Passkey Credential Information

Enterprise Deployment

This feature is available for Enterprise deployments only. If you’d like to get started, please contact support@loginid.io for further details.

When an MFA flow is completed using a passkey, the resulting MfaSessionResult may include a passkeyCredential object.

This feature is available in the LoginID MFA and Wallet Checkout SDKs.

The passkeyCredential object provides information about the passkey involved in the completed MFA step, including passkey metadata and the WebAuthn authenticator assertion or authenticator attestation result.

Enterprise customers can use this information for auditing, custom device analysis and reporting.

Passkey Credential

The passkeyCredential field is only present when the completed MFA step involved a passkey.

const result = await lid.performAction("passkey:auth");

// passkeyCredential is only set when the completed step involved a passkey.
if (result.isComplete) {
  console.log(result.passkeyCredential);
}

Data Availability

The information returned in passkeyCredential depends on the browser, operating system, authenticator, and passkey provider used during authentication.

Some fields may be unavailable and omitted from the response even when a passkey authentication or creation succeeds.

Passkey Authentication Example

When a passkey is used for authentication, assertionResult is populated.

{
  "isComplete": true,
  "accessToken": "<access-token>",
  "passkeyCredential": {
    "passkeyId": "5JQA0AK985CO0782LP8CLE43",
    "aaguid": "ea9b8d66-4d01-1d21-3ce4-b6b48cb575d4",
    "publicKey": "wDUH6JkyU7SMswFPjyqEvhMB5GlhtqzS1VtfM/91Y...",
    "assertionResult": {
      "clientDataJSON": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo...",
      "authenticatorData": "ix523n3XniH01jM4CIuOn1z0Jw6QbRATXYOsCUyQN...",
      "credentialId": "2aChi2dALRLdVP5i/zKr7yvMrP8FIy7MK4lbyUsjO...",
      "signature": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo..."
    }
  }
}

Passkey Creation Example

When a new passkey is created during MFA, creationResult is populated.

{
  "isComplete": true,
  "accessToken": "<access-token>",
  "passkeyCredential": {
    "passkeyId": "5JQA0AK985CO0782LP8CLE43",
    "aaguid": "ea9b8d66-4d01-1d21-3ce4-b6b48cb575d4",
    "publicKey": "wDUH6JkyU7SMswFPjyqEvhMB5GlhtqzS1VtfM/91Y...",
    "creationResult": {
      "attestationObject": "5lvuZBkX1w7/0+XKcldttzA7vTwilEq3qnnXSq/a0...",
      "clientDataJSON": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo...",
      "credentialId": "2aChi2dALRLdVP5i/zKr7yvMrP8FIy7MK4lbyUsjO...",
      "publicKey": "wDUH6JkyU7SMswFPjyqEvhMB5GlhtqzS1VtfM/91Y...",
      "publicKeyAlgorithm": -8,
      "transports": ["internal"]
    }
  }
}

Access Token Claims

When Passkey Credential Information is enabled, LoginID can also include passkey-related information as claims in the generated LoginID access token.

Enterprise customers can decode and validate the access token to retrieve information about the passkey used during registration or authentication.

Available Claims

| Claim | Description |
| --- | --- |
| publicKey | Base64URL-encoded WebAuthn credential public key associated with the passkey. |
| deviceId | LoginID device identifier associated with the credential, when available. |
| attestationData | Base64URL-encoded JSON representation of the WebAuthn attestation result generated during passkey creation. |
| assertionData | Base64URL-encoded JSON representation of the WebAuthn assertion result generated during passkey authentication. |

Authentication Example

When a user authenticates using a passkey, the access token may contain the following claims:

{
  "sub": "PFEPLBWCX0BF3GVO9S6JBIMV1",
  "passkeyID": "5JQA0AK985CO0782LP8CLE43",
  "publicKey": "wDUH6JkyU7SMswFPjyqEvhMB5GlhtqzS1VtfM_91Y...",
  "deviceId": "01JV4Y9YX1J9A2F4MWY8QK2K8D",
  "assertionData": "eyJjbGllbnREYXRhSlNPTiI6IlV4YXluc0NZZH..."
}

The assertionData claim contains a Base64URL-encoded JSON representation of the authenticator assertion result.

After decoding the value, the payload resembles:

{
  "clientDataJSON": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo...",
  "authenticatorData": "ix523n3XniH01jM4CIuOn1z0Jw6QbRATXYOsCUyQN...",
  "credentialId": "2aChi2dALRLdVP5i_zKr7yvMrP8FIy7MK4lbyUsjO...",
  "signature": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo..."
}
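
The following is an added example, not part of the LoginID documentation or SDK: one way to turn an assertion result into an audit record on a Node.js backend, working from either the decoded assertionData claim or passkeyCredential.assertionResult. It assumes the access token signature has already been verified and that authenticatorData and clientDataJSON are Base64-encoded raw WebAuthn structures; the function names and sample values are constructed for illustration.

```javascript
// Added example, not LoginID code. Node.js; token signature assumed already verified.
// The page's SDK samples use the "+/" alphabet and the claims use "-_": accept both.
const b64 = (s) => Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
const b64url = (v) => Buffer.from(v).toString("base64url"); // only builds the sample

// WebAuthn authenticator data: rpIdHash(32) | flags(1) | signCount(4, big-endian) | ...
function parseAuthenticatorData(buf) {
  if (buf.length < 37) throw new Error("authenticatorData shorter than 37 bytes");
  const flags = buf[32];
  return {
    rpIdHash: buf.subarray(0, 32).toString("hex"),
    userPresent: (flags & 0x01) !== 0,
    userVerified: (flags & 0x04) !== 0,
    backupEligible: (flags & 0x08) !== 0, // credential can be synced
    backedUp: (flags & 0x10) !== 0,       // credential is currently synced
    signCount: buf.readUInt32BE(33),
  };
}

// Audit record for an assertion result (SDK object or decoded claim). The platform
// may omit fields, so gaps are listed in `missing` instead of throwing.
function auditAssertion(assertion, expectedRpIdHashHex) {
  const record = { missing: [] };
  if (assertion.authenticatorData) {
    Object.assign(record, parseAuthenticatorData(b64(assertion.authenticatorData)));
    record.rpIdMatches = record.rpIdHash === expectedRpIdHashHex; // hex SHA-256 of RP ID
  } else record.missing.push("authenticatorData");
  if (assertion.clientDataJSON) {
    const cd = JSON.parse(b64(assertion.clientDataJSON).toString("utf8"));
    Object.assign(record, { type: cd.type, origin: cd.origin });
  } else record.missing.push("clientDataJSON");
  return record;
}

// Decode the assertionData claim (Base64URL-encoded JSON), then audit it.
function auditFromClaims(claims, expectedRpIdHashHex) {
  if (!claims.assertionData) return { missing: ["assertionData"] };
  const assertion = JSON.parse(b64(claims.assertionData).toString("utf8"));
  return auditAssertion(assertion, expectedRpIdHashHex);
}

// Constructed sample: placeholder rpIdHash (32 x 0xab), flags 0x1d, signCount 7.
const SAMPLE_RP_HASH = "ab".repeat(32);
const sampleAuthData = Buffer.concat([Buffer.alloc(32, 0xab), Buffer.from([0x1d, 0, 0, 0, 7])]);
const sampleAssertion = {
  authenticatorData: b64url(sampleAuthData),
  clientDataJSON: b64url(JSON.stringify({ type: "webauthn.get", origin: "https://example.com" })),
};
const SAMPLE_CLAIMS = { assertionData: b64url(JSON.stringify(sampleAssertion)) };
console.log(auditFromClaims(SAMPLE_CLAIMS, SAMPLE_RP_HASH));
```

The backupEligible and backedUp flags are what separate a synced passkey from a device-bound one in reporting, and a record with a non-empty missing list should be logged as partial rather than treated as a failed authentication.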

Registration Example

When a new passkey is created, the access token may contain attestation information.

{
  "sub": "PFEPLBWCX0BF3GVO9S6JBIMV1",
  "passkeyID": "5JQA0AK985CO0782LP8CLE43",
  "publicKey": "wDUH6JkyU7SMswFPjyqEvhMB5GlhtqzS1VtfM_91Y...",
  "deviceId": "01JV4Y9YX1J9A2F4MWY8QK2K8D",
  "attestationData": "eyJhdHRlc3RhdGlvbk9iamVjdCI6IjVsdnVaQmtY..."
}

The attestationData claim contains a Base64URL-encoded JSON representation of the authenticator attestation result.

After decoding the value, the payload resembles:

{
  "attestationObject": "5lvuZBkX1w7_0-XKcldttzA7vTwilEq3qnnXSq_a0...",
  "clientDataJSON": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo...",
  "credentialId": "2aChi2dALRLdVP5i_zKr7yvMrP8FIy7MK4lbyUsjO...",
  "publicKey": "wDUH6JkyU7SMswFPjyqEvhMB5GlhtqzS1VtfM_91Y...",
  "publicKeyAlgorithm": -8,
  "transports": ["internal"]
}