Yubico Best Practices

Contents

• Introduction
  • Audiences
  • Passkeys
  • Updates
• Passkey Best Practices for Service Providers
  • Intended audience
  • Plan for user experience challenges
  • Consider how users will recover from the loss of an authenticator
  • Decide when to use discoverable credentials
  • Decide when to request attestation
  • Consider approaches for detecting passkey support in the browser or platform
  • Be cautious about requiring optional WebAuthn features
• Passkey Frequently Asked Questions
  • What is a Passkey?
  • Is ‘passkey’ the new name for FIDO and WebAuthn credentials?
  • Why is the term passkey in the news a lot recently?
  • How are passkeys different from YubiKeys?
  • What terms will Yubico use to talk about passkeys?
  • What are the security tradeoffs between copyable and device-bound passkeys?
  • How can organizations tell what type of passkeys are used to authenticate to their services?
  • What is Yubico’s overall guidance about passkeys?
  • Can passkeys replace a password as well as another authentication factor?
• Copyright
  • Trademarks
  • Disclaimer
  • Contact Information
  • Document Updated