Troubleshoot Passkey Management and Removing Passkeys
This page offers troubleshooting tips for managing and removing passkeys when implementing passkey support.
Access to passkeys after death or serious injury
Access to passkeys after death or serious injury is possible and is a task that the provider of the credential manager should handle.
Steps to reproduce
- Access to the passkeys requires contacting the provider of the credential manager used by the injured or deceased person.
Guidance
Credential managers store passkeys and should provide ways to allow family members or people with legal documentation to recover the account of a deceased user.
Related resources
- Apple: How to request access to a deceased family member's Apple account
- Google: Submit a request regarding a deceased user's account
Removing passkeys from the relying party can create multiple issues
Passkeys use a private key which stays with the end user and a public key which stays with the relying party.
When the public key is removed from the relying party's service, the passkey will no longer work. The relying party has no knowledge of why the authentication failed and therefore cannot provide helpful next steps for the end user.
Steps to reproduce
- Create a passkey for a service.
- Visit the service's Account Settings and remove the passkey.
- Sign out.
- Attempt to sign in using the passkey suggested by the credential manager.
- Notice that the sign-in fails and no explanation is given for the failure.
Guidance
Follow the guidance in the FIDO Alliance design pattern: Remove Passkeys from Account Settings
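The failure in the steps above can be modelled on the relying party's side, as in this added example, which is not code from the FIDO Alliance or its design pattern. The `CredentialStore` class, the `classifySignIn` function, the tombstone record and the message text are assumptions made for illustration.

```javascript
// Added example: in-memory model of a relying party's passkey records.
// CredentialStore, classifySignIn and the message text are hypothetical.
class CredentialStore {
  constructor() {
    this.active = new Map();  // credentialId -> { userId, publicKey }
    this.removed = new Map(); // credentialId -> { userId, removedAt }
  }

  register(credentialId, userId, publicKey) {
    this.active.set(credentialId, { userId, publicKey });
    this.removed.delete(credentialId);
  }

  // "Remove passkey" in Account Settings: the public key is deleted,
  // but a tombstone records that this credential ID once existed.
  remove(credentialId, now = new Date()) {
    const record = this.active.get(credentialId);
    if (!record) return false;
    this.active.delete(credentialId);
    this.removed.set(credentialId, {
      userId: record.userId,
      removedAt: now.toISOString(),
    });
    return true;
  }
}

// Runs before signature verification. With the public key gone the
// assertion cannot be verified, so the caller is unauthenticated and
// the reply must not include any account data.
function classifySignIn(store, credentialId) {
  if (store.active.has(credentialId)) {
    return { status: "known", proceed: true, message: null };
  }
  if (store.removed.has(credentialId)) {
    return {
      status: "removed",
      proceed: false,
      message: "This passkey was removed from your account. Delete it " +
        "from your credential manager and sign in another way.",
    };
  }
  return {
    status: "unknown",
    proceed: false,
    message: "This passkey is not registered with this service.",
  };
}
```

Without the tombstone, the "removed" and "unknown" cases are indistinguishable to the relying party, which is the unexplained failure the steps reproduce.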
Related resources
- FIDO Alliance design pattern: Remove Passkeys from Account Settings
Security key protocols might limit the number of accounts they can be associated with
Security keys can use a range of protocols. Some protocols limit the number of accounts a security key can be associated with.
Steps to reproduce
- Use your security key for multiple services.
- Notice at some point the security key might become full.
Guidance
Research security key providers' websites to learn what limits various protocols and/or hardware place on the number of accounts a security key can hold. Ensure your customer support articles account for these limits, and ensure your customer support staff are aware of them so they can help your end users when applicable.
Related resources
- Feitian: FIDO Security keys: Frequently Asked Questions
- Yubico: How many accounts can I register my YubiKey with?
Technical implementation of design guidelines is not documented
The FIDO Alliance design guidelines are for consumer use cases of passkeys. The FIDO Alliance UX Working Group conducts rigorous usability research each year to support these guidelines. Use the Design Guidelines in conjunction with the Passkey Roll-Out Guides during your implementation of passkeys.
Steps to reproduce
- Review the FIDO Alliance Design Guidelines.
- Notice that no code samples accompany the guidelines.
Guidance
Reference the links in Developer Documents for engineering guidance and questions.