CDA (Cross-Device Authentication) allows users to use a passkey from one device for authentication on another, facilitating seamless access across diverse platforms. This innovative approach is underpinned by the FIDO Client-to-Authenticator Protocol (CTAP), which employs a "hybrid" transport mechanism. CTAP is integral to the CDA process, being implemented by authenticators and client platforms rather than relying parties, ensuring a secure and efficient authentication experience.
You can also read a detailed report on Cross-Device Authentication in this blog post.
CDA (Cross-Device Authentication) is important for providing users with a frictionless experience when accessing services across multiple devices. It revolves around two key components: the CDA Client and the CDA Authenticator.
Cross-Device Authentication (CDA) integrates QR codes and Bluetooth to provide a versatile and secure authentication mechanism. QR codes facilitate easy, user-initiated authentication processes by enabling quick scanning to establish authentication requests. Bluetooth adds a layer of security by ensuring physical proximity between the involved devices. This dual approach combines the ease of use with robust security measures, catering to various user environments and scenarios.
Passkeys are typically synchronized across devices through cloud accounts (e.g. Apple's iCloud Keychain), ensuring they are readily available for authentication regardless of the device used. This synchronization is secured by advanced encryption and is protected by biometric data or PINs, with mechanisms in place to prevent unauthorized access, such as rate limiting for login attempts.
While synced passkeys offer convenience, they may not always be accessible on new or non-primary devices. Cross-Device Authentication addresses this challenge by providing a secure bridge for passkeys between devices without the need for cloud account synchronization. This method leverages QR codes for initiating authentication and Bluetooth for verifying the proximity of devices, ensuring a secure and user-friendly experience. One use case for cross-device authentication is logging into an account on a friend's device, where it is not possible to use synced passkeys.
You can use this table to see the current support of Cross-Device Authentication for different operating systems. Authenticator means the device that holds the passkey (usually the smartphone). Client means the device that creates the QR code and on which the user tries to log in (usually the desktop).
It's important to consider different behaviors of devices in the context of CDA. The authentication experience can vary based on a device's hardware capabilities, such as the presence of a camera for QR code scanning or Bluetooth for proximity checks. Additionally, operating systems may implement CDA differently, affecting how users initiate and complete the authentication process. Developers implementing CDA must account for these variabilities, ensuring a smooth and secure user experience across all devices. See a detailed report on the different device behaviors in this blog post.
Passkey sharing employs robust security measures to protect data. This approach is essential for replacing passwords with a more secure and user-friendly alternative, aligning with FIDO's mission to enhance sign-in processes across speed, convenience, and security dimensions.
Cross-Device Authentication (CDA) is rapidly becoming available across a wide range of operating systems and browsers, as support for passkeys is introduced. An overview of the availability can be found on this website.
Passkeys are synced across devices through end-to-end encrypted mechanisms tied to the user's platform account (e.g., Apple ID, Google account). This ensures that passkeys created on one device are readily available on all other devices signed into the same account, facilitating easy and secure access across the user's digital ecosystem.
Hybrid transport allows for secure authentication across devices without needing passkeys to be synced through a cloud account, offering flexibility, and maintaining the integrity of passkeys solely with the user.
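Because hybrid transport is handled by the client platform and the authenticator, a relying party sees only the resulting WebAuthn assertion. As an added example (not code from this page or from any vendor), the sketch below reads the authenticator data flags and the browser-reported `authenticatorAttachment` to tell a synced passkey from a non-synced one and to notice when the passkey came from another device; the helper names and the `offerLocalPasskey` policy are assumptions.

```javascript
// Authenticator data layout (WebAuthn): rpIdHash (32 bytes) | flags (1 byte) |
// signCount (4 bytes, big-endian) | optional data. Bit values are from the spec.
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10 };

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error('authenticatorData must be at least 37 bytes');
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    userPresent: (flags & FLAGS.UP) !== 0,
    userVerified: (flags & FLAGS.UV) !== 0,
    backupEligible: (flags & FLAGS.BE) !== 0, // passkey may be synced
    backedUp: (flags & FLAGS.BS) !== 0,       // passkey is currently synced
    signCount: view.getUint32(33, false),
  };
}

// authenticatorAttachment is what the browser reports on the returned
// PublicKeyCredential: "platform", "cross-platform" or null.
function classifyLogin(authenticatorAttachment, authDataBytes) {
  const ad = parseAuthenticatorData(authDataBytes);
  if (ad.backedUp && !ad.backupEligible) {
    // BS without BE is not a valid combination; reject the assertion.
    throw new Error('invalid flags: BS set without BE');
  }
  // "cross-platform" covers hybrid (CDA) and roaming security keys alike;
  // this field alone does not distinguish the two.
  const crossPlatform = authenticatorAttachment === 'cross-platform';
  return {
    crossPlatform,
    syncedPasskey: ad.backupEligible && ad.backedUp,
    userVerified: ad.userVerified,
    // Assumed policy: after a verified login from another device, offer to
    // create a passkey on the current device so the next login is local.
    offerLocalPasskey: crossPlatform && ad.userVerified,
  };
}

// Constructed sample input: zero-filled rpIdHash, chosen flags and counter.
function sampleAuthData(flags, signCount = 0) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}
```

In a real deployment the flags are read only after the assertion signature and `rpIdHash` have been verified, since unverified authenticator data proves nothing.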
CDA employs QR codes and Bluetooth to enhance security and convenience. QR codes simplify the initiation of authentication, while Bluetooth ensures the physical proximity of devices, adding an extra layer of security.
While CDA requires an internet connection for the initial setup and authentication process, the Bluetooth proximity check for authentication does not rely on an internet connection, enhancing its versatility.
Devices must support WebAuthn, have a camera for QR code scanning, support Bluetooth 4.0 or higher for caBLE, and maintain a stable internet connection to facilitate the CDA process effectively.