Passkeys
Passkeys give your users passwordless sign-in backed by public-key cryptography. The user's device holds a private key; NamoID stores only the matching public key per credential. Sign-in is a Touch ID / Face ID / Windows Hello / security-key ceremony — no password to remember and no OTP round-trip on returning sessions.
Why passkeys
- Phishing-resistant. Credentials are bound to the origin. A look-alike domain can't use a passkey registered for your real hosted-login domain — the browser refuses to sign. This removes the entire credential-stuffing and phishing attack class for users who adopt them.
- Inherently two-factor. The authenticator is something-you-have; the biometric/PIN unlock is something-you-are. A single passkey ceremony satisfies MFA — no extra TOTP step.
- One-tap returning login without you building device-trust UX.
How it works on hosted login
- Registration. After a user authenticates (e.g. via OTP), the hosted login can prompt them to add a passkey. The browser creates a key pair; NamoID stores the public key and credential metadata against the user.
- Authentication. On a later visit, the user picks "Sign in with a passkey", the browser signs a challenge with the private key, and NamoID verifies it against the stored public key — then issues the authorization code as usual.
- Management. Users can view and remove their registered passkeys from the hosted account pages. Removing a passkey revokes that credential immediately.
Enabling passkeys
Turn passkeys on from the selected environment's Authentication tab. Once
enabled, the hosted login surfaces the passkey button and the post-sign-in "add
a passkey" nudge. Because passkeys are origin-bound, they're tied to your
environment's hosted-login domain (the <slug>.id.namoid.in subdomain or your
verified custom domain).
Relationship to other methods
Passkeys complement rather than replace your other methods. A common pattern: let users sign up with email OTP, then offer a passkey for fast, secure returning logins, keeping OTP as the fallback. Since a passkey satisfies MFA on its own, passkey users get strong authentication without additional friction.