[Authentication] Discoverable passkey support #12092

@Luke-Oldenburg

Converted from discussion.

Originally posted by iamawatermelo March 23, 2025

Requested feature

I'd like HCB to support WebAuthn discoverable credentials (which is what normal people call passkeys) for simpler login on mobile devices, modern laptops and people with passkeys. Discoverable credentials means that a user ID of some sort is stored inside the passkey, removing one step in the authentication process.

Currently, HCB only supports WebAuthn non-discoverable credentials, which aren't passkeys.

Current 2FA flow

I was logging in to HCB, and this is roughly the flow I had to follow:

  • Enter my email address.
  • Click on "Security key".
  • Tap on my security key.
  • Open my inbox.
  • Enter a login code.
  • Finally, click "Continue".

This is mildly annoying.

Ideal flow

For people with passkeys, that would all shrink down to this:

  • Click on "Sign in with a passkey".
  • Enter the PIN for my security key.¹
  • Tap on my security key.

The two factors here are something you know (the PIN) and something you have (the security key).

For devices with biometrics, like modern phones and some modern laptops, it's even easier:

  • Click on "Sign in with a passkey".
  • Scan your fingerprint.¹

Again, the two factors here are something you are (your fingerprint) and something you have (your phone or laptop).


¹ Requires user verification
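
The following is an added example, not part of the original post and not HCB's code. It sketches the WebAuthn options that distinguish a discoverable (passkey) login from the current flow, plus the server-side check of the user-verification flag that footnote 1 depends on. Function names, the `example.test` RP ID and the sample data are assumptions.

```javascript
// Added example (not HCB code); all names and sample values are hypothetical.

// authenticatorSelection for navigator.credentials.create(): store the user
// handle on the authenticator (discoverable) and require PIN or biometric.
const passkeyAuthenticatorSelection = { residentKey: "required", userVerification: "required" };

// Options for navigator.credentials.get({ publicKey }) in a passkey login.
// An empty allowCredentials list asks for a discoverable credential, so no
// email has to be typed first.
function passkeyRequestOptions(challenge, rpId) {
  return { challenge, rpId, allowCredentials: [], userVerification: "required" };
}

const FLAG_UP = 0x01; // user present (key was tapped)
const FLAG_UV = 0x04; // user verified (PIN or biometric)

// Server-side checks specific to this flow. Signature, challenge, origin and
// rpIdHash verification are still needed and are left out of this sketch.
function checkPasskeyAssertion(authenticatorData, userHandle) {
  // authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
  if (authenticatorData.length < 37) return { ok: false, reason: "short authenticatorData" };
  const flags = authenticatorData[32];
  if (!(flags & FLAG_UP)) return { ok: false, reason: "user not present" };
  // Without UV the assertion proves possession only, which is a single factor.
  if (!(flags & FLAG_UV)) return { ok: false, reason: "user not verified" };
  // A discoverable credential returns the user handle stored at registration;
  // that is what replaces the "enter my email address" step.
  if (!userHandle || userHandle.length === 0) return { ok: false, reason: "no user handle" };
  return { ok: true, userId: new TextDecoder().decode(userHandle) };
}

// Constructed sample data: zeroed rpIdHash, chosen flags, signCount 1.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  data[36] = 1;
  return data;
}

const handle = new TextEncoder().encode("user-1234"); // constructed user ID
console.log(passkeyRequestOptions(new Uint8Array(32), "example.test"));
console.log(checkPasskeyAssertion(sampleAuthData(FLAG_UP | FLAG_UV), handle));
console.log(checkPasskeyAssertion(sampleAuthData(FLAG_UP), handle));
console.log(checkPasskeyAssertion(sampleAuthData(FLAG_UP | FLAG_UV), null));
```

Requesting `userVerification: "required"` in the browser is not enough on its own; the server has to reject assertions whose UV flag is clear, as the second sample call shows.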
