# Device-bound passkeys

On its own, WebAuthn covers passkey registration and authentication but has no concept of device trust, that is, the ability to verify whether a device is known and to enforce access policies based on it. To bind a device to a user, include device information in the registration payload. When `deviceInfo` is included in the `webauthn_encoded_result`, Mosaic associates the registering device with the user within the application. To control which device-bound passkeys are accepted at registration, for example by requiring attestation or restricting specific authenticator models, see [Passkey attestation and restrictions](/guides/user/passkey_attestation).

When the user later authenticates with a passkey, the **ID token** may include a `device_keys` claim—an array of device keys representing all devices registered for that user in the application (see the [ID token reference](/openapi/id_token_reference)).

This list includes devices registered during passkey registration (when `deviceInfo` is provided) as well as devices registered through other flows, such as the [Register device](/guides/orchestration/journeys/register_device) step. This allows you to implement device-aware authentication logic.

## Include device information during registration

- **Mobile SDKs**: the iOS and Android SDKs automatically include `deviceInfo` in the encoded result. No additional configuration is required.
- **Web or custom implementations**: you must construct the payload manually by combining:
  - the WebAuthn attestation data returned by the `webauthn.register()` call
  - a `deviceInfo` object containing:
    - `publicKeyId` (string): the identifier of the device key
    - `publicKey` (string, typically PEM-encoded): the public half of the device key

The device key material should be generated using the same mechanism used for [device crypto-binding](/guides/user/how_devices_work), or obtained from prior flows such as [Register device](/guides/orchestration/journeys/register_device). Only the public key is sent in this payload; the private key must stay on the device, ideally in non-exportable storage, because it is what later proves that the same device is present.

## Example of decoded payload

The following shows the **decoded** payload (WebAuthn fields omitted with `...`). Decode the result returned by `webauthn.register()`, add the `deviceInfo` object, and re-encode the full object in the same form before sending it as `webauthn_encoded_result` in the `ido.submitClientResponse()` call:

```json
{
  "...": "WebAuthn attestation fields from credential creation",
  "deviceInfo": {
    "publicKeyId": "xxxyyyzzz",
    "publicKey": "-----BEGIN RSA PUBLIC KEY-----\n...\n-----END RSA PUBLIC KEY-----\n"
  }
}
```