Can I do a step up authentication with WebAuthn/passkeys?

dan

Can I do a step up authentication with WebAuthn/passkeys? I want to build this into my app for protecting some sensitive data.

dan

We have an open issue to make passkeys one of the supported MFA methods.

But you can perform a step up passkey challenge using the APIs or the SDKs by doing the following:

• User tries to access a restricted resource
• Customer app sees if the user has already been granted access (via the presence of a cookie, or some other mechanism).
  • If they have, let them through.
• If the user hasn’t been granted access, perform a webauthn assertion workflow
• Call the /api/webauthn/start to get the workflow started
• Interact with the authenticator to produce the signature and whatever other information is needed. This is authenticator-specific.
• Call the /api/webauthn/assert to complete the workflow and prove possession of the authenticator
• If the workflow is successful
  • Write a cookie or whatever if you want to remember this permission
  • Let the user through
• If the workflow isn’t successful
  • Deny access

If someone doesn't have a passkey enabled, which you can check by calling the /api/webauthn?userId={userId} API, direct them to the self-service account management passkey management pages.

Here are the API docs for the webauthn API.