For Developers: What's Beyond Identity?
A better sign on
People have been showing up at doors and using keys to open those doors for millennia. The model is simple: select key, use key, get in.
For software, getting in has been a little more complicated. You know the drill: digging up usernames, recalling passwords, interacting with phone apps and other fun things.
Passkeys provide a better way to sign in. Like physical keys, you only need to possess them and present them to the website you are trying to access. You may have heard a lot about passkeys lately. The important thing to know about them is that they’re based on public/private key pairs, so they resist phishing and other common attacks. (Also they’re way easier to use than passwords.)
Beyond Identity provides you, the developer, with passkey-based sign on for your app. There are no more passwords, even usernames become optional, and the entire experience is better and more secure for your users.
Adding sign-on to your app
Historically if you needed to add sign on to your app, the guidance was to add an HTML form and collect a password.
When modern authentication arrived on the scene, we could use OAuth and add social login (Apple, Google or Facebook) or use a customer identity and access management (CIAM) provider with sign up and sign on flows.
But users still needed passwords to sign in to the providers themselves. Today, authentication providers support passwordless options, but not consistently. Platforms and browsers don’t all support WebAuthn, so the providers will fall back to phone apps, OTP or SMS text.
What we do
With Beyond Identity, you can set up your web or native mobile app with phishing-resistant, passwordless sign on across platforms, browsers, and identity providers with our universal passkeys.
What are universal passkeys? This term refers to our capability to support a consistent, secure, passkey-based authentication experience across any device, platform, and browser. We do this by abstracting the complexities from WebAuthn/FIDO2 credentials so users can authenticate using WebAuthn where it's supported. But in scenarios where the platform, browser or app does not support WebAuthn, we still enroll public/private key based credentials with our own technology based on WebCrypto and using WebAssembly from a shared library built in Rust. That means your users get phishing resistant login regardless of platform or browser. And unlike with social login providers, you can control the branding and user experience.
The key is the key
In short, we guarantee that your app’s users can sign in with passwordless credentials based on private keys that don’t leave the device. We do this by providing you with the tools and guidance you need to build universal passkey support into your apps, including sign on, enrollment, recovery and credential management.
How it works
There are a few models by which we integrate with your app, depending on how much control you want and whether you are using a commercial identity provider (IDP).
Once you setup your Beyond Identity tenant, you can decide which model you want to use to add universal passkey based sign on to your app.
Easiest option: we host everything
When you choose our hosted authenticator model, we are your passkey sign on provider. Your app sends an OIDC request to our API and we do the rest, including serving pages or in-app browser tabs to the user and providing client and server-side code to orchestrate the passkey-based sign on. Once finished, we return an OIDC code and token to your app.
Note: with this flow, your users’ passkeys are under the beyondidentity.com origin, just as would be the case with other commercial IDPs
Embedded SDK: More control, but we still handle the details
In the self-hosted model using our SDKs, your app still sends an OIDC request to our API. What's different is that we send the passkey authentication challenge back to your app so that you can control the user experience, in particular the experience for selecting which passkey to use.
Once a passkey has been selected, your app then invokes our SDK, which talks to our backend to complete the authentication sequence with the user. Upon successful authentication, as with the Beyond Identity hosted model, we return an OIDC code and token to your app.
Note: In this model, the users’ passkeys are under your app’s origin, but we still keep user and credential information safe in your Beyond Identity tenant, so that your app does not need to store users or key information
Using either of the above models, we integrate with the IDP you're already using
Using either of the above models, your app can have universal passkey based sign on through a third-party identity provider as well. You can configure your IDP to delegate authentication to Beyond Identity using our integration guides. This model lets you benefit from your IDP’s policies and SSO while ensuring your users can sign in with our passkey-based experience.
You can get started right away. Regardless of which integration option you choose, the basic tools are the same:
- Sign up for a developer account and configure your Beyond Identity tenant
- Follow our getting started guide to download and setup a sample app that already has the Beyond Identity SDK baked in