Android Developers Blog
The latest Android and Google Play news for app and game developers.
🔍
Android Developers
Jetpack Kotlin Docs News
Platform Android Studio Google Play Jetpack Kotlin Docs News
Android Developers on YouTube Android Developers on LinkedIn Android Developers on Medium Follow Android Developers on Twitter
Google Play Site Google Play Apps & Games on LinkedIn Google Play Apps & Games on Medium Follow GooglePlayBiz on Twitter
Platform Android Studio Google Play Jetpack Kotlin Docs News More
Android Developers on YouTube Android Developers on LinkedIn Android Developers on Medium Follow Android Developers on Twitter
|
Google Play Site Google Play Apps & Games on LinkedIn Google Play Apps & Games on Medium Follow GooglePlayBiz on Twitter

26 October 2023

Make the passkey endpoints well-known URL part of your passkey implementation

Share on Twitter Share on Facebook Share on LinkedIn Share in mail Copy link
Link copied to clipboard
Posted by Amy Zeppenfeld – Developer Relations Engineer

Passkeys are leading the charge towards a more secure future without passwords. Passkeys are a new type of cryptographic credential that leverages FIDO2 and WebAuthn to provide an authentication mechanism that is phishing-resistant, user friendly, simple to implement, and more secure than password-based authentication. Most major operating systems and browsers now feature full passkey support. Passkeys are expected to replace passwords as the predominant authentication mechanism in the not-too-distant future, and developers are advised to begin implementing passkey-enabled authentication solutions today.

As you implement passkeys in your app or web service, take a moment to implement a passkey endpoints well-known URL.

This is a standardized way to advertise your support for passkeys and optimize user experience. This well-known URL will allow third party services like password managers, passkey providers, and other security tools to direct users to enroll and manage their passkeys for any site that supports them. You can use app-links or deep linking with the passkey-endpoints well-known URL to allow these pages to open directly in your app.

Password management tool usage has been steadily rising, and we expect most providers will integrate passkey management as well. You can allow third party tools and services to direct your users to your dedicated passkey management page by implementing the passkey-endpoints well-known URL.

The best part is that in most cases you can implement this feature in two hours or less! All you need to do is host a simple schema on your site. Check out the example below:

  1. For a web service at https://example.com, the well-known URLwould be https://example.com/.well-known/passkey-endpoints
  2. When the URL is queried, the response should use the following schema:
{
 "enroll": "https://example.com/account/manage/passkeys/create",
  "manage": "https://example.com/account/manage/passkeys"
}

Note: You can decide the exact value of the URLs for both enroll and manage based on your website’s own configuration.

If you have a mobile app, we strongly recommend utilizing deep linking to have these URLs open the corresponding screen for each activity directly in your app to “enroll” or “manage” passkeys. This will keep your users focused and on track to enroll into passkeys.

And that’s it!

Further details and examples can be found in the passkey endpoints well-known URL explainer.

Best Practices Learn mobile Privacy Security Web

Google developers blog

Google Developers Blog

Connect

Android Developers
Android Developers on YouTube Android Developers on LinkedIn Android Developers on Medium Follow Android Developers on Twitter
Google Play Site Google Play
Google Play Apps & Games on LinkedIn Google Play Apps & Games on Medium Follow GooglePlayBiz on Twitter

Subscribe