You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
What is the recommended best practice and secure implementation flow for registering additional device passkeys for a user?
The user first registers for a new account with their unique identifier (ie. their email or a username) with their biometric passkey. They now have a passkey for their device (ex. their current laptop). How would we implement the next steps of securely adding other device passkeys to the same and unique account(ex. they wish to add additional devices and passkeys for their phone, tablet, and/or desktop)?
Passkeys are to reduce and remove the less secure methods of 2FA and email sign-ins, so I'm wondering how to implement this additional device passkey registration without adding back in these additional methods. Or if it's necessary, what is the most secure and best practice way for the least exposure and risk to these previous methods?
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
Hi Matthew and the SimpleWebAuthN community,
What is the recommended best practice and secure implementation flow for registering additional device passkeys for a user?
The user first registers for a new account with their unique identifier (ie. their email or a username) with their biometric passkey. They now have a passkey for their device (ex. their current laptop). How would we implement the next steps of securely adding other device passkeys to the same and unique account(ex. they wish to add additional devices and passkeys for their phone, tablet, and/or desktop)?
Passkeys are to reduce and remove the less secure methods of 2FA and email sign-ins, so I'm wondering how to implement this additional device passkey registration without adding back in these additional methods. Or if it's necessary, what is the most secure and best practice way for the least exposure and risk to these previous methods?
Thank you in advance for your time
Beta Was this translation helpful? Give feedback.
All reactions