
Prerequisites

Before you can enable passkeys for a database connection, you must complete the following prerequisites. On your tenant, you must: On your database connection, you must: Database connections with passkeys enabled must also still have passwords enabled. This ensures users can continue to access their accounts from browsers and older devices that may not yet support passkeys.

Use your own database without user import enabled (Early Access)

Passkey authentication now supports using your own database without user import enabled. This lets you offer passkey authentication on custom database connections while continuing to authenticate users against your external user store. As a prerequisite, you must update the Get User and Create database action scripts to support user handling by both identifier and user_id.
Passkey support for using your own database without user import enabled is currently in Early Access. By using this feature, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement. To learn more about Auth0’s product release cycle, read Product Release Stages.
  1. First, confirm that user import is disabled for your database connection.
  2. Enable context object support. This makes the context parameter available in your database action scripts, which is necessary to support both identifier and user_id lookups.
  3. The Get User script must support both lookup by identifier (context.identifierType is not set) and lookup by user ID (context.identifierType is set to user_id). Update your Get User database action script from getByEmail to the provided getUser function:
    Example Get User script, updated from getByEmail to getUser, with the email attribute enabled
    function getUser(identifierValue, context, callback) {
        const axios = require('axios');

        // Determine the lookup type from context: unset means lookup by
        // identifier (email here); 'user_id' means lookup by user ID
        const identifierType = context.identifierType || 'email';

        // Replace with your external user retrieval endpoint. The identifier
        // comes from the login form, so percent-encode it before placing it in the path
        const url = configuration.baseAPIUrl
                    + `/get_user/${encodeURIComponent(identifierValue)}?type=${identifierType}`;

        axios.get(url)
            .then(response => {
                // Return the user object if found
                const user = response.data;
                return callback(null, {
                    user_id: user.user_id,
                    email: user.email
                    // Optionally include other user attributes
                });
            })
            .catch(error => {
                // A 404 means the user does not exist: report "not found" with callback(null).
                // Any other failure (timeout, 5xx, bad config) is an error and must not
                // be reported as "not found"
                if (error.response && error.response.status === 404) {
                    return callback(null);
                }
                return callback(error);
            });
    }

  4. The Create script must return a valid user profile. When attributes are enabled, the returned user profile must follow the same validation as the Login and Get User scripts. When attributes are not enabled, the returned user profile must include the user_id value. Update your Create database action script to return a valid user profile:
    Example Create script changes with the email attribute enabled
    function create(user, callback) {
        const axios = require('axios');

        // Replace with your external user creation endpoint
        const url = 'https://example.com/api/create';

        const payload = {
            email: user.email
            // Add other user properties as needed
        };

        axios.post(url, payload)
            .then(response => {
                // Return the created user's profile; user_id is always required,
                // and email is required here because the email attribute is enabled
                const createdUser = response.data;

                return callback(null, {
                    user_id: createdUser.user_id,
                    email: createdUser.email
                    // Optionally include other user attributes
                });
            })
            .catch(error => {
                // Handle error response
                return callback(error);
            });
    }


Configure passkeys

Once you complete the prerequisites, you can use the Auth0 Dashboard to enable and configure passkeys.
1. Open passkey configuration

Go to Authentication > Database and select the name of the database connection you want to edit. Select the Authentication Methods tab. Then, in the Passkey section, select Configure to open the Passkey panel. If it isn’t already checked, check Enable passkeys.
2. Choose passkey authentication UI

The passkey authentication UI determines how users can trigger passkey authentication during login and sign-up. In the Passkey Authentication UI section, choose one of the three options:

  Passkey button & autofill: Users can authenticate with passkeys using either autofill or the passkey button.
  Autofill: Users must log in with their browser’s autofill feature to use passkeys. Autofill allows users to select a saved account from a dropdown menu instead of manually entering their credentials.
  Passkey button: Users must select the Continue with a passkey button on the login prompt.

If autofill is not available in the user’s browser, users can log in using the passkey button (if enabled) or using password credentials.
3. Enable progressive enrollment (optional)

Progressive enrollment prompts users to create a passkey (if they have not done so already) after logging in with an identifier and password. This step is not required, and users can choose to delay this action every 30 days. Progressive enrollment can be useful when migrating users to passkeys to help them transition between authentication methods.
When creating an account through an Organization invitation email, users cannot choose passkey authentication. You can enable progressive enrollment so these users can create passkeys after logging in with a password.
The Progressive Enrollment checkbox is checked by default, but you can uncheck it to disable it.
4. Enable local enrollment (optional)

When a passkey user logs in to a new device using a cross-device passkey, local enrollment prompts them to create a local passkey on the new device. This is not required, so users can choose to skip creating a local passkey. The Local Enrollment checkbox is checked by default, but you can uncheck it to disable it.
5. Save settings

Click Save to save your configuration changes. If the Save button is disabled, use the Passkey Authentication Prerequisites section at the top of the Passkey panel to confirm that your tenant and database connection are configured correctly.

Next steps

To ensure the best experience for end users when using passkeys, you may want to consider the following additional steps.

Configure a custom domain

When a user enrolls a passkey, the passkey is bound to the domain it was created on. If the domain name changes, any passkeys bound to the old domain become invalid. Consider configuring a custom domain for your tenant before enabling passkeys to avoid interruptions for end users.
If you have Multiple Custom Domains enabled on your tenant, Auth0 maintains a one-to-one relationship between a domain and the passkey for that domain. Users can enroll a passkey for only one domain (the first one they enroll with) of the multiple custom domains on the tenant. For passwordless login, the selected custom domain should be reflected in the Magic Link for the passwordless login flow.

Bypass multi-factor authentication

If you have multi-factor authentication enabled, the default behavior is to require the completion of an MFA challenge regardless of whether the authentication method was a password or a passkey. Given the high level of security that passkeys provide, you can skip MFA for passkey authentication using a post-login Action.
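As an added example (not Auth0's own sample and not part of this page), the following post-login Action keeps the MFA challenge for password logins and skips it when the session was established with a passkey. It assumes that the Actions runtime reports a passkey login as an entry with name 'passkey' in event.authentication.methods and that api.multifactor.enable() is the call that requires MFA for the current transaction; verify both against the Actions event and API reference before deploying. The shouldRequireMfa and runWithFakeApi helpers and the sample events are constructed for this example.

```javascript
// Added example, not Auth0's sample code: post-login Action that requires MFA
// unless the login already completed with a passkey.
// Assumptions: passkey logins appear as { name: 'passkey' } in
// event.authentication.methods, and api.multifactor.enable() requires MFA.

const PASSKEY_METHOD = 'passkey'; // assumed method name; check the Actions event reference

// Pure decision, kept apart from the Action entry point so it can be unit-tested.
// Returns true when this login should still get the MFA challenge.
function shouldRequireMfa(event) {
  const methods = (event && event.authentication && Array.isArray(event.authentication.methods))
    ? event.authentication.methods
    : [];
  const usedPasskey = methods.some(m => m && m.name === PASSKEY_METHOD);
  // Fail closed: a password login, an empty list or a malformed event all keep MFA on.
  return !usedPasskey;
}

async function onExecutePostLogin(event, api) {
  if (shouldRequireMfa(event)) {
    // 'any' lets the user satisfy the challenge with any enrolled factor;
    // allowRememberBrowser: false makes the decision per login instead of cached
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
}
exports.onExecutePostLogin = onExecutePostLogin;

// Constructed sample events (shape follows the Actions event object).
const SAMPLE_PASSKEY_LOGIN = {
  authentication: { methods: [{ name: 'passkey', timestamp: '2024-01-01T00:00:00.000Z' }] },
};
const SAMPLE_PASSWORD_LOGIN = {
  authentication: { methods: [{ name: 'pwd', timestamp: '2024-01-01T00:00:00.000Z' }] },
};

// Stand-in for the api object so the Action can be exercised without Auth0.
// Returns the list of multifactor.enable calls the Action made for this event.
function runWithFakeApi(event) {
  const calls = [];
  const api = { multifactor: { enable: (provider, options) => calls.push({ provider, options }) } };
  onExecutePostLogin(event, api); // nothing is awaited inside, so the body completes synchronously
  return calls;
}
```

Note that with the "Passkey button & autofill" or "Passkey button" UI options a user can still fall back to a password, and that path keeps the MFA challenge: the bypass applies only to logins whose methods list actually contains the passkey entry.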