Troubleshoot Education for End Users
This page offers troubleshooting tips for end user education challenges related to the implementation of support for passkeys.
Educate people on what to do if their device is lost or stolen
Passkeys are new and some people might not know what to do if they lose a device that contains their passkeys. Passkeys are new and some people might not know what to do if they lose a device that contains their passkeys.
Steps to reproduce
- Create passkeys on a security key, phone, or laptop computer.
- Imagine the security key, phone, or laptop with the passkey has been lost or stolen.
Guidance
Possible end user concerns about lost or stolen devices:
- How to regain access to the service.
- How to prevent unauthorized use of the passkeys that have been lost or stolen.
When using passkeys on security keys, the policy for lost or stolen security keys is defined by the relying party and their account recovery process. Yubico is one of many security key manufacturers. Their article Losing Your YubiKey is a helpful resource on this topic.
When using passkeys on security keys, the policy for lost or stolen security keys is defined by the relying party and their account recovery process. Yubico is one of many security key manufacturers. Their article Losing Your YubiKey is a helpful resource on this topic.
When using synced passkeys on a phone or laptop, the end user needs to have or regain access to their credential provider to regain access to the service. When using synced passkeys on a phone or laptop, the end user needs to have or regain access to their credential provider to regain access to the service.
For both synced and device-bound passkeys, end users can prevent unauthorized use of the passkey on the lost or stolen device by removing the passkeys from the service provider. Refer to the design pattern Remove Passkey From Service Provider Account Settings design pattern for more information. For both synced and device-bound passkeys, end users can prevent unauthorized use of the passkey on the lost or stolen device by removing the passkeys from the service provider. Refer to the design pattern Remove Passkey From Service Provider Account Settings design pattern for more information.
Related resources
- Yubico: Losing your security key
- Apple passkey: Recovery security
- FIDO Alliance: Remove Passkey From Service Provider Account Settings
- FIDO Alliance: Remove Passkey From Service Provider Account Settings
How multiple passkeys work with a single account might create confusion
End users can create multiple passkeys for a single account but with passwords, you can only have one password per account. This difference might confuse for some end users.
Steps to reproduce
- Create a passkey using iOS for a service.
- Create another passkey using Android for the same service.
- Create another passkey using Windows for the same service.
- Create another passkey using a third party passkey provider for the same service.
- Create a passkey using iOS for a service.
- Create another passkey using Android for the same service.
- Create another passkey using Windows for the same service.
- Create another passkey using a third party passkey provider for the same service.
Guidance
End users might see multiple passkeys listed for the same account in two places:
- when signing in
- in account settings after signing in End users might see multiple passkeys listed for the same account in two places:
- when signing in
- in account settings after signing in
When signing in to a service, end users will see the most recently used passkey as the default passkey for the service. If other passkeys are available to use, the browser and credential provider interfaces allow end users to select a different passkey. In the context of signing in, there is nothing the relying party needs to actively manage to ensure people can view and use their passkeys. When signing in to a service, end users will see the most recently used passkey as the default passkey for the service. If other passkeys are available to use, the browser and credential provider interfaces allow end users to select a different passkey. In the context of signing in, there is nothing the relying party needs to actively manage to ensure people can view and use their passkeys.
For viewing passkeys in the relying party's account settings interface, relying parties should use and display the data using passkey cards, which are defined in the design pattern: Create, View, and Manage Passkeys in Account Settings. User experience research by the FIDO Alliance shows that passkey cards are intuitive and useful. They allow end users to proactively learn about, manage, and update their authentication settings. For viewing passkeys in the relying party's account settings interface, relying parties should use and display the data using passkey cards, which are defined in the design pattern: Create, View, and Manage Passkeys in Account Settings. User experience research by the FIDO Alliance shows that passkey cards are intuitive and useful. They allow end users to proactively learn about, manage, and update their authentication settings.
Related resources
- FIDO Alliance design pattern: Create, View, and Manage Passkeys in Account Settings
- FIDO's Figma UI Kits
Passkeys managed by some credential providers are not available on all operating systems
Credential providers manage synced passkeys. Some credential providers make synced passkeys available on multiple operating systems and some do not. The following table lists several credential providers who sync across operating systems. The parent companies of these providers are members of the FIDO Alliance.
Credential manager | Included with the operating system | Third party add-on | Synced passkeys across operating systems |
---|---|---|---|
1Password | No | Yes | Yes |
Apple Passwords | Yes | No | No |
BitWarden | No | Yes | Yes |
Dashlane | No | Yes | Yes |
Google Password Manager | Yes | No | Yes |
Keeper | No | Yes | Yes |
LastPass | No | Yes | Yes |
Steps to reproduce
- Create a synced passkey on operating system "A"
- Notice if this synced passkey is available for use on operating system "B"
- Notice if this synced passkey is available for use on operating system "B"
Guidance
The emphasis here is on your understanding of the ecosystem and end user education is not necessary. The emphasis here is on your understanding of the ecosystem and end user education is not necessary.
Some people believe, incorrectly, that biometrics are sent to the relying party
Some end users believe biometrics, when used with passkeys, are sent to the relying party. Biometrics are never sent over the internet and relying parties have no access to biometric data. Some end users believe biometrics, when used with passkeys, are sent to the relying party. Biometrics are never sent over the internet and relying parties have no access to biometric data.
Steps to reproduce
- Sign in with a passkey.
- Notice that biometrics are likely used. A PIN, passcode, or other device unlock method can also be used.
- Biometrics never leave the end user's device and the relying party never accesses or stores biometrics.
- Sign in with a passkey.
- Notice that biometrics are likely used. A PIN, passcode, or other device unlock method can also be used.
- Biometrics never leave the end user's device and the relying party never accesses or stores biometrics.
Guidance
The design pattern Create, View, and Manage Passkeys in Account Settings provides several messages you can use to introduce end users to passkeys. These messages have been rigorously tested through user experience research. The design pattern Create, View, and Manage Passkeys in Account Settings provides several messages you can use to introduce end users to passkeys. These messages have been rigorously tested through user experience research.
You can build upon the messaging used in this pattern as needed, by adding a message that biometrics never leave your device. This message can be included in Account Settings or in customer support help articles along with other passkey information. You can build upon the messaging used in this pattern as needed, by adding a message that biometrics never leave your device. This message can be included in Account Settings or in customer support help articles along with other passkey information.
Related resources
- How Passkeys Work
- Create, View, and Manage Passkeys in Account Settings design pattern
- How Passkeys Work
- Create, View, and Manage Passkeys in Account Settings design pattern
Use of near-field communication (NFC) might be unfamiliar
Synced passkeys generally use the internal transport but it is also possible to use any of the transports in the following list. Synced passkeys generally use the internal transport but it is also possible to use any of the transports in the following list.
- USB (universal serial bus)
- NFC (near-field communication)
- BLE (Bluetooth low energy)
- Internal
Steps to reproduce
- Navigate to a service that supports passkeys and uses autofill
- Instead of using the passkey autofill populates to sign in, select other sign in options or use a different phone, tablet, or security key. Different credential managers use different calls to action.
- Notice that the options use different transports.
- Navigate to a service that supports passkeys and uses autofill
- Instead of using the passkey autofill populates to sign in, select other sign in options or use a different phone, tablet, or security key. Different credential managers use different calls to action.
- Notice that the options use different transports.
BLE is only used to verify that the authenticator is within physical proximity of the client. No key material is communicated over Bluetooth.
Guidance
The NFC transport is rarely used in consumer deployments of passkeys.