Automatic Passkey Upgrades for Passwordless Accounts

My team is very interested in integrating the new automatic passkey upgrade functionality into our app. Our app does not currently use passwords, but instead utilizes phone number and SMS code verification to log in (along with email code verification if the device is unknown). While watching the session on automatic passkey upgrades, it is noted that the system/credential manager checks to ensure that a password was just autofilled for the same account before allowing an automatic passkey upgrade. Since our app does not use passwords, does this mean we are ineligible for taking advantage of automatic passkey upgrades? Or, is there something else we can do to ensure the upgrade goes through?

Answered by Systems Engineer in 791187022

I'm glad to hear you're excited! Unfortunately it sounds like you won't be able to use automatic passkey upgrades.

Having recently used AutoFill to fill a credential from a credential manager is an important part of the consent story when allowing the registration to be automatic. By performing that filling, the user has indicated to us that they're comfortable having a credential for this specific account stored in this specific credential manager and accessible in this specific context. The passkey in that scenario is an augmentation of data they already have saved and are actively using. For other types of sign in, we don't have that kind of strong indication of expectations and consent to allow it to be completely automatic.

All of that said, even in the modal case it's just a single tap to create a passkey. More sites are adopting passkeys every day, and people are getting more used to the concept of passkeys as being the fastest and easiest way to sign in.

