---
url: 'https://www.corbado.com/faq/backend-changes-passkey-login'
title: 'What changes are required in the backend to use passkeys?'
description: 'Understand the backend changes needed for supporting passkey-based login, including WebAuthn server updates and secure credential storage.'
lang: 'en'
keywords: 'backend changes for passkeys'
---

# What changes are required in the backend to use passkeys?

## What Changes Are Required in Backend Logic to Accommodate Passkey-Based Login?

Implementing passkey-based login involves significant updates to backend logic to ensure
secure and seamless authentication. Here’s what needs to be done:

### 1. Integrate a WebAuthn-Compliant Server

- Add a backend component to handle WebAuthn operations for passkey registration and
  authentication.
- Use compatible libraries or frameworks, such as:
    - [Node.js](https://www.corbado.com/blog/nodejs-passkeys) (e.g., `@simplewebauthn/server`)
    - Java (e.g., `webauthn-server-core`)
    - .NET (e.g., `Fido2NetLib`)

### 2. Update Authentication Flows

- Modify the authentication logic to:
    - Validate passkey credentials during login using the WebAuthn protocol.
    - Differentiate between passkey-based login and other authentication methods.
- Implement fallback options for users without passkeys (e.g., passwords or OTPs).

### 3. Secure Credential Storage

- Store the public key, [credential ID](https://www.corbado.com/blog/webauthn-user-id-userhandle), and
  [user handle](https://www.corbado.com/blog/webauthn-user-id-userhandle) securely in your database.
- Ensure compliance with data protection regulations, such as GDPR or CCPA.

### 4. Enhance Database Schema

- Extend the user table to include passkey-related fields, such as:
    - Public key
    - [Credential ID](https://www.corbado.com/blog/webauthn-user-id-userhandle)
    - [User handle](https://www.corbado.com/blog/webauthn-user-id-userhandle)
    - [Attestation](https://www.corbado.com/glossary/attestation) data (optional)

### 5. Implement Cross-Device Compatibility

- Support cross-device authentication by ensuring passkey credentials are not device-bound
  unless explicitly required.
- Enable cross-platform syncing for passkeys stored in
  [platform authenticator](https://www.corbado.com/glossary/platform-authenticator) clouds (e.g.,
  [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain),
  [Google Password Manager](https://www.corbado.com/blog/how-to-use-google-password-manager)).

### 6. Test for Robustness

Validate backend functionality with various scenarios:

- [Passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices)
- Authentication
- Error handling (e.g., invalid credentials or missing keys)
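
The login-time validation from step 2 and the error cases listed above, as an added example (not Corbado's code and not the API of any library named in step 1): it runs the core WebAuthn assertion checks using Node's built-in `crypto`. The function names, the `login.example` relying party and the `makeAssertion` fixture are assumptions made for illustration; in production a library from step 1 performs these checks.

```javascript
const crypto = require('node:crypto');
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();
const fail = (reason) => ({ ok: false, reason });

// cred: stored row { publicKey, signCount } looked up by credential ID (undefined if none).
// expected: { challenge, origin, rpId } the server issued/configured for this login.
function verifyAssertion(cred, expected, { clientDataJSON, authenticatorData, signature }) {
  if (!cred) return fail('unknown credential');
  let clientData;
  try { clientData = JSON.parse(clientDataJSON.toString('utf8')); }
  catch { return fail('malformed clientDataJSON'); }
  if (clientData.type !== 'webauthn.get') return fail('wrong type');
  if (clientData.challenge !== expected.challenge) return fail('challenge mismatch');
  if (clientData.origin !== expected.origin) return fail('origin mismatch');
  // authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ...
  if (authenticatorData.length < 37) return fail('short authenticatorData');
  if (!authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return fail('rpId mismatch');
  if ((authenticatorData[32] & 0x01) === 0) return fail('user not present');
  // The signature covers authenticatorData || SHA-256(clientDataJSON); ES256 signatures are DER.
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  if (!crypto.verify('sha256', signed, cred.publicKey, signature)) return fail('bad signature');
  // 0 on both sides means the authenticator keeps no counter (common for synced passkeys).
  const signCount = authenticatorData.readUInt32BE(33);
  if ((signCount || cred.signCount) && signCount <= cred.signCount) return fail('counter did not increase');
  return { ok: true, newSignCount: signCount };
}

// Constructed fixture: plays the authenticator so the example runs offline.
function makeAssertion(privateKey, { challenge, origin, rpId }, signCount) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(signCount);
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), counter]); // UP|UV flags
  const toSign = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', toSign, privateKey) };
}

// Constructed sample values: a fresh P-256 key pair and a made-up relying party.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const expected = {
  challenge: crypto.randomBytes(32).toString('base64url'),
  origin: 'https://login.example',
  rpId: 'login.example',
};
const stored = { publicKey, signCount: 7 };
console.log(verifyAssertion(stored, expected, makeAssertion(privateKey, expected, 8)));
```

On success the caller persists `newSignCount` to the credential row and invalidates the challenge so it cannot be reused.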

These backend changes ensure a secure and scalable implementation of passkey-based login,
aligning with WebAuthn standards and best practices.

