privacy implications and ensure that any temporary access granted via passkey cross-platform authentication (hybrid transport) is logged and monitored according to security best practices. ## 10. Conclusion: QR Code / Bluetooth Passkeys Passkey cross-platform authentication via QR code / Bluetooth (hybrid transport) offers a balance between security and UX. However, its an entirely new process for most users and could cause many confusing situations, so need to think carefully if you want to promote it. We hope that we could shade some light on the topic of passkey cross-platform authentication (hybrid transport) via QR code / Bluetooth, explain how to set up things and how the behavior on different device / browser combinations looks like. If you have any questions, feel to reach out to us via our [passkeys community](https://bit.ly/passkeys-community) or subscribe to our [passkeys Substack](https://passkeys.substack.com/). Lets make the Internet a safer place by spreading passkeys.