Passkey authentication
Start here
This guide presents a technical overview of Entrust's Passkey authentication solution, available for integration through Workflow Studio.
Introduction
Passkey authentication is a security solution enabling customers to manage user enrollment and authentication without the need for passwords, by replacing them with secure, user-friendly digital credentials. Employing public-key cryptography, passkeys provide users with seamless access to online services and applications, while at the same time enhancing security by eliminating the risks associated with password theft, phishing attacks and unauthorised access.
Our passkey solution offers customers a powerful alternative to Entrust's biometric authentication; each is tailored to specific use cases and customer needs. Passkey authentication is effective in preventing phishing attacks and reducing credential management overhead, making it an ideal solution for online services, enterprise applications, and scenarios where ease of access and robust security are paramount. By contrast, biometric authentication is tailored to instances where speed and user-friendliness are essential, and is particularly powerful when used on mobile devices and in physical access control systems.
Passkey authentication focuses on two main use cases:
- user enrollment, where end users create and store passkeys on their devices for future authentication
- user authentication, where end users verify their identity using existing passkeys
Passkey authentication is designed to improve security, enhance the user experience and streamline identity verification processes for customers.
Enroll Passkey task
To enroll end users and create a passkey, a dedicated Enroll Passkey task should be added to a Studio workflow in the Workflow Builder.
The task must be configured with an application domain, which is the domain name of the web application into which applicants will be enrolling and authenticating with a passkey. The domain should be in the format 'your-domain.com'. The task takes as input a user identifier (a unique internal ID, an email address, a username, etc.), which can be supplied either as workflow input or from a Profile Capture task. The user identifier input is optional. If it is not provided, the applicant ID will be used to identify the user. In this case, you will need to retain this value and use the same applicant ID in the passkey authentication workflow.
Once completed, the task will have created a user profile in our system, associating it with the unique user identifier provided in the task input. The end user's passkey will have been registered, and stored against the user profile.
A simple workflow to enroll a passkey for authentication
Authenticate Passkey task
To authenticate and verify the identity of users who have already enrolled with a passkey, a dedicated Authenticate Passkey task should be added to a Studio workflow in the Workflow Builder.
For end users that are eligible and enrolled, the task proceeds to authenticate the user by verifying their identity with the passkey.
A simple workflow to authenticate an existing passkey
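The two tasks above rely on the public-key mechanism mentioned in the introduction: at enrollment the device keeps a private key and the service stores only the matching public key against the user, and at authentication the device signs a fresh challenge together with the domain the browser is actually talking to. The following Go program is an added illustration of that mechanism, written for this page; it is not Entrust's code and not the Workflow Studio API. It assumes a simplified model (ECDSA P-256, a SHA-256 hash of challenge plus domain standing in for WebAuthn's authenticator and client data) and constructed sample values (`your-domain.com` from the task description, an applicant ID of `applicant-123`), and it also applies the page's rule that the applicant ID identifies the user when no user identifier is supplied.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RelyingParty is a simplified model of the service side of passkey
// enrollment and authentication. Illustration only: not Entrust's
// implementation and not a complete WebAuthn relying party.
type RelyingParty struct {
	AppDomain string                      // configured application domain (the RP ID)
	creds     map[string]*ecdsa.PublicKey // resolved user key -> enrolled public key
}

func NewRelyingParty(appDomain string) *RelyingParty {
	return &RelyingParty{AppDomain: appDomain, creds: map[string]*ecdsa.PublicKey{}}
}

// Authenticator models the user's device or password manager. The private
// half of the passkey is generated here and never leaves this struct.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: k}, nil
}

// UserKey applies the rule from the task description: a supplied user
// identifier is used when present, otherwise the applicant ID identifies the user.
func UserKey(userID, applicantID string) string {
	if userID != "" {
		return userID
	}
	return applicantID
}

// Enroll stores the device's public key against the resolved user key.
func (rp *RelyingParty) Enroll(userKey string, a *Authenticator) {
	rp.creds[userKey] = &a.priv.PublicKey
}

// NewChallenge returns 32 random bytes for a single authentication attempt.
// A fresh challenge per attempt is what stops a captured assertion being replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData is what the authenticator commits to: the challenge and the
// domain the browser reports. Binding the signature to the domain is what
// makes a passkey useless on a look-alike site (simplified stand-in for
// WebAuthn's authenticatorData and clientDataJSON hash).
func signedData(challenge []byte, domain string) []byte {
	h := sha256.New()
	h.Write(challenge)
	h.Write([]byte(domain))
	return h.Sum(nil)
}

// Assert signs the challenge bound to the domain the client is actually on.
func (a *Authenticator) Assert(challenge []byte, observedDomain string) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(challenge, observedDomain))
	if err != nil {
		panic(err)
	}
	return sig
}

// Authenticate rejects unknown users, a domain other than the configured
// application domain, and signatures that do not verify for this challenge
// and domain under the enrolled public key.
func (rp *RelyingParty) Authenticate(userKey string, challenge []byte, observedDomain string, sig []byte) error {
	pub, ok := rp.creds[userKey]
	if !ok {
		return errors.New("user is not enrolled")
	}
	if observedDomain != rp.AppDomain {
		return fmt.Errorf("domain %q does not match application domain %q", observedDomain, rp.AppDomain)
	}
	if !ecdsa.VerifyASN1(pub, signedData(challenge, observedDomain), sig) {
		return errors.New("signature does not verify for this challenge and domain")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("your-domain.com")
	dev, _ := NewAuthenticator()
	user := UserKey("", "applicant-123") // constructed sample: no user identifier supplied
	rp.Enroll(user, dev)

	ch, _ := NewChallenge()
	fmt.Println("genuine site:   ", rp.Authenticate(user, ch, "your-domain.com", dev.Assert(ch, "your-domain.com")))
	// An assertion produced on a look-alike domain and relayed to the real service does not verify.
	fmt.Println("relayed assertion:", rp.Authenticate(user, ch, "your-domain.com", dev.Assert(ch, "your-domain.co")))
}
```

The relayed case is the one worth noting for the application domain setting: a signature made while the browser was on a different domain fails verification at the genuine service even though the user, the device and the challenge are all legitimate. That domain binding, together with the fresh challenge, is where the phishing resistance described in the introduction comes from.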
Passkey authentication offers a number of Studio workflow mechanisms that account for specific error scenarios. These include:
- The user enters an incorrect PIN: the user's password manager will notify them of the failure, allowing them to reattempt authentication. After five failed attempts, the user will be informed they have exceeded the maximum number of retries and the workflow will conclude.
- The user cancels passkey authentication in their password manager: the user can cancel and return to the authentication flow, with the applicant remaining on the workflow task for up to five attempts. Once the maximum number of retries has been exceeded (a limit which is shared between flow cancellation and incorrect PIN entry), the user will be informed and the workflow will conclude.
- The user's device does not support passkey authentication: the user will be informed if their device does not support passkey authentication. Upon acknowledging this information, the workflow will conclude.
- An internal service error occurs: in the event of a system error, the workflow will terminate with an error notification.
Obtaining passkey authentication results
Results for passkey enrollment or authentication workflows can be found in the Results tab of your Studio Dashboard, or by making a call to our API to retrieve the workflow run (results can be found in the output property).