Passkeys (WebAuthn)

Customize your WebAuthn authentication flow from the Descope console (Settings > Authentication Methods > Passkeys).

Passkeys, in the context of WebAuthn, let you authenticate end users with the strong authenticators that are now often built right into their devices: platform biometrics (fingerprint, facial, or iris recognition) and physical security keys such as those provided by Yubico, CryptoTrust, or Thedis.

Settings Summary

All Settings

Setting | Details
Top Level Domain | The domain (and all of its subdomains) from which end users can add and use passkey (biometric) authentication
Enable method in API and SDK | Toggle that enables or disables this authentication method for use through the API and SDKs

Additional Details

This section describes additional details about the configuration options available.

Top Level Domain

The top level domain configured for Passkeys (WebAuthn) restricts where end users can log in with this method; it corresponds to the WebAuthn relying party ID (RP ID) that each passkey is bound to. The configured domain applies to the top level domain and all of its subdomains. By default, Descope derives the top level domain from the request origin.

Changing the top level domain in the Descope console for Passkeys (WebAuthn) can invalidate existing users if the new domain does not match the domain under which their passkeys were created: a passkey is bound to the domain it was registered on and cannot be used from a different one. Users who signed up via passkeys (WebAuthn) and have no other verified authentication method will no longer be able to log in; to remediate this, the affected users must be deleted and recreated. Users with other verified authentication methods can still sign in with those methods; when they next sign in via WebAuthn, a new WebAuthn credential will be registered for the new domain.

Domain Specific Passkeys

Descope's passkey implementation is domain-specific, which means that passkeys are tied to the domain where they were created. In scenarios where multiple applications on different domains share the same Descope project, you can use the user.webAuthn key in a flow condition to decide whether to prompt for a passkey. Descope checks whether a valid passkey exists for the specific domain the user is currently on; if the condition evaluates to true, a passkey is stored for the current domain. A passkey created on another domain does not satisfy the check.


Physical Keys

Descope's passkey implementation also supports physical security keys (roaming hardware authenticators). For more details, see the physical keys documentation.
