Get started with passkeys
People must first create a passkey before they can sign in with it. While there are many moments throughout the customer journey where passkeys can add value, these two patterns create a successful foundation for every long-term passkey strategy.
Create, view, and manage passkeys in account settings
Allow people to create, see, and manage passkeys in the account settings area of the digital service.
Sign in with a passkey
Allow people to sign in with a passkey and gracefully fall back to other methods.
Optional patterns
There are many use cases and moments throughout the customer journey to create and use passkeys. The moments where you choose to enable passkey support will vary depending on your unique business needs. Use the optional patterns to expand and refine your implementation of passkeys over time.
Create a passkey during account recovery due to forgot password
Allow people to create a passkey instead of or in addition to a new password.
Cross-device sign-in
Allow people to sign in on a device that does not have a passkey (laptop/desktop) using a second device that does (mobile device).
Deprecate SMS OTP
Allow people to create a passkey to replace passwords plus SMS OTP authentication.
Introduce passkeys in email and other communications
Introduce and educate people about passkeys with a priming email that is clear and concise to promote adoption.
Passkey management UI: best practices for combining all passkey types
Learn how to properly set up the management UI for passkeys on devices and passkeys on security keys.
New account creation with a passkey
Allow people to create new accounts with a passkey (no password).
Remove passkeys from account settings
Allow people to remove a passkey from their account’s settings.
Use passkeys created on web to sign into mobile app
Allow people to use the same passkey to sign in to their accounts across websites and native mobile apps.
2022: Patterns for passkeys on security keys
Originally published in 2022 and prior to passkeys, these patterns provide the user experience (UX) guidelines and best practices for relying parties and implementers seeking to enable multi-factor authentication (MFA) with FIDO security keys as a second factor, based on a regulated industry (e.g., banking or healthcare) use case. These guidelines aim to accelerate decision-making during FIDO implementation and specify what information and controls should be given to users. Note that these UX recommendations are optimized for browser-based sites accessed on desktop/laptop computers, rather than mobile apps or mobile web. The guidelines do not, however, include recommendations about security policies or account recovery.
Awareness of passkeys on security keys
Enroll passkeys on security keys