Posted by Amy Zepenfeld – Developer Relations Engineer
Passkeys are leading the charge to a more secure future without passwords. Passkeys are a new type of cryptographic credential built on FIDO2 and WebAuthn that provides a phishing-resistant, user-friendly, easy-to-implement authentication method that is more secure than password-based authentication. Most major operating systems and browsers now have full passkey support. Passkeys are expected to replace passwords as the primary authentication method in the not-too-distant future, and developers are encouraged to start implementing passkey-enabled authentication solutions today.
When implementing passkeys in your application or web service, take a moment to implement the passkey endpoints well-known URL.
This is a standard way to advertise your support for passkeys and improve the user experience. This well-known URL allows third-party services such as password managers, passkey providers, and other security tools to direct users to register and manage their passkeys for any site that supports them. You can use app links or deep linking with the passkey-endpoints well-known URL to make these pages open directly in your application.
The use of password management tools is constantly increasing, and we expect most vendors to integrate passkey management as well. You can allow third-party tools and services to direct your users to your passkey management page by implementing the passkey-endpoints well-known URL.
The best part is that in most cases you can implement this feature in two hours or less! All you need to do is host a simple schema on your site. Consider the following example:
- For the web service at https://example.com, the well-known URL would be https://example.com/.well-known/passkey-endpoints
- When the URL is requested, the response should use the following schema:
{ |
Note: You can choose the exact values of the URLs for both sign-up and manage depending on your website configuration.
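As an added example (not code from the original post), here is how a password manager or a site's own CI check could validate a passkey-endpoints response before following its links. The member names `enroll` and `manage` are the ones defined in the passkey endpoints explainer; the sample paths, the helper names, and the policy of accepting only HTTPS links on the same site are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/passkey-endpoints"
LINK_MEMBERS = ("enroll", "manage")  # member names from the passkey endpoints explainer
# Constructed sample response for https://example.com (the paths are made up).
SAMPLE = (
    '{"enroll": "https://example.com/account/passkeys/create", '
    '"manage": "https://example.com/account/passkeys"}'
)


def well_known_url(site_origin: str) -> str:
    """Build the well-known URL for an origin such as https://example.com."""
    parts = urlsplit(site_origin)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("site origin must be an https:// origin")
    return f"https://{parts.netloc}{WELL_KNOWN_PATH}"


def _check_link(name: str, value, site_host: str) -> str:
    if not isinstance(value, str):
        raise ValueError(f"{name}: expected a string URL")
    url = urlsplit(value)
    if url.scheme != "https" or not url.hostname:
        raise ValueError(f"{name}: must be an absolute https URL")
    if url.username is not None or url.password is not None:
        raise ValueError(f"{name}: URL must not embed credentials")
    host = url.hostname.lower()
    # Policy assumed by this example: only follow links that stay on the site.
    if host != site_host and not host.endswith("." + site_host):
        raise ValueError(f"{name}: {host} is outside {site_host}")
    return value


def parse_passkey_endpoints(body: str, site_origin: str) -> dict:
    """Return the validated links found in a passkey-endpoints response body."""
    site_host = urlsplit(site_origin).hostname.lower()
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    if not isinstance(doc, dict):
        raise ValueError("top-level value must be a JSON object")
    links = {k: _check_link(k, doc[k], site_host) for k in LINK_MEMBERS if k in doc}
    if not links:
        raise ValueError("document offers neither enroll nor manage")
    return links
```

Rejecting off-site, non-HTTPS, and credential-bearing links keeps a tampered or misconfigured document from sending users to a page that is not the site's real passkey management screen.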
If you have a mobile app, we strongly recommend that you use deep links so that these URLs open the corresponding “register” or “set” passkeys screen directly in your app. This will keep your users focused and on track to sign up for passkeys.
And that’s it!
More details and examples can be found in the passkey endpoints well-known URL explainer.