For Developers: What's Beyond Identity?

9/14/2023 Jen Field

Better sign on

Beyond Identity provides you, the developer, with passkey-based sign on for your web or native mobile app. For your users that means no more digging up passwords, chasing one time codes for each sign on, or interacting with phone apps. Even typing in their username is optional, and the entire experience is better and more secure.​

Passkeys replace passwords with phishing-resistant credentials based on public/private key pairs, where the private key never leaves the user's device. Passkeys are not only more protected from common attacks than passwords, they're also much easier to use.

You can think of a passkey as something your users have, like a physical key but protected by a biometric or device PIN*. Passkeys can only be used on the website or app they were enrolled for, which protects your users against phishing, credential stuffing, and other kinds of fraud.

The user experience is simple: just present the key by clicking a sign in button, and get in. Take a look at the example below:

*Note: A device PIN is not the same as a password: it is not useful without the device, and it does not travel across the network. This makes the device PIN much less susceptible to phishing, man in the middle, social engineering and other common attacks.

Passkey deployment challenges

Passkeys have gained significant traction with support across all major device platforms and most browsers, but developers still have implementation questions and challenges concerning the passkey lifecycle:

  • How can I enroll new passkeys for my users?
  • What if the user has a new computer or phone?
  • How can my users enroll and use passkeys on all of their devices?

While multi device passkeys are a big part of the solution, they are only synced within a platform environment. For example, your user's iPhone, iPad and Mac can share iCloud keychain passkeys, but this leaves out passkeys in the Microsoft or Google ecosystems.

What if you want to provide a common passkey enrollment, login, and recovery experience across all of your users' platforms and devices?

Enter Beyond Identity with Universal Passkeys which can be deployed via Hosted Web Authentication or embedded SDKs.

What are Universal Passkeys?

With Beyond Identity Universal Passkeys, you can enable seamless passkey enrollment for your users no matter what vendor ecosystem their device comes from.

You can also enroll passkeys on devices and browsers that don't support FIDO2 or WebAuthn, using W3C's WebCrypto which creates software-backed passkeys. Passkey enrollment happens automatically, inline with login so you don't depend on vendor-specific multi-device passkey sync. Take a look at the experience for first time enrollment and login on a new device:

 

Learn more about Beyond Identity Universal Passkeys

Hosted Web Authentication: the simplest deployment model

Hosted Web Authentication is the simplest way to deploy Beyond Identity. You add passkey enrollment and sign on using a page hosted by us, without writing any code beyond a standard OIDC call. This is the model you see in the example above.

How it works

With this model, you just make the OIDC call and we do the rest, including presenting the hosted page, enrolling the user for a passkey if required and then signing them in, presenting a passkey choice page if necessary.

We serve the pages or in-app browser tabs to the user and provide client and server-side code to orchestrate the passkey enrollment and sign on. Once finished, we return an OIDC code and token to your app.

Note: with this flow, your users’ passkeys are under the beyondidentity.com origin, just as would be the case with other commercial IDPs

Passkey Enrollment Factors

In the above example, the user enrolled via the email OTP method, so they were sent a one time enrollment passcode to complete passkey enrollment. This option is supported today, and additional enrollment factors are coming soon!

Passkey login Factors

In addition to sign on via either hardware or software passkeys, you can configure fallback to either software WebCrypto passkeys or OTP code for cases where hardware passkeys are not supported. You can configure policy on each app to determine which sign on and enrollment factors you wish to enable.

Get started with Hosted Web Authentication

Use our hosted web getting started guide to add hosted web authentication to your app right away!

Embedded SDK: more control, but we still handle the complexity

If you want to host the entire sign on experience within your app rather than using Hosted Web Authentication, you can do this using our Embedded SDKs.

How it works

In this model, your app still sends an OIDC request to Beyond Identity. What's different is that we send the passkey authentication challenge back to your app so that you can control the user experience:

  • Your code enumerates available passkeys and determines how to guide the user
  • If there is one and only one passkey available for the user and website, your code can either provide for silent authentication with no user experience, or present a confirmation or consent UI
  • When there is more than one passkey available for the user and website, your code determines the passkey selection user experience
  • When no passkeys are available, your code determines the behavior, such as an error message, initiation of passkey enrollment, or custom behavior
  • You control the styles, look and feel of the passkey enrollment and selection pages

To implement these experiences, you'll need to create `/bind` and `/bi-authenticate` routes in your app to support enrollment and authentication. Within these routes, your app invokes our SDK, which talks to our backend to complete the binding and authentication sequences with the user. Upon successful authentication, as with the Beyond Identity hosted model, we return an OIDC code and token to your app.

Note: In this model, the users’ passkeys are under your app’s origin, but we still keep user and credential information safe in your Beyond Identity tenant, so that your app does not need to store users or key information​

Get started with the Embedded SDK

Use our embedded SDK getting started guide to add embedded SDK authentication to your app.

Bonus: we integrate with the IDP you're already using

Using either of the above deployment models, your app can implement passkey based sign on through a third-party identity provider as well. You can configure your IDP to delegate authentication to Beyond Identity using our integration guides. This model lets you benefit from your IDP’s policies and SSO while ensuring your users can sign in with our passkey-based experience.

Conclusion

With Beyond Identity, you can set up your web or native mobile app with phishing-resistant, passwordless sign on across platforms, browsers, and identity providers with hardware and software passkeys. You can choose to enroll users inline with the authentication experience using our Hosted Web Enrollment and sign on. For more options, you can use our Embedded SDKs to create your own experiences.