Android
Resources for passkeys in Android
Local Authenticator
External Authenticator
The platform authenticator in Android 9+ has the following capabilities:
Android 14 adds the following capabilities:
Android devices can be an authenticator for FIDO Cross-Device Authentication (CDA).
Android devices can be persistently linked to the browsers/platforms below:
macOS (Safari, Chromium-based browsers, and native apps), iOS (global), and iPadOS (global) do not support persistent linking.
When an authenticator is not persistently linked, a QR code must be scanned on every use.
Credential Manager is a new Android Jetpack API that supports multiple sign-in methods, including passkeys, in a single API, thus simplifying the integration for developers.
Credential Manager APIWebView is the embedded WebView (EWV) on Android. Embedded WebViews allow the calling app full control over the embedded web session, including modifying and intercepting requests, so many web platform features are limited in these contexts.
WebAuthn is currently not directly supported in embedded WebViews on Android, but adding additional code can allow you to break out of the EWV to call the platform’s Credential Manager APIs.
This is documented at Android Developer: “Integrate Credential Manager with WebView.
WebView docs @ Android DeveloperNOTE:
Embedded WebViews run in the context of the calling app, meaning only passkeys for the linked web domain (RP ID) can be created or used for sign in.
Said differently, only use EWV when sign in is handled by your own service (non-federated). When supporting multiple identity providers, System WebView should be used (see below).
Custom Tabs is the System WebView (SWV) on Android. All Web Platform features that are available in the user’s default browser, including WebAuthn, are available in a custom tab.
Sites loaded in Custom Tabs are isolated from the calling app and run in the context of the top level site, just like in a full browser. This means that sign in flows on third party domains, such as a federated identity provider, can use passkeys for signing in.
Users can configure a device PIN, pattern, and/or biometric (fingerprint or face) as their device screen lock. When a user interacts with a passkey on Android, one of these available screen unlock methods is used for user verification.
When biometrics are not configured or available, both passkey creation and authentication fall back to asking for the device PIN or pattern.
userVerification='required' and userVerification='preferred' are the same: it asks for the device PIN or pattern for both passkey creation and authentication. Since they fail locally if user verification fails, the server can always expect the UV flag to be true.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() returns true.userVerification='required' and userVerification='preferred' are the same:PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() returns false.