Yubico Best Practices
Contents
- Introduction
- Attestation and Authenticator Metadata
- Passkey Frequently Asked Questions
- Intended audience
- What is a passkey?
- Is ‘passkey’ the new name for FIDO and WebAuthn credentials?
- Why is the term passkey in the news a lot recently?
- How are passkeys different from YubiKeys?
- What terms will Yubico use to talk about passkeys?
- What are the security tradeoffs between copyable and device-bound passkeys?
- How can organizations tell what type of passkeys are used to authenticate to their services?
- What is Yubico’s overall guidance about passkeys?
- Can passkeys replace a password as well as another authentication factor?
- Passkey Best Practices for Service Providers
- Intended audience
- Plan for user experience challenges
- Consider how users will recover from the loss of an authenticator
- Decide when to use discoverable credentials
- Decide when to request attestation
- Consider approaches for detecting passkey support in the browser or platform
- Be cautious about requiring optional WebAuthn features
- Authenticator Enforcement Best Practices for Identity Providers
- Glossary
- Copyright