Passkey and ID Federation
- Passkey: With major platform vendors announcing support for synchronizing FIDO credentials, and Apple and Google beginning to ship it, this "mechanism for realizing a passwordless world" has drawn attention. More services are expected to accept Passkey authentication as a Relying Party (RP) in the future.
- ID Federation: By utilizing the user information and authentication event information from Identity Providers (IdPs), Relying Parties (RPs) can simplify the process of registering new users and authentication for their services, improving usability. In addition, if the IdP provides advanced authentication features, the security of the RP can also be enhanced.
Federation IdP w/ Passkey
In ID Federation, the authentication strength an RP can rely on is bounded by that of the IdP. A large-scale IdP typically supports multi-factor authentication and risk-based authentication using signals such as the source of the access. Adding the phishing resistance of Passkey strengthens the IdP's authentication further, and local authentication such as Touch ID makes it more convenient at the same time.
There are various types of IdPs, including those like Google that provide ID federation features to third parties, as well as those that serve as IdPs for services within the same company. The more RPs that use an IdP, the more those RPs can benefit from the IdP’s support for Passkey.
To get this "IdP w/ Passkey" effect, the IdP needs a way to convey to the RP that an advanced authentication method was used. OpenID Connect already has this: the RP can request a particular authentication strength with the "acr_values" request parameter, and the IdP reports what actually happened through the "Authentication Context Class Reference (acr)" and "Authentication Methods References (amr)" claims in the ID Token. Note that acr_values is only a voluntary hint; an RP that cannot proceed without a given strength should mark acr as essential via the "claims" parameter and, in either case, must check the acr claim it receives rather than assume the request was honored. Currently most IdPs do not use these values, but acr values for conveying phishing-resistant Passkey authentication to RPs are defined in the following specification:
https://openid.net/specs/openid-connect-eap-acr-values-1_0.html
> Specifically, an authentication context class reference value is defined that requests that phishing-resistant authentication be performed and another is defined that requests that phishing-resistant authentication with a hardware-protected key be performed. These policies can be satisfied, for instance, by using W3C scoped credentials or FIDO authenticators.
I expect that the adoption of this specification by IdPs and its use by RPs will lead to improved security and convenience through ID federation.
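The RP side of the exchange above, as an added example that is not part of the original post: the RP asks for the phishing-resistant acr values "phrh" and "phr" defined in openid-connect-eap-acr-values-1_0 (marking them essential through the OIDC Core "claims" parameter), then checks the acr and amr claims of the returned ID Token. The IdP endpoint, client identifiers and the ID Token payloads are constructed for illustration; signature, issuer, audience, expiry and nonce validation of the ID Token is assumed to have been done already by a JWT library and is not shown.

```python
"""RP-side request and check of phishing-resistant acr values (added example).

Assumptions (not from the original post): the IdP URL and client_id are
hypothetical, and the ID Token claims passed to check_authentication_context()
have already passed signature/iss/aud/exp/nonce validation.
"""
import json
from urllib.parse import urlencode, urlparse, parse_qs

# acr values from openid-connect-eap-acr-values-1_0, in the RP's preference order.
PHRH = "phrh"  # phishing-resistant authentication with a hardware-protected key
PHR = "phr"    # phishing-resistant authentication
ACCEPTED_ACR = (PHRH, PHR)

AUTHZ_ENDPOINT = "https://idp.example.com/authorize"  # hypothetical IdP


def build_authorization_url(client_id, redirect_uri, state, nonce, essential=True):
    """Authorization request that asks the IdP for phishing-resistant authentication."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        # acr_values is a space-separated, voluntary hint (OIDC Core 3.1.2.1).
        "acr_values": " ".join(ACCEPTED_ACR),
    }
    if essential:
        # The claims parameter (OIDC Core 5.5.1.1) lets the RP say it cannot
        # proceed unless acr is one of these values.
        params["claims"] = json.dumps(
            {"id_token": {"acr": {"essential": True, "values": list(ACCEPTED_ACR)}}}
        )
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def parse_request(url):
    """Decode the acr-related parts of an authorization URL (used for checking)."""
    q = parse_qs(urlparse(url).query)
    acr_values = q.get("acr_values", [""])[0].split()
    essential = False
    if "claims" in q:
        acr_req = json.loads(q["claims"][0]).get("id_token", {}).get("acr", {})
        essential = acr_req.get("essential", False) is True
    return {"acr_values": acr_values, "essential": essential}


def check_authentication_context(id_token_claims, accepted=ACCEPTED_ACR):
    """Return (ok, reason) for the acr/amr claims of an already-validated ID Token.

    A missing acr claim is treated as 'not satisfied': the IdP may ignore a
    voluntary acr_values request, so absence must never count as success.
    """
    acr = id_token_claims.get("acr")
    if acr is None:
        return False, "acr claim absent: IdP did not assert phishing-resistant authentication"
    if acr not in accepted:
        return False, f"acr {acr!r} is not one of the accepted values {accepted}"
    amr = id_token_claims.get("amr", [])
    if not isinstance(amr, list):
        # amr is defined as a JSON array of strings (OIDC Core 2, RFC 8176).
        return False, "amr claim is malformed (must be a JSON array)"
    return True, f"accepted: acr={acr} amr={amr}"


if __name__ == "__main__":
    url = build_authorization_url("rp-client-1", "https://rp.example.org/cb", "st-1", "n-1")
    print(url)
    # Constructed ID Token payloads (not real tokens): a Passkey login reported
    # with the EAP acr value and RFC 8176 amr values, and a password login.
    for claims in ({"acr": PHRH, "amr": ["hwk", "user"]}, {"amr": ["pwd"]}):
        print(check_authentication_context(claims))
```

If the check fails, the practical response is to send the user back to the IdP with a new authorization request (with prompt=login) rather than to fall back silently, since the point of the check is that the RP's own risk decision should not be weaker than what it requested.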
Federation RP w/ Passkey
On the other hand, some users may not want to use ID federation, and an RP cannot always rely on an IdP. If an RP needs to implement its own authentication, supporting Passkey gives it security and convenience comparable to those of large platform IdPs.
Conclusion
There are benefits to supporting Passkey for both IdPs and RPs in ID federation. In particular, when an IdP supports Passkey, it can tell RPs that phishing-resistant authentication was performed through the acr values defined in the extended OIDC specification, and RPs can request and verify that strength.