
Passkey Authentication

Passkeys are a safer and more convenient way to verify users because they resist phishing attacks. In LoginRadius, passkeys can be used as a Multi-Factor Authentication (MFA) method, adding an extra layer of security.

Note: Passkeys provide a secure, passwordless authentication method, enabling users to register and sign in directly using a passkey without creating or entering a traditional password. For more information, refer to the passkey documentation.

Benefits of Using Passkeys for MFA

Integrating MFA Passkey APIs provides several advantages:

Benefit                          Description
Enhanced Security                Resistant to phishing and unauthorized access.
Improved User Experience         Fast and seamless logins without needing passwords.
Reduced Credential Theft Risk    Eliminates password-related vulnerabilities.
Future-Proof Authentication      Aligned with modern security standards like FIDO2 and WebAuthn.

Passkey Workflow

  1. Enable MFA Passkey from the Console and configure the necessary settings.

  2. When end-users log in and MFA is triggered:

    • If the Passkey is not registered, users can register one via a browser or device prompt.
    • If the Passkey is already registered, users must verify it to complete login.
  3. After registration, users can manage the MFA Passkey (view or delete) via their account settings.

  4. On every subsequent login, users must verify their registered passkey during MFA.

Note: Passkey MFA is an extension of the core Passkey feature. To use Passkeys as MFA, customers must first enable Passkeys under Authentication > Passkeys at the LoginRadius Console.

In the SecondFactorAuthentication object of API responses, the key used for this authenticator will be:

"IsPasskeyAuthenticatorVerified": true/false

MFA Passkey Configuration

  1. You can enable Passkey as an MFA option in the LoginRadius Console by navigating to Security > MFA Factors > Passkeys.
  2. Enable Passkeys globally for authentication.
  3. Enable MFA Passkey and configure:
    1. Registration Settings
    2. Verification Settings
    3. Optional/Required MFA settings
  4. Save all related Passkey configurations.

Once completed, the Passkey can be part of the MFA flow.

Passkey API Implementation

Follow the steps below to implement MFA via our MFA API, which uses a mix of front-end and back-end API calls.

Note: If an API call requires an API Secret, it should be called from the back end. Otherwise, the API call can also be used on the front end.

Passkey MFA APIs Flow

Stage                   API                                                   Purpose
Register Begin          POST /account/2fa/passkey/register/begin              Start passkey setup
Register Finish         POST /account/2fa/passkey/register/finish             Complete passkey registration
Verify Begin            POST /login/2fa/passkey/verify/begin                  Start passkey login verification
Verify Finish           POST /login/2fa/passkey/verify/finish                 Complete passkey authentication
Reset by Access Token   DELETE /auth/account/2fa/passkey/reset                User-initiated reset
Reset by UID            DELETE /manage/account/2fa/passkey/reset/{uid}        Admin-initiated reset

Passkey MFA Registration Flow

You can register a passkey for MFA in two ways, depending on which token is available:

A. Using Access Token

Begin Registration

GET /identity/v2/auth/login/2fa/register/passkey/begin
Query Params:
apikey=<API_KEY>
secondfactorauthenticationtoken=<2FA_TOKEN>

Finish Registration

POST /identity/v2/auth/account/2fa/register/passkey/finish
Query Params:
apikey=<API_KEY>
access_token=<ACCESS_TOKEN>
Body:
{
  "PasskeyCredential": {
    // Client-generated passkey credential object
  },
  "Email": [
    {
      "Type": "Primary",
      "Value": "user@example.com"
    }
  ]
}

B. Using SecondFactorAuthenticationToken

Begin Registration

GET /identity/v2/auth/login/2fa/register/passkey/begin
Query Params:
apikey=<API_KEY>
secondfactorauthenticationtoken=<2FA_TOKEN>

Finish Registration

POST /identity/v2/auth/login/2fa/register/passkey/finish
Query Params:
apikey=<API_KEY>
secondfactorauthenticationtoken=<2FA_TOKEN>
Body:
{
  "PasskeyCredential": {
    // Client-generated passkey credential object
  }
}

Passkey MFA Verification Flow

Used when a user is authenticating with a registered passkey after primary authentication.

Begin Verification

GET /identity/v2/auth/login/2fa/passkey/begin
Query Params:
apikey=<API_KEY>
secondfactorauthenticationtoken=<2FA_TOKEN>

Finish Verification

POST /identity/v2/auth/login/2fa/passkey/finish
Query Params:
apikey=<API_KEY>
secondfactorauthenticationtoken=<2FA_TOKEN>
Body:
{
  "PasskeyCredential": {
    // Client-generated passkey response
  }
}
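The following browser-side code is an added example and is not part of the LoginRadius documentation or SDK. It ties together the workflow above: it reads IsPasskeyAuthenticatorVerified from the SecondFactorAuthentication object to pick registration (flow B, using the SecondFactorAuthenticationToken) or verification, calls the begin endpoint, hands the returned options to the WebAuthn API, and posts the serialized credential to the finish endpoint. Several details are assumptions rather than facts from this page: that the begin endpoints return WebAuthn options whose binary fields (challenge, user.id, credential ids) are base64url strings, that the finish endpoints accept the serialized PublicKeyCredential under "PasskeyCredential", and that the 2FA token is exposed on the login response as SecondFactorAuthentication.SecondFactorAuthenticationToken. The fetch and credentials objects are injected so the flow can be exercised with fakes.

```javascript
// Added example, not LoginRadius code. Assumed (not on the page): begin responses
// are WebAuthn option objects with base64url binary fields; finish accepts the
// serialized PublicKeyCredential as "PasskeyCredential"; the 2FA token lives at
// SecondFactorAuthentication.SecondFactorAuthenticationToken.
const API_BASE = "https://api.loginradius.com";

// atob/btoa are browser globals; fall back to Buffer when run under Node.
const atobImpl = typeof atob === "function" ? atob : (s) => Buffer.from(s, "base64").toString("binary");
const btoaImpl = typeof btoa === "function" ? btoa : (s) => Buffer.from(s, "binary").toString("base64");

// WebAuthn exchanges binary fields as base64url over JSON.
function base64urlToBuffer(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  const bin = atobImpl(b64);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out.buffer;
}

function bufferToBase64url(buf) {
  let bin = "";
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoaImpl(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decide the next step from the SecondFactorAuthentication object of the login response.
function nextPasskeyStep(loginResponse) {
  const sfa = loginResponse && loginResponse.SecondFactorAuthentication;
  if (!sfa) return "done"; // MFA was not triggered
  return sfa.IsPasskeyAuthenticatorVerified ? "verify" : "register";
}

function buildUrl(path, params) {
  const url = new URL(path, API_BASE);
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return url.toString();
}

async function callApi(fetchImpl, method, url, body) {
  const res = await fetchImpl(url, {
    method,
    headers: { "Content-Type": "application/json" },
    body: body === undefined ? undefined : JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`${method} ${url} failed with HTTP ${res.status}`);
  return res.json();
}

// Server options arrive as base64url; navigator.credentials wants ArrayBuffers.
function decodeIds(list) {
  return (list || []).map((c) => ({ ...c, id: base64urlToBuffer(c.id) }));
}
function toCreateOptions(o) {
  return { ...o, challenge: base64urlToBuffer(o.challenge),
           user: { ...o.user, id: base64urlToBuffer(o.user.id) },
           excludeCredentials: decodeIds(o.excludeCredentials) };
}
function toGetOptions(o) {
  return { ...o, challenge: base64urlToBuffer(o.challenge), allowCredentials: decodeIds(o.allowCredentials) };
}

// Reverse direction: serialize the PublicKeyCredential for the finish call.
function serializeCredential(cred) {
  const response = {};
  for (const f of ["clientDataJSON", "attestationObject", "authenticatorData", "signature", "userHandle"]) {
    if (cred.response[f]) response[f] = bufferToBase64url(cred.response[f]);
  }
  return { id: cred.id, rawId: bufferToBase64url(cred.rawId), type: cred.type, response };
}

// Registration, flow B: begin -> authenticator creates a credential -> finish.
async function registerPasskeyMfa({ apiKey, twoFaToken, fetchImpl, credentials }) {
  const q = { apikey: apiKey, secondfactorauthenticationtoken: twoFaToken };
  const options = await callApi(fetchImpl, "GET", buildUrl("/identity/v2/auth/login/2fa/register/passkey/begin", q));
  const cred = await credentials.create({ publicKey: toCreateOptions(options) });
  return callApi(fetchImpl, "POST", buildUrl("/identity/v2/auth/login/2fa/register/passkey/finish", q),
                 { PasskeyCredential: serializeCredential(cred) });
}

// Verification: begin -> authenticator signs the challenge -> finish.
async function verifyPasskeyMfa({ apiKey, twoFaToken, fetchImpl, credentials }) {
  const q = { apikey: apiKey, secondfactorauthenticationtoken: twoFaToken };
  const options = await callApi(fetchImpl, "GET", buildUrl("/identity/v2/auth/login/2fa/passkey/begin", q));
  const cred = await credentials.get({ publicKey: toGetOptions(options) });
  return callApi(fetchImpl, "POST", buildUrl("/identity/v2/auth/login/2fa/passkey/finish", q),
                 { PasskeyCredential: serializeCredential(cred) });
}

// Entry point after primary login: run whichever passkey step the response calls for.
async function completePasskeyMfa(loginResponse, deps) {
  const step = nextPasskeyStep(loginResponse);
  if (step === "done") return loginResponse;
  const twoFaToken = loginResponse.SecondFactorAuthentication.SecondFactorAuthenticationToken; // assumed field name
  const args = { ...deps, twoFaToken };
  return step === "register" ? registerPasskeyMfa(args) : verifyPasskeyMfa(args);
}
```

In a page script the call is `completePasskeyMfa(loginResponse, { apiKey, fetchImpl: (u, o) => fetch(u, o), credentials: navigator.credentials })`. Only the SecondFactorAuthenticationToken and API key ever leave the browser here; no API secret is involved in either flow, which is what allows both to run on the front end.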

Reset Passkey Authenticator

Used when a user wants to remove/reset their registered passkey.

  • Admin-Initiated Reset (using UID)
DELETE /identity/v2/auth/account/2fa/authenticator/passkey
Query Params:
apikey=<API_KEY>
apisecret=<API_SECRET>
uid=<USER_UID>

  • User-Initiated Reset (using Access Token)
DELETE /identity/v2/auth/account/2fa/authenticator/passkey
Query Params:
apikey=<API_KEY>
Headers:
Authorization: Bearer <ACCESS_TOKEN>
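As an added example (not LoginRadius code), the two reset calls above built as requests. The admin reset carries the API secret in its query string, so per the note in "Passkey API Implementation" it belongs on the back end; the user reset carries only the bearer access token and can be issued from the client. The helper also redacts the secret before a URL is logged, since a query-string secret otherwise ends up in access logs. The base URL and the Node fetch usage are assumptions.

```javascript
// Added example, not LoginRadius code. API_BASE is an assumption.
const API_BASE = "https://api.loginradius.com";
const RESET_PATH = "/identity/v2/auth/account/2fa/authenticator/passkey";

// Admin-initiated reset: apikey + apisecret + uid as query params (back end only).
function buildAdminResetRequest({ apiKey, apiSecret, uid }) {
  const url = new URL(RESET_PATH, API_BASE);
  url.searchParams.set("apikey", apiKey);
  url.searchParams.set("apisecret", apiSecret);
  url.searchParams.set("uid", uid);
  return { method: "DELETE", url: url.toString(), headers: {} };
}

// User-initiated reset: apikey as query param, access token as a bearer header.
function buildUserResetRequest({ apiKey, accessToken }) {
  const url = new URL(RESET_PATH, API_BASE);
  url.searchParams.set("apikey", apiKey);
  return { method: "DELETE", url: url.toString(), headers: { Authorization: `Bearer ${accessToken}` } };
}

// Replace the apisecret value so the URL can be logged without leaking the secret.
function redactSecrets(urlString) {
  const url = new URL(urlString);
  if (url.searchParams.has("apisecret")) url.searchParams.set("apisecret", "REDACTED");
  return url.toString();
}

// Refuse to build a secret-bearing request where browser globals are present.
function assertServerSide() {
  if (typeof window !== "undefined" || typeof document !== "undefined") {
    throw new Error("admin passkey reset must run on the back end; it carries the API secret");
  }
}

async function adminResetPasskey(params, fetchImpl) {
  assertServerSide();
  const req = buildAdminResetRequest(params);
  console.log("resetting passkey:", redactSecrets(req.url)); // log the redacted form only
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers });
  if (!res.ok) throw new Error(`passkey reset failed with HTTP ${res.status}`);
  return res.json();
}

async function userResetPasskey(params, fetchImpl) {
  const req = buildUserResetRequest(params);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers });
  if (!res.ok) throw new Error(`passkey reset failed with HTTP ${res.status}`);
  return res.json();
}
```

On the server, `adminResetPasskey({ apiKey, apiSecret, uid }, fetch)` is what an authenticated admin route would call; the browser side uses `userResetPasskey({ apiKey, accessToken }, (u, o) => fetch(u, o))` with the logged-in user's own access token.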