Passkeys are a replacement for passwords, making the login experience easier and more secure. Passkey authentication eliminates numerous attacks that use stolen passwords. It also protects users against phishing as each passkey is linked to a specific website or application.
The passkey standard is a type of passwordless authentication, promoted by the World Wide Web Consortium and the FIDO Alliance.
With the introduction in January 2024, edu-ID was an early adopter of Passkey authentication. It can be used and configured by every edu-ID user. Nevertheless, Passkey is a relatively new technology, and many potential users are not yet familiar with it. To optimize user statisfaction and reduce helpdesk requests it is necessary to offer training material and best practice quidelines to users. It is suggested to accompany the introduction of Passkeys at a university with an information campaign.
With usernameless authentication (autofill based on conditional UI) users no longer need to enter an email address as username. edu-ID fully supports usernameless authentication. Anyone who has set up a passkey as their authentication method will automatically benefit from this. With most browsers and passkey authenticators, users can directly see a pop up to use a passkey. With just one click they can achieve secure authentication equivalent to email, password, plus second factor.
Any user with an edu-ID account can enable passkey authentication. Every up-to date computer or mobile phone with the exception of the Linux platform is ready for passkeys (see device support below).
If a passkey is lost, it has to be ensured that a user can regain access to her account. Edu-ID make sure that the following recovery methods are configured:
The consequence is, that users currently who use Passkeys for edu-ID also need to configure two step login for recovery purposes.
Passkeys exist in many different types. In edu-ID, all passkeys supported by the user's platform can be used. The passkey support on the platform depends on the browser, the operating system and, if applicable, the cell phone or the USB security key.
In general Passkeys can potentially be generated, stored and managed by the following devices
A good overview of the supported devices can be found here: https://passkeys.dev/device-support/
The edu-ID passkey implementation is configured to always have the authentication quality of a 2-step login (2-factor authentication). A passkey authentication in edu-ID requires user verification, whereas simple user presence is insufficient.
Examples:
edu-ID supports cross device authentication, the synchronization of passkeys between devices. The providers of synchronization solutions claim to end-to-end encrypt the passkeys transmitted from one device to another, and not to be able to read them out.
Refer to the statements of providers for more details:
In general, no particular service configuration is required to allow the usage of passkeys. There's a caveat, however, in SAML if a service specifies an overly restrictive authentication context that enforces password authentication.
Recommendation for services: Do not specify an authentication context in services and remove a RequestedAuthnContext clause from the SP configuration.
General:
Related to Passkeys in SWITCH edu-ID: