Device-bound passkeys

By default, WebAuthn handles only passkey registration and does not include any concept of device trust (the ability to verify whether a device is known and to enforce access policies based on it). To bind a device to a user, include device information in the registration payload. When deviceInfo is included in the webauthn_encoded_result, Mosaic associates the registering device with the user within the application. To control which device-bound passkeys are accepted at registration, for example by requiring attestation or restricting specific authenticator models, see Passkey attestation and restrictions.

When the user later authenticates with a passkey, the ID token may include a device_keys claim, an array of device keys representing all devices registered for that user in the application (see the ID token reference).

This list includes devices registered during passkey registration (when deviceInfo is provided) as well as devices registered through other flows, such as the Register device step. This allows you to implement device-aware authentication logic.

Include device information during registration

  • When using mobile SDKs
    The iOS and Android SDKs automatically include deviceInfo in the encoded result. No additional configuration is required.

  • When using web or custom implementations
    You must construct the payload manually by combining:

    • WebAuthn attestation data returned by the webauthn.register() call
    • a deviceInfo object containing:
      • publicKeyId (string)
      • publicKey (string, typically PEM-encoded)

The device key material should be generated using the same mechanism used for device crypto-binding, or obtained from prior flows such as Register device.

Example of decoded payload

The following shows the decoded payload (WebAuthn fields omitted with ...). Encode the full object before sending it as webauthn_encoded_result in the ido.submitClientResponse() call:

{
  "...": "WebAuthn attestation fields from credential creation",
  "deviceInfo": {
    "publicKeyId": "xxxyyyzzz",
    "publicKey": "-----BEGIN RSA PUBLIC KEY-----\n...\n-----END RSA PUBLIC KEY-----\n"
  }
}
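The following is an added example for a web implementation, not Mosaic SDK code: it decodes the result returned by webauthn.register(), validates the deviceInfo fields described above, merges them into the object and re-encodes it for ido.submitClientResponse(). It assumes the SDK's encoded result is base64 of a JSON object (the page does not state the encoding); the sample attestation and PEM body are constructed.

```javascript
// Assumption: webauthn.register() returns base64-encoded JSON. Node.js Buffer is
// used for base64; in a browser, replace with atob/btoa plus a UTF-8 step.
function decodeResult(encoded) {
  const obj = JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    throw new Error("encoded result is not a JSON object");
  }
  return obj;
}

function encodeResult(obj) {
  return Buffer.from(JSON.stringify(obj), "utf8").toString("base64");
}

// Loose PEM shape check: header, base64 body lines, footer.
const PEM_RE = /^-----BEGIN [A-Z ]+-----\n[A-Za-z0-9+/=\n]+-----END [A-Z ]+-----\n?$/;

// Return only the two documented fields, rejecting anything malformed so a bad
// device key never reaches Mosaic silently.
function validateDeviceInfo(deviceInfo) {
  if (!deviceInfo || typeof deviceInfo !== "object") throw new Error("deviceInfo missing");
  const { publicKeyId, publicKey } = deviceInfo;
  if (typeof publicKeyId !== "string" || publicKeyId.length === 0) {
    throw new Error("deviceInfo.publicKeyId must be a non-empty string");
  }
  if (typeof publicKey !== "string" || !PEM_RE.test(publicKey)) {
    throw new Error("deviceInfo.publicKey must be a PEM-encoded string");
  }
  return { publicKeyId, publicKey };
}

// Build the value to pass as webauthn_encoded_result. The WebAuthn fields are
// kept untouched; deviceInfo is added as a sibling key.
function buildDeviceBoundResult(encodedWebauthnResult, deviceInfo) {
  const attestation = decodeResult(encodedWebauthnResult);
  if ("deviceInfo" in attestation) throw new Error("result already carries deviceInfo");
  return encodeResult({ ...attestation, deviceInfo: validateDeviceInfo(deviceInfo) });
}

// Constructed sample input standing in for the webauthn.register() output.
const SAMPLE_ATTESTATION = {
  id: "cred-123", rawId: "Y3JlZC0xMjM", type: "public-key",
  response: { clientDataJSON: "...", attestationObject: "..." },
};
// Constructed device key; a real one comes from device crypto-binding or Register device.
const SAMPLE_DEVICE_INFO = {
  publicKeyId: "xxxyyyzzz",
  publicKey: "-----BEGIN RSA PUBLIC KEY-----\nQUJDREVG\n-----END RSA PUBLIC KEY-----\n",
};
// Usage: ido.submitClientResponse(..., { webauthn_encoded_result: result })
const result = buildDeviceBoundResult(encodeResult(SAMPLE_ATTESTATION), SAMPLE_DEVICE_INFO);
```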