Overview
A classified operations centre cannot afford phishing-susceptible credentials. When an operator at a NATO exercise types a password into a browser, there is always some risk that the credential is intercepted or reused somewhere less secure. FIDO2 passkeys remove that attack surface entirely: the private key never leaves the device, the credential is bound to the relying party's origin, and the server holds only a public key, so there is no shared secret to steal. An attacker who compromises the authentication server gains nothing useful.
The platform implements WebAuthn with full support for platform authenticators (Face ID, Touch ID, Windows Hello, Android biometrics), cross-platform authenticators (USB security keys, NFC tokens), and hardware tokens (YubiKey, Google Titan). Authentication completes in under a second from credential presentation to session establishment.
Open Standards
- W3C Web Authentication (WebAuthn) Level 3: The platform implements the full WebAuthn specification for credential registration and assertion ceremonies, including origin binding, challenge/response flows, and attestation verification.
- FIDO2 / CTAP2 (FIDO Alliance): Client-to-Authenticator Protocol 2 is supported for cross-platform authenticators, enabling USB, NFC, and Bluetooth security keys to participate in both registration and authentication ceremonies.
- FIDO Alliance Metadata Service (AAGUID attestation): Authenticator Attestation GUIDs are recorded and verified against the FIDO Metadata Service to confirm the provenance and certification level of registered hardware tokens.
- NIST SP 800-63B (AAL3): Credential management and authentication assurance are aligned with NIST Digital Identity Guidelines at Authenticator Assurance Level 3, satisfying requirements for phishing-resistant, verifier-impersonation-resistant authentication.
- CBOR Object Signing and Encryption (COSE, RFC 8152): Public keys and attestation objects exchanged during WebAuthn ceremonies are encoded in COSE format as required by the WebAuthn specification.
- OAuth 2.0 / OpenID Connect (RFC 6749 / OpenID Connect Core 1.0): Successful WebAuthn authentication ceremonies result in JWT session tokens issued through an OIDC-compliant token pipeline, with integration to Zitadel and Keycloak identity providers.
- SAML 2.0 (OASIS): The capability operates alongside SAML 2.0 federation, allowing passkey-authenticated sessions to be asserted into SAML-based relying parties in mixed-IdP enterprise deployments.
Last Reviewed: 2026-04-02 Last Updated: 2026-04-14
Key Features
Passkey Registration and Management
Register passkeys in under 30 seconds using biometric sensors or hardware tokens. Multiple credentials per user support backup access and multi-device workflows. The management interface lets users rename, delete, and prioritise registered passkeys.
Biometric Authentication
Native platform biometric integration with Face ID, Touch ID, Windows Hello, and Android biometric APIs. Platform-level liveness detection and secure enclave storage ensure private keys never leave the device. Authentication completes in under a second from credential presentation.
Hardware Token Support
Full support for FIDO2 security keys including all YubiKey models, Google Titan, Feitian, and Thetis devices. Hardware tokens provide physical-presence authentication for high-security environments and serve as backup credentials.
Cross-Platform Passkeys
Authenticate on desktop using passkeys stored on mobile devices via FIDO2 cross-device authentication with QR code and Bluetooth pairing. Works across Chrome, Safari, and Edge on Windows, macOS, iOS, and Android.
WebAuthn Timeout Management
An adaptive timeout calculation adds a safety buffer to the server-specified timeout while enforcing a maximum ceiling. An AbortController terminates stalled credential requests when the timeout expires. Separate loading states for password and passkey methods ensure one in-flight authentication does not affect the UI state of the other.
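As an added illustration (not the platform's own code), the browser-side sketch below shows the three mechanisms just described: the adaptive timeout with buffer and ceiling, the AbortController that cancels a stalled ceremony, and per-method loading flags. The buffer, ceiling and fallback values and the two stand-in authenticators are assumptions; in a real page `navigator.credentials` is passed in place of the stand-ins.

```javascript
// Added example, not the platform's code. Buffer, ceiling and fallback are assumed values.
const DEFAULTS = { bufferMs: 5_000, maxMs: 120_000, fallbackMs: 60_000 };

// Server-specified timeout (ms) -> client-side timeout: add a safety buffer so the
// server's own deadline is the one that normally fires first, but never exceed the ceiling.
function adaptiveTimeout(serverTimeoutMs, limits = {}) {
  const { bufferMs, maxMs, fallbackMs } = { ...DEFAULTS, ...limits };
  const base = Number.isFinite(serverTimeoutMs) && serverTimeoutMs > 0 ? serverTimeoutMs : fallbackMs;
  return Math.min(base + bufferMs, maxMs);
}

// One flag per method, so an in-flight passkey ceremony never toggles the
// password form's spinner and vice versa.
const loading = { password: false, passkey: false };
async function withLoading(method, fn) {
  loading[method] = true;
  try { return await fn(); } finally { loading[method] = false; }
}

// Runs an assertion ceremony and aborts it when the adaptive timeout elapses.
// `credentials` is injected so this runs outside a browser; in a page pass navigator.credentials.
function getAssertion(credentials, publicKeyOptions, limits) {
  return withLoading('passkey', async () => {
    const controller = new AbortController();
    const timer = setTimeout(() => controller.abort(), adaptiveTimeout(publicKeyOptions.timeout, limits));
    try {
      return await credentials.get({ publicKey: publicKeyOptions, signal: controller.signal });
    } finally {
      clearTimeout(timer); // never leave a timer that could abort a later ceremony
    }
  });
}

// Constructed stand-ins for navigator.credentials (no real authenticator involved):
// one that never answers (operator walked away), one that answers immediately.
const stalledAuthenticator = {
  get: ({ signal }) => new Promise((_, reject) =>
    signal.addEventListener('abort', () => reject(Object.assign(new Error('aborted'), { name: 'AbortError' })))),
};
const promptAuthenticator = { get: () => Promise.resolve({ id: 'cred-1', type: 'public-key' }) };
```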
Account Recovery
Multiple recovery methods without security questions or email resets: backup passkeys, synced credentials via iCloud Keychain or Google Password Manager, admin-assisted recovery with multi-factor identity verification, and offline recovery passkeys for complete device loss.
Zero Phishing Risk
Public-key cryptography with origin binding prevents credential theft and replay attacks. Private keys are generated and stored in device hardware security modules and never transmitted to the server under any circumstances.
Use Cases
- Enterprise Authentication: Replace password-based login with phishing-resistant biometric authentication while maintaining NIST 800-63B AAL3 compliance for classified and sensitive environments
- High-Security Operations: Hardware token enforcement for administrative access, financial transactions, and classified information handling in military and intelligence contexts
- Multi-Device Workers: Seamless authentication across personal and work devices using synced passkeys or cross-platform QR code flows for field staff and analysts
Integration
Available through the authentication API with registration and verification operations. Supports FIDO2 Level 2 certification, NIST 800-63B AAL3, and PCI DSS SCA compliance. Complete audit logs for every passkey action with configurable retention policies. Works alongside SAML 2.0 federation, Zitadel IAM, and Keycloak in mixed-IdP deployments.