For Developers: What's Beyond Identity?

2/23/2023 Jen Field

A better sign on

People have been showing up at doors and using keys to open those doors for millennia. The model is simple: select key, use key, get in.

For software, getting in has been a little more complicated. You know the drill: digging up usernames, recalling passwords, interacting with phone apps and other fun things.

Passkeys provide a better way to sign in. Like physical keys, you only need to possess them and present them to the website you are trying to access. You may have heard a lot about passkeys lately. The important thing to know about them is that they’re based on public/private key pairs, so they resist phishing and other common attacks. (Also they’re way easier to use than passwords.)

Beyond Identity provides you, the developer, with passkey-based sign on for your app. There are no more passwords, even usernames become optional, and the entire experience is better and more secure for your users.

Adding sign-on to your app

Historically, if you needed to add sign on to your app, the guidance was to add an HTML form and collect a password.

When modern authentication arrived on the scene, we could use OAuth and add social login (Apple, Google or Facebook) or use a customer identity and access management (CIAM) provider with sign up and sign on flows.

But users still needed passwords to sign in to the providers themselves. Today, authentication providers support passwordless options, but not consistently. Platforms and browsers don’t all support WebAuthn, so the providers will fall back to phone apps, OTP or SMS text.

What we do

With Beyond Identity, you can set up your web or native mobile app with phishing-resistant, passwordless sign on across platforms, browsers, and identity providers with our universal passkeys.

What are universal passkeys? This term refers to our capability to support a consistent, secure, passkey-based authentication experience across any device, platform, and browser. We do this by abstracting away the complexities of WebAuthn/FIDO2 credentials so users can authenticate using WebAuthn where it's supported. In scenarios where the platform, browser or app does not support WebAuthn, we still enroll public/private key-based credentials with our own technology, built on WebCrypto and using WebAssembly from a shared library written in Rust. That means your users get phishing-resistant login regardless of platform or browser. And unlike with social login providers, you control the branding and user experience.

The key is the key

In short, we guarantee that your app’s users can sign in with passwordless credentials based on private keys that don’t leave the device. We do this by providing you with the tools and guidance you need to build universal passkey support into your apps, including sign on, enrollment, recovery and credential management.

How it works

There are a few models by which we integrate with your app, depending on how much control you want and whether you are using a commercial identity provider (IDP).

Once you set up your Beyond Identity tenant, you can decide which model you want to use to add universal passkey-based sign on to your app.

Easiest option: we host everything

When you choose our hosted authenticator model, we are your passkey sign on provider. Your app sends an OIDC request to our API and we do the rest, including serving pages or in-app browser tabs to the user and providing client and server-side code to orchestrate the passkey-based sign on. Once finished, we return an OIDC code and token to your app.

Note: with this flow, your users’ passkeys are under the origin, just as would be the case with other commercial IDPs.

Embedded SDK: More control, but we still handle the details

In the self-hosted model using our SDKs, your app still sends an OIDC request to our API. What's different is that we send the passkey authentication challenge back to your app so that you can control the user experience, in particular the experience for selecting which passkey to use.

Once a passkey has been selected, your app then invokes our SDK, which talks to our backend to complete the authentication sequence with the user. Upon successful authentication, as with the Beyond Identity hosted model, we return an OIDC code and token to your app.

Note: In this model, the users’ passkeys are under your app’s origin, but we still keep user and credential information safe in your Beyond Identity tenant, so that your app does not need to store users or key information.

Using either of the above models, we integrate with the IDP you're already using

With either model, your app can also have universal passkey-based sign on through a third-party identity provider. You can configure your IDP to delegate authentication to Beyond Identity using our integration guides. This lets you benefit from your IDP’s policies and SSO while ensuring your users can sign in with our passkey-based experience.

Next steps

You can get started right away. Regardless of which integration option you choose, the basic tools are the same: