> ## Documentation Index
> Fetch the complete documentation index at: https://docs-staging-quickstart-revamp.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Learn about implementing passkeys as an authentication method

# Passkeys

Passkeys are a phishing-resistant alternative to traditional authentication factors (such as identifier/password) that offer an easier and more secure login experience to users. Passkeys are modeled from FIDO® W3C Web Authentication (WebAuthn) and Client to Authenticator Protocol (CTAP) [specifications](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#intro)).

Passkeys reduce the friction experienced with single-device authentication methods by allowing credentials to sync across devices. Cross-device authentication eliminates the need for users to re-enroll on each of their devices. It also supports a more reliable recovery method as the stored credentials can survive the loss of an originating device. To learn more about passkeys, review the FIDO® Alliance [Passkey FAQs](https://fidoalliance.org/passkeys/#faq).

Auth0 supports passkeys as an authentication method for [database connections](/docs/authenticate/database-connections).

## User experience flows

Similar to traditional authentication factors, passkeys can support several user experience flows such as signup, login, and account recovery.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Auth0 Universal Login currently supports the signup and login user experience flows for passkeys.
</Callout>

### Signup flow

The signup flow requires the user to provide an email address, and then create a passkey on either their current device or another device through cross-device authentication.

1. Prompts the user to enter their email address.

   <Frame>
     <img src="https://mintcdn.com/docs-staging-quickstart-revamp/OF4RJhPvadaf5sdD/images/cdy7uua7fh8z/5SlpzscSseNOuJlvhOgBqr/318d95254ef48197a32e58c92be00d2b/signup-passkey_default.png?fit=max&auto=format&n=OF4RJhPvadaf5sdD&q=85&s=6c221a9b1195e5adf9b81a8f1faf47f5" alt="" width="402" height="422" data-path="images/cdy7uua7fh8z/5SlpzscSseNOuJlvhOgBqr/318d95254ef48197a32e58c92be00d2b/signup-passkey_default.png" />
   </Frame>
2. User enters their email address.

   <Frame>
     <img src="https://mintcdn.com/docs-staging-quickstart-revamp/d9I4PO9-WombE4fE/images/cdy7uua7fh8z/3r5pFsWx6SkYOHSHglRwzG/337e3569359c3431c82e80adfeceb470/signup-passkey_filled.png?fit=max&auto=format&n=d9I4PO9-WombE4fE&q=85&s=5681f7c7bbd9fdf9578a8193dcff3ebd" alt="" width="402" height="422" data-path="images/cdy7uua7fh8z/3r5pFsWx6SkYOHSHglRwzG/337e3569359c3431c82e80adfeceb470/signup-passkey_filled.png" />
   </Frame>
3. Prompts the user to create a passkey.

   <Frame>
     <img src="https://mintcdn.com/docs-staging-quickstart-revamp/jp6vZz7DhptSlPIu/images/cdy7uua7fh8z/7vZK4q4iUtxyld1Os6og4s/c6df982f684824ef9f11a7ef9a477700/Passkeys_-_UL_-_English.png?fit=max&auto=format&n=jp6vZz7DhptSlPIu&q=85&s=d72053d189cd4d7564a73eae46b0125e" alt="" width="494" height="769" data-path="images/cdy7uua7fh8z/7vZK4q4iUtxyld1Os6og4s/c6df982f684824ef9f11a7ef9a477700/Passkeys_-_UL_-_English.png" />
   </Frame>
4. If the user selects **Create a passkey**, it triggers the browser (or operating system) flow to create a passkey.

   <Frame>
     <img src="https://mintcdn.com/docs-staging-quickstart-revamp/cn1eMmAiJHX3hF4T/images/cdy7uua7fh8z/IsWmSXNHc2fvRuEgn5DpK/52b2464e21c8dc68bb06869126043ba9/Signup_-_Passkey_-_Browser_OS_Create_a_Passkey.png?fit=max&auto=format&n=cn1eMmAiJHX3hF4T&q=85&s=5d748324ea475a6d23f7bd02e079de99" alt="" width="400" height="300" data-path="images/cdy7uua7fh8z/IsWmSXNHc2fvRuEgn5DpK/52b2464e21c8dc68bb06869126043ba9/Signup_-_Passkey_-_Browser_OS_Create_a_Passkey.png" />
   </Frame>

   * If the user selects **Continue**, it prompts them to authenticate with their device’s credentials.

     <Frame>
       <img src="https://mintcdn.com/docs-staging-quickstart-revamp/0yzvW89mU3tfXF-c/images/cdy7uua7fh8z/6OJlPQrWBhgO8izXXoKbOw/a3c1af9a94aaeffc50793e3e9b88db8f/Signup_-_Passkeys_-_Chrome_Prompt_for_Device_Credentials.png?fit=max&auto=format&n=0yzvW89mU3tfXF-c&q=85&s=2593dcab23ad30b99011013f9a68cd37" alt="" width="400" height="469" data-path="images/cdy7uua7fh8z/6OJlPQrWBhgO8izXXoKbOw/a3c1af9a94aaeffc50793e3e9b88db8f/Signup_-_Passkeys_-_Chrome_Prompt_for_Device_Credentials.png" />
     </Frame>
   * If the user selects **Try another way**, it prompts them to create a passkey on another device.

