What happens under the hood
- 01 User enters email (or is recognized from an existing session)
- 02 Browser prompts for device authentication
- 03 Device signs a challenge with the private key. The private key never leaves the device
- 04 Signature is verified against the stored public key
- 05 Session established. No secret was ever transmitted
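A simplified model of steps 02 to 05, added here as an illustration (it is not Descope's code and not the WebAuthn wire format). It also shows why a replayed response or one produced on a look-alike origin is rejected; the origin value, function names and JSON layout are assumptions.

```javascript
// Added example: simplified model of steps 02-05, not the WebAuthn wire format.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

const EXPECTED_ORIGIN = 'https://app.example'; // assumed origin of the real site

// Enrollment: the key pair is created on the device; the server keeps only the public key.
function enrollDevice() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, serverRecord: { publicKey } };
}

// Server: issue a single-use random challenge.
const pending = new Set();
function issueChallenge() {
  const challenge = randomBytes(32).toString('base64url');
  pending.add(challenge);
  return challenge;
}

// Device (step 03): sign the challenge together with the origin the browser is actually on.
function deviceSign(device, challenge, origin) {
  const clientData = Buffer.from(JSON.stringify({ challenge, origin }));
  return { clientData, signature: sign('sha256', clientData, device.privateKey) };
}

// Server (step 04): check the signature first, then challenge freshness, then origin.
function verifyAssertion(serverRecord, { clientData, signature }) {
  if (!verify('sha256', clientData, serverRecord.publicKey, signature)) return 'bad-signature';
  const { challenge, origin } = JSON.parse(clientData.toString('utf8'));
  if (!pending.delete(challenge)) return 'unknown-or-replayed-challenge';
  if (origin !== EXPECTED_ORIGIN) return 'wrong-origin';
  return 'ok'; // step 05: safe to establish the session
}

// Constructed run: one genuine sign-in, a replay of it, and a look-alike origin.
const { device, serverRecord } = enrollDevice();
const genuine = deviceSign(device, issueChallenge(), EXPECTED_ORIGIN);
console.log(verifyAssertion(serverRecord, genuine));
console.log(verifyAssertion(serverRecord, genuine));
console.log(verifyAssertion(serverRecord, deviceSign(device, issueChallenge(), 'https://app.example.login.test')));
```

Only the public key and the outstanding challenges live on the server, so nothing stored there can be used to sign in as the user.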
Key tradeoffs
- Phishing-proof by design. Private key never leaves the device
- Device-bound: user locked out if they lose their only enrolled device
- No shared secret. Even a Descope breach can't leak user credentials
- Requires user education; 'passkey' is still unfamiliar to many users
- Biometric auth feels native and fast on mobile
- Older browsers / devices may not support WebAuthn. Need a fallback
Try it live
Enter your email and click Continue. If you've registered a passkey on this device, your browser will prompt for Touch ID or Face ID. First time? You'll be asked to create one.