
Overview

📦 Since v25.10.0

What is PasskeyID?

PasskeyID links real-world identity to a passkey.

It allows identity to be verified at passkey creation, with the option to re-verify during authentication or step-up events, and records the verification result as an immutable audit record securely associated with the passkey. The result is a passkey whose use can be correlated with verifiable identity assurance.

PasskeyID provides the following benefits:

  • No PII or identity data storage
    Identity data is verified, hashed, and discarded. Only non-reversible proofs are retained.

  • Auditable
    All bindings and signatures are executed in secure hardware and recorded in tamper-proof audit logs.

  • Works with existing identity providers
    Works with multiple identity sources without changing your current providers.

  • Transparent to normal passkey authentication
    Regular passkey authentication works the same and identity assurance is added only when required.

In short, PasskeyID turns passkeys into identity-aware credentials that can be audited and trusted.

How PasskeyID Works

PasskeyID verifies a user’s identity before passkey creation and records the verification result as an immutable audit record within a secure environment. The bound identity proof can later be referenced during authentication, step-up events, or audits.

High-Level Flow
  1. A client begins a LoginID MFA session and provides a traceId that uniquely identifies the transaction.
  2. PasskeyID determines whether identity verification is required and whether an identity provider and/or verification webhook is configured.
  3. Identity verification occurs before passkey creation. PasskeyID supports two integration models:
    • Provider-Based Identity Verification (identity provider configured with LoginID)
      • PasskeyID orchestrates identity verification with the configured identity provider.
      • Provider result may be implicit or explicit, depending on the provider.
      • PasskeyID normalizes the provider result and sends it to the client’s secure webhook.
      • The webhook verifies, signs, and may approve or reject the identity result.
    • Webhook-Based Identity Witnessing (no identity provider configured)
      • PasskeyID does not perform identity proofing.
      • A minimal identity result is generated internally.
      • PasskeyID sends this result to the client’s configured secure webhook.
      • The webhook verifies, signs, and returns a policy decision.
      • The webhook’s response is authoritative.
  4. The normalized identity result is hashed and cryptographically signed as part of the webhook request.
  5. The final verification outcome is logged as an auditable, signed verification event associated with the passkey.
Info: LoginID does not perform identity proofing logic or make identity trust decisions itself. It orchestrates identity evaluation using configured providers and/or verification webhooks, and records cryptographically verifiable audit results.

Identity Verification Modes

PasskeyID supports both implicit and explicit identity verification, depending on the client’s chosen identity provider(s). Both produce the same outcome: a passkey with a strong associated identity audit. The difference lies in how the identity proof is obtained.

Implicit

In the implicit model, identity verification happens automatically without asking the user to do anything. This is common when the identity provider can verify the user based on certain signals, such as:

  • Phone number + carrier-backed identity (e.g., Silent Network Authentication / SNA)
  • Device or SIM-based identity

User experience:
No additional screens or checks. The passkey creation experience is identical to normal passkey flows.

Explicit

In the explicit model, identity verification requires the user to actively complete a proofing step during the MFA session. This is typically the case when using identity providers like:

  • CLEAR
  • Alice
  • iProov
  • Other liveness / document-scanning providers

User experience:
An identity verification flow appears and must be completed, within the same LoginID session, before the passkey is created. The exact flow depends on which identity provider(s) are currently configured.

Webhook-Based Identity Approval

When PasskeyID performs identity verification, it may invoke a server-to-server webhook to verify and attest to the identity result.

This webhook can be used with or without an external identity provider.

  • Identity data is normalized and bundled with a traceId.
  • The bundle is hashed and cryptographically signed (JWS) by PasskeyID within a secure environment.
  • The signed identity bundle is sent to the application’s configured verification webhook.
  • The webhook programmatically verifies and approves or rejects the identity result.
  • Based on the webhook response:
    • Approval allows passkey creation and identity binding to proceed.
    • Rejection results in identity failure and aborts the flow.

No PII is stored by PasskeyID. Identity data is discarded after verification and webhook processing completes.

Current Supported Identity Providers

You configure your identity provider(s) at the application level in the Developer Dashboard. Once enabled, LoginID will invoke the provider during the passkey creation step of an MFA session.

Currently supported list:

  • Prove - including support for Silent Network Authentication (SNA)

The next section walks through configuring your identity provider and setting up the required secure webhook used for identity approval and binding.