Libraries

Selection criteria#

Companies that want to own passwordless authentication internally, or are looking to implement a turnkey solution for passkeys, will likely look for libraries or vendors. When selecting a library to implement passkeys, what should Relying Party developers keep an eye on?

Note: A small set of these criteria are not specific to passkeys, but are useful to keep in mind when selecting an open-source solution.

WebAuthn versions and capabilities#

• Version: Check which version of the spec the library supports (Level 2, Level 3…)
• Features and capabilities: Check whether the library includes key features and capabilities for your use case.
  • Does the library help with generating registration and authentication options? Does it help with verification of the registration and authentication response? From a Relying Party perspective, these are the key steps of your implementation; make sure the library you select provides useful functions for these steps.
  • If you’re thinking of using attestation features:
    • Does the library help leverage FIDO MDS in some way?
    • Can it verify all attestation statement formats?

Verification steps#

Check whether the library follows the necessary verification steps:

• During registration
• During authentication

UX#

If you’re looking for a library offering UI elements:

• Visual consistency: Check that the solution uses standardized icons.
• Clear language: Instructions using plain language are critical for broader user understanding. Prioritize solutions aligned with the FIDO UX guidelines.

More UX/UI guidelines can be found on Google Identity: Communicating passkeys to users and Passkeys user interface design.

Developer experience#

• Full-stack coverage: A library that offers tightly-integrated frontend and backend components, like in SimpleWebAuthn, can streamline your integration.
• Developer documentation: Check that the library has a maintained docs website to ease the integration process.

Developer involvement and maintenance#

• Open-source maintenance: For open-source options, investigate their community activity. A few active issues, or many issues with up-to-date labels (assuming these require manual assignment), and comments by contributors, are all signals of an active community.
• Note that standards can be slow-moving! As a result, WebAuthn/passkey libraries can go a long time between updates if there aren’t any real issues with it—but it doesn’t mean they’re unmaintained.

Licensing#

Review the solution’s licensing model (e.g., MIT, Apache, commercial) in the context of your project.

Updated for passkeys#

Rust#

• webauthn_rs: WebAuthn for Rust Server Applications (William Brown)

TypeScript#

• SimpleWebAuthn (Matthew Miller)

Java#

• java-webauthn-server (Yubico)

Other FIDO2/WebAuthn libraries#

The “Awesome WebAuthn” GitHub repo is also regularly updated with libraries from the community.

.NET#

• FIDO2 .NET Library (Anders Åberg, Alex Seigler)

Go#

• Go WebAuthn Library (Fork of Duo Labs library)

Java#

• WebAuthn4J (Yoshikazu Nojima)

Python#

• py_webauthn (Duo Labs)

Ruby#

• webauthn-ruby (Cedarcode)
• devise-passkeys (Ruby Passkeys, wrapper around webauthn-ruby)
• warden-webauthn (Ruby Passkeys, wrapper around webauthn-ruby)