Overview#
Phishing-resistant passwordless authentication built on FIDO2 passkeys and WebAuthn, covering platform biometrics, hardware security keys, and cross-device sign-in.
A classified operations centre cannot afford phishing-susceptible credentials. Whenever an operator types a password into a browser, there is some risk that the credential is intercepted or reused somewhere less secure. FIDO2 passkeys remove that attack surface: the private key never leaves the device, the credential is bound to the platform's origin, and no shared secret is stored on the server. An attacker who steals the server-side credential store obtains only public keys.
The platform implements WebAuthn with support for platform authenticators (Face ID, Touch ID, Windows Hello, Android biometrics), cross-platform authenticators (USB security keys, NFC tokens), and hardware tokens (YubiKey, Google Titan).
Open Standards#
- W3C Web Authentication (WebAuthn): The platform implements WebAuthn credential registration and assertion ceremonies, including origin binding, challenge and response flows, and attestation verification.
- FIDO2 / CTAP2 (FIDO Alliance): Client-to-Authenticator Protocol 2 is supported for cross-platform authenticators, enabling USB, NFC, and Bluetooth security keys to participate in both registration and authentication ceremonies.
- FIDO Alliance Metadata Service (AAGUID attestation): Authenticator Attestation GUIDs are recorded and can be verified against the FIDO Metadata Service to confirm the provenance and certification level of registered hardware tokens.
- NIST SP 800-63B: Credential management and authentication assurance follow the NIST Digital Identity Guidelines for phishing-resistant, verifier-impersonation-resistant authentication; deployments using hardware-bound authenticators can target Authenticator Assurance Level 3.
- CBOR Object Signing and Encryption (COSE, RFC 8152): Public keys and attestation objects exchanged during WebAuthn ceremonies are encoded in COSE format as required by the WebAuthn specification.
- OAuth 2.0 / OpenID Connect (RFC 6749 / OpenID Connect Core 1.0): Successful WebAuthn authentication ceremonies result in JWT session tokens issued through an OIDC-compliant token pipeline, with integration to Zitadel and Keycloak identity providers.
- SAML 2.0 (OASIS): The capability operates alongside SAML 2.0 federation, allowing passkey-authenticated sessions to be asserted into SAML-based relying parties in mixed-IdP enterprise deployments.
Key Features#
Passkey Registration and Management#
Register passkeys in a short guided flow using biometric sensors or hardware tokens. Multiple credentials per user support backup access and multi-device workflows. The management interface lets users rename, delete, and prioritise registered passkeys.
Biometric Authentication#
Native platform biometric integration with Face ID, Touch ID, Windows Hello, and Android biometric APIs. Platform-level liveness detection and secure enclave storage ensure private keys never leave the device, and a single local gesture completes authentication.
Hardware Token Support#
Support for FIDO2 security keys including YubiKey, Google Titan, Feitian, and Thetis devices. Hardware tokens provide physical-presence authentication for high-security environments and serve as backup credentials.
Cross-Platform Passkeys#
Authenticate on desktop using passkeys stored on mobile devices via FIDO2 cross-device authentication with QR code and Bluetooth pairing. Works across Chrome, Safari, and Edge on Windows, macOS, iOS, and Android.
WebAuthn Timeout Management#
An adaptive timeout calculation adds a safety buffer to the server-specified timeout while enforcing a maximum ceiling. Stalled credential requests are cancelled automatically when the timeout expires. Separate loading states for password and passkey methods ensure one in-flight authentication does not affect the other.
Account Recovery#
Multiple recovery methods without security questions or email resets: backup passkeys, synced credentials via iCloud Keychain or Google Password Manager, admin-assisted recovery with multi-factor identity verification, and offline recovery passkeys for complete device loss.
Phishing Resistance#
Public-key cryptography with origin binding defeats credential phishing and replay attacks. Private keys are generated and stored by the device authenticator, typically in dedicated secure hardware, and are never transmitted to the server.
Strict Verification and Host Scoping#
Passkeys used for offline unlock are scoped to the exact serving host, and user verification is required by default and locked against downgrade. Passkey sign-in fails closed whenever the central authentication service returns an incomplete response: no partial acceptance, no session.
Protected Credential Removal#
Removing a passkey requires a verified fresh password proof, and a rejected or failed verification aborts the change rather than falling through. Because the step-up check is fail-closed, a stolen but expired session cannot be used to quietly strip a credential from an account.
Consistent Mobile Enforcement#
Accounts mandated to use a passkey cannot satisfy multi-factor sign-in with a one-time code on the native mobile flow: the same phishing-resistant requirement the web flow enforces applies everywhere, and mobile sign-in advertises only the factors an account is actually allowed to use. Passkey assertions submitted from mobile devices are structurally validated before being sent for verification, so a malformed assertion fails cleanly instead of being partially accepted, and repeated failed attempts are progressively slowed on the device in addition to server-side rate limiting.
Use Cases#
- Enterprise Authentication: Replace password-based login with phishing-resistant biometric authentication in line with NIST SP 800-63B guidance for classified and sensitive environments
- High-Security Operations: Hardware token enforcement for administrative access, financial transactions, and classified information handling in military and intelligence contexts
- Multi-Device Workers: Seamless authentication across personal and work devices using synced passkeys or cross-platform QR code flows for field staff and analysts
- Shared Field Devices: Progressive on-device throttling of failed passkey attempts and enumeration-resistant sign-in protect shared responder devices from opportunistic credential guessing when left unattended
Integration#
Available through the authentication API with registration and verification operations. Works with FIDO2-certified authenticators and supports deployments aligned with NIST SP 800-63B phishing-resistant authentication guidance. Audit logging covers passkey actions, with configurable retention policies. Works alongside SAML 2.0 federation, Zitadel IAM, and Keycloak in mixed-IdP deployments.
Last Reviewed: 2026-07-16 Last Updated: 2026-07-16