Beyond Identity’s Universal Passkey Architecture Explained

Passkeys, based on asymmetric cryptography, that eliminate passwords have the potential to change the authentication industry once and for all. Founding engineer Nelson Melo explains how developers can deploy Beyond Identity’s Universal Passkey approach using SDKs to enable and secure the authentication for any application and make adopting the FIDO standard simpler and faster.


Hey, everybody. My name is Nelson, and today I'd like to describe how we think about the universal passkey architecture at Beyond Identity. 

So we started with a few simple primitives. Users have devices and they come in all varieties. They could be Android, iOS, you name it. They could be desktops or mobiles. And if you're thinking about how authentication typically happens today is folks know if password, a shared secret that they've given their server authentication system, whatever that may be. 

And you're thinking about replacing that with a digital key that's associated with their device, then you kind of have to start figuring out, well, what happens if I have more than one device? What happens if now that user that started their session on their desktop and has a passkey on their desktop, how do they actually move that key or use that key as a session in their new application? 

So, thinking through that problem, we kind of identified that developers can very easily build these kinds of solutions if we made available to them a set of SDKs. And these come in all varieties, iOS, Android, you name it. There's JavaScript SDK as well. 

And you can build that into your own application. Your app can be an internal app that's for your enterprise, or it could be something you're creating for your customers. And then as you create passkeys, we can help you manage the lifecycle of those keys, manage where they are stored in the machine via a directory that's sitting on our cloud. This has all the normal functions of directories that you may have worked with in the past, except we don't store shared secrets for you. 

The function for that is we put a public key that's associated with the private key for the passkey in the directory. So each user has one or more keys that are essentially associated with their account. And if you think about it, getting kind of all those pieces together, now, it's very easy with the documentation we put in place with the integrations that are built into your applications to deploy passkeys, not only on one browser or one device, but to really take advantage of all those integrations and put them on multiple devices. 

And that's what we call universal passkeys. What are folks looking for in a system like this? Well, we think they want something that's unphishable or as phishing resistant as possible. That kind of right there, if you think about how passwords are constantly exploited and 80% of known breaches based on the Verizon report are really coming from shared credentials that have been compromised. 

Removing the shared secret has a huge impact on that part of the equation. Then hopefully, something that's easy for your users to use, that's elegant, that's frictionless. And for developers, just to make it easy for you to use. 

SDKs that are well-documented, that are simple for integration into your existing stack. So, we built this system to adapt to any of your needs as a developer. We talk to folks that have been using existing authentication stacks for a while. 

They may have an IDP that they have been deploying with their applications, and we describe that. It's kind of you have existing environments, and you've been integrating with those environments using standard identity protocols like SAML or OIDC. Those may or may not support passkeys. 

If they don't, that's where we can help. Or we talk to developers who are simply starting from scratch and they're thinking about implementing authentication for their applications and they're not quite sure where to start. For those folks, we can become their primary IdP and implement authentication via passkeys and other authentication mechanisms.