     <Frame>
       <img src="https://mintcdn.com/docs-staging-quickstart-revamp/MuTsjoV4fPPSGZz9/images/cdy7uua7fh8z/2yXrkVbYLxxp6MXnrZLqVN/5f67ddf9b8003729a11604a3af3e553d/passkey-browser-cross-device.png?fit=max&auto=format&n=MuTsjoV4fPPSGZz9&q=85&s=cb13d22488090560619f2643c9fdc134" alt="" width="402" height="407" data-path="images/cdy7uua7fh8z/2yXrkVbYLxxp6MXnrZLqVN/5f67ddf9b8003729a11604a3af3e553d/passkey-browser-cross-device.png" />
     </Frame>

### Login flow

The login flow detects if the user has a passkey registered to the current device and then automatically selects it using autofill. If the user has multiple passkeys registered to the device, they can manually select one with a button.

1. Prompts the user for an email address or a passkey.

   <Frame>
     <img src="https://mintcdn.com/docs-staging-quickstart-revamp/d9I4PO9-WombE4fE/images/cdy7uua7fh8z/3qqI3Uo1z1yQhvb7boQ0cx/820f38ffdec77388331ef238ff80de88/login-passkey_default.png?fit=max&auto=format&n=d9I4PO9-WombE4fE&q=85&s=07a16b5022af8f24ea0759a6f5d29bcf" alt="" width="402" height="570" data-path="images/cdy7uua7fh8z/3qqI3Uo1z1yQhvb7boQ0cx/820f38ffdec77388331ef238ff80de88/login-passkey_default.png" />
   </Frame>
2. User can use autofill or select **Continue with a passkey**.

   <Frame>
     <img src="https://mintcdn.com/docs-staging-quickstart-revamp/R8rXfTj95YBIEuC2/images/cdy7uua7fh8z/3zvWl2rpxzJ5klloIihRYB/a311cc3cc54075b7b92aca677ced29ba/login-passkey_filled.png?fit=max&auto=format&n=R8rXfTj95YBIEuC2&q=85&s=b1de352fe48d1eebc3f7886e6dd55eb9" alt="" width="400" height="568" data-path="images/cdy7uua7fh8z/3zvWl2rpxzJ5klloIihRYB/a311cc3cc54075b7b92aca677ced29ba/login-passkey_filled.png" />
   </Frame>

   <Frame>
     <img src="https://mintcdn.com/docs-staging-quickstart-revamp/TU1OUbCB6Vk1Wu6L/images/cdy7uua7fh8z/tC4UZmYFgo7Zjt9kviP9j/690b87af58068c18a4609c8e9431e5b7/Login_-_Passkeys_-_Choose_a_passkey.png?fit=max&auto=format&n=TU1OUbCB6Vk1Wu6L&q=85&s=661b77325a6db9486a88008f7adac492" alt="" width="400" height="359" data-path="images/cdy7uua7fh8z/tC4UZmYFgo7Zjt9kviP9j/690b87af58068c18a4609c8e9431e5b7/Login_-_Passkeys_-_Choose_a_passkey.png" />
   </Frame>
3. Prompts the user to authenticate with the device’s credentials.

   <Frame>
     <img src="https://mintcdn.com/docs-staging-quickstart-revamp/0yzvW89mU3tfXF-c/images/cdy7uua7fh8z/6OJlPQrWBhgO8izXXoKbOw/a3c1af9a94aaeffc50793e3e9b88db8f/Signup_-_Passkeys_-_Chrome_Prompt_for_Device_Credentials.png?fit=max&auto=format&n=0yzvW89mU3tfXF-c&q=85&s=2593dcab23ad30b99011013f9a68cd37" alt="" width="400" height="469" data-path="images/cdy7uua7fh8z/6OJlPQrWBhgO8izXXoKbOw/a3c1af9a94aaeffc50793e3e9b88db8f/Signup_-_Passkeys_-_Chrome_Prompt_for_Device_Credentials.png" />
   </Frame>

## Account reset

If the user needs to reset their account, they can [trigger an interactive password reset flow](/docs/authenticate/database-connections/password-change#universal-login-page) through <Tooltip tip="Universal Login: Your application redirects to Universal Login, hosted on Auth0's Authorization Server, to verify a user's identity." cta="View Glossary" href="/docs/glossary?term=Universal+Login">Universal Login</Tooltip>.

Passkeys are implemented on the Database (Identifier/Password) connection to guarantee another factor for recovery purposes and to facilitate migration of users from passwords to passkeys.

## Passkeys with MFA enabled

If <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=MFA">MFA</Tooltip> is enabled, the user may be prompted to complete an MFA challenge after authenticating with a passkey based on settings and risk assessment.

The default behavior is to require the completion of an MFA challenge regardless if the authentication method used was a password or a passkey. Given the high level of security passkeys provide, you may skip MFA for users that have authenticated with a passkey in order to reduce friction. This can be achieved by using a post-login Action.

To learn more, read [Reduce friction with passkeys](/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger#reduce-friction-with-passkeys) and [Multi-Factor Authentication](/docs/secure/multi-factor-authentication).

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  FIDO® is a trademark (registered in numerous countries) of [FIDO Alliance, Inc](https://fidoalliance.org/).
</Callout>
