Back to all videos

Modernize authentication with passkeys, digital credentials, and more

By Chrome for Developers

User AuthenticationIdentity ManagementWeb API Development
Share:

Key Concepts

  • Identity Federation: Using a trusted third-party provider (e.g., Google) to authenticate users, eliminating the need for manual form entry.
  • Passkeys: A phishing-resistant, passwordless authentication standard based on public-key cryptography.
  • FedCM (Federated Credential Management): An API that improves privacy and user experience for federated sign-ins.
  • Digital Credentials API: A framework for verifying user attributes (like age or identity) via mobile wallets in a privacy-preserving manner.
  • Signal API: A tool to synchronize the state of passkeys between the application and the user's credential provider.
  • Conditional UI: A browser feature that integrates passkeys into standard autofill suggestions.
  • AAGUID (Authenticator Attestation GUID): A unique identifier for a specific model of authenticator, used to display provider logos.

1. Account Creation and Friction Reduction

The speakers emphasize that high-friction sign-up forms are a primary cause of user churn.

  • Identity Federation: Recommended as the default sign-up method. It allows users to authorize providers to share verified attributes (email, name), bypassing manual verification steps.
  • "Federate, then Upgrade" Pattern: A strategy where an account is created via federation, followed by an immediate prompt to create a passkey for future device-agnostic access.
  • Form Optimization: If forms are necessary, use descriptive name and id attributes with correct autocomplete values (e.g., new-password, email) to enable browser-assisted autofill.

2. User Attribute Verification

  • Email Verification Protocol: A browser-mediated, three-way handshake between the email provider, the browser, and an issuer. It eliminates the "check your inbox" friction by using a first-party authentication cookie to verify email ownership without sending emails.
  • Digital Credentials API: Used for verifying sensitive attributes (e.g., legal name, age).
    • Three-Party Model: The Issuer (signs the claim), the Holder (user's device/wallet), and the Verifier (the application).
    • Privacy: The verifier only receives the specific requested data, and the user must explicitly approve the disclosure.

3. Sign-in Best Practices (Passkeys)

  • Immediate UI Mode: Introduced in Chrome 148, this allows the browser to present available credentials (passkeys/passwords) immediately upon sign-in.
    • Implementation: Call getClientCapabilities, then get with uiMode: 'immediate'.
  • Conditional Create: Allows silent enrollment of a passkey in the background if a user's password matches one stored in their manager.
    • Case Study: Adidas saw an 8% uplift in passkey creation using this method.
  • Cross-Platform Association: Use assetlinks.json (Android) to link web origins with native apps, ensuring passkeys created on the web work in the mobile app.

4. Maintaining Credential Health (Signal API)

To prevent "stale" passkeys (where a user deletes a passkey on the site but the provider still lists it), developers should use the Signal API:

  • signalUnknownCredential: Notifies the provider when a sign-in attempt uses a non-existent credential ID.
  • signalAllAcceptedCredentials: Syncs the list of valid passkeys after every sign-in or deletion.
  • signalCurrentUserDetails: Keeps user display names in sync across the provider's UI.

5. Account Recovery

  • Synced Passkeys: Most modern providers (e.g., Google Password Manager) use end-to-end encrypted cloud backups. If a device is lost, the user can recover access by signing into their account on a new device.
  • Fallback Mechanisms: If all passkey-enabled devices are lost, applications should fall back to the original federated identity provider or the email verification protocol to restore access.

Synthesis and Conclusion

The session advocates for a shift away from legacy authentication (passwords/OTPs) toward a phishing-resistant, user-first identity layer. By implementing the "federate, then upgrade" pattern, leveraging the Digital Credentials API for verification, and maintaining credential synchronization via the Signal API, developers can significantly improve conversion rates. As noted by the speakers, industry leaders like Pixiv have achieved a 99% login success rate by adopting these modern, low-friction technologies. The core takeaway is to prioritize browser-mediated flows that minimize context switching and maximize security.

Chat with this Video

AI-Powered

Load the transcript when you're ready to chat so the initial page stays lighter.

Related Videos

Ready to summarize another video?

Summarize YouTube Video