Customer Support
There are a few ways to help ensure customers are set up for success with regard to passkeys. You can use FAQ pages, a contact us option, videos, or a website.
Web-based FAQ examples
The following is a list of questions and answers you might want to provide for your customers. This list does not cover every customer need, so it is best practice to examine what your customers need and add questions and answers accordingly.
What is a passkey?
Passkeys provide fast, easy, and secure sign-in to websites and apps across your devices. Unlike passwords, passkeys are resistant to phishing, are always strong, and are designed so that there are no shared secrets between the credential manager and the website or app.
Is my biometric information safe?
Yes. Biometric information and processing stays on your device and is never sent to any remote server. The server only sees that the biometric check was successful.
Why are passkeys better than password + second factor?
Passkeys are FIDO credentials, and stand alone as a more secure solution than the combination of either password + OTP or password + phone approval.
For years, passwords have been subject to phishing attacks and credential stuffing attacks, due to the prevalence of password reuse and database breaches. The most popular forms of second factors — such as one time passwords (OTPs) and phone approvals — are both inconvenient and insecure. They can be phished, and they are being phished at scale today.
Is it unsafe for passkeys to leave the device and be synced to other devices?
Passkey syncing is end-to-end encrypted and sync providers have strong account security protections. Phishing resistance is achieved at sign-in whether the cryptographic keys are bound to hardware or not. With passkey-only authentication, there are no passwords to steal.
What is the availability of passkeys across various OS platforms?
Built-in passkeys that automatically synchronize to all of your devices are becoming more widely available.
- Apple announced support for iOS 16 in Sep 2022, and for iPadOS 16 and macOS Ventura in Oct 2022.
- Google announced support for Android starting October 2022 and plans passkey support in ChromeOS by 2023.
- Microsoft announced passkey support for Windows Insider builds and is expected to deliver broader passkey support later in 2023 and throughout 2024.
Most platforms already support sign-in with a passkey from a nearby device such as a mobile phone or security key. These include:
- Microsoft Edge and Google Chrome on Windows
- Edge, Safari and Google Chrome on macOS
- ChromeOS
Please also see the next two questions for more information. Passkeys are accessed using the same WebAuthn API which has been available across all the platforms and browsers since 2018. The cross-device sync of passkeys is managed transparently by the OS.
How does a passkey become available across my devices?
Many devices now offer a feature to sync passkeys on your devices through your cloud account. Passkey syncing is end-to-end encrypted. When you create a passkey, you can then use the passkey on all devices where you use that account. Even if you get a new device, your passkeys will sync once you have signed in to your cloud account.
How do I sign in if a passkey for the service provider is not already available on the device?
This option varies by service provider. Options can include using another device or a security key to log in. When you log in on a device you have not used a passkey with before, you should see a prompt that guides you through what to do next.
What security is in place when I perform a FIDO Device On Board (FDO) sign-in on a nearby device using Bluetooth?
The FIDO Cross-Device Authentication flow, which leverages CTAP 2.2, uses Bluetooth Low Energy (BLE) to verify physical proximity, but does not depend on Bluetooth security properties for the actual security of the sign-in. The CTAP transport, named hybrid, uses an additional layer of standard cryptographic techniques — on top of standard Bluetooth security properties — to protect data.
Are passkeys considered multi-factor authentication?
Yes, authentication with passkeys embodies the core principle of multi-factor security. Passkeys are kept on a user’s devices (something the user has) and, if the service provider requests User Verification, can only be exercised by the user with a biometric or PIN (something the user is or knows).
You might be concerned that a passkey could be made available to an attacker through a single factor (say, a password) from the account platform vendor. In practice, however, this is not usually the case: platform vendors consider multiple signals beyond the user’s password, some visible to the user and some not, when authenticating users and restoring passkeys to their devices.
Note that some regulatory authorities have yet to evolve to recognize passkeys as one of the officially listed forms of multi-factor. This is an area of active engagement for the FIDO Alliance.
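For implementers, an added example (not part of the original FAQ and not FIDO Alliance code): a relying-party check of the WebAuthn authenticator data flags, showing how a server confirms that User Verification was performed and whether the passkey is synced. The RP ID "example.com" and the sample bytes are constructed; signature and challenge verification are separate steps and are assumed to have already passed.

```python
import hashlib
import struct

# Bits of the authenticator data flags byte defined by WebAuthn.
UP = 0x01  # user present
UV = 0x04  # user verified (biometric or PIN succeeded on the device)
BE = 0x08  # backup eligible (credential may be synced)
BS = 0x10  # backup state (credential is currently backed up)


def check_authenticator_data(auth_data: bytes, rp_id: str, require_uv: bool = True) -> dict:
    """Parse the fixed 37-byte header and enforce the relying party's policy."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    # Layout: 32-byte SHA-256 of the RP ID, 1 flags byte, 4-byte big-endian counter.
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch: assertion was made for another RP")
    if not flags & UP:
        raise ValueError("user presence flag not set")
    if require_uv and not flags & UV:
        raise ValueError("user verification required but not performed")
    if flags & BS and not flags & BE:
        raise ValueError("backup state set on a credential that is not backup eligible")
    return {
        "user_verified": bool(flags & UV),    # possession plus biometric/PIN
        "backup_eligible": bool(flags & BE),  # synced passkey vs. single-device
        "backed_up": bool(flags & BS),
        "sign_count": sign_count,
    }


def build_sample(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed authenticator data header, for demonstration only."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)


if __name__ == "__main__":
    synced = build_sample("example.com", UP | UV | BE | BS)
    print(check_authenticator_data(synced, "example.com"))
    key_no_uv = build_sample("example.com", UP, sign_count=7)
    print(check_authenticator_data(key_no_uv, "example.com", require_uv=False))
```
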
How can I switch to a new mobile platform as the sign-in device (for example, from Android to iOS or vice versa)?
If you still have your old device (for example, iOS), you can use the passkey to sign in to the account on your new device (for example, Android). After you sign in, you can create a passkey for the new device. If you have a security key, you can use it to securely authenticate on the new device.
If you do not have the old device or a security key, you can use the account recovery steps to sign in.
Can FIDO security keys support passkeys?
Yes. FIDO Security Keys support single-device passkeys. All client platforms and browsers have native support to exercise security keys.
Contact us option
Provide a way for customers to get help with passkeys via email, chat, or phone.