diff --git a/docs/passkeys/introduction.md b/docs/passkeys/introduction.md index dc2b402..70ed9da 100644 --- a/docs/passkeys/introduction.md +++ b/docs/passkeys/introduction.md 
@@ -36,6 +36,12 @@ Synchronization and recovery are both supported natively by Apple and Google: - With Apple, Passkeys created on one device are synced through [iCloud Keychain](https://support.apple.com/en-us/HT204085) as long as the user is logged in with their Apple ID. Apple covers both syncing and recovery in ["About the security of passkeys"](https://support.apple.com/en-us/102195). For some additional detail, see [this Q&A with the passkey team](https://developer.apple.com/news/?id=21mnmxow). Apple's account recovery process is documented in [this support page](https://support.apple.com/en-us/HT204921). - With Google, [Google Password Manager](https://passwords.google/) syncs passkeys across devices seamlessly. Google has plans to support syncing more broadly across different operating systems, see [this support summary](https://developers.google.com/identity/passkeys/supported-environments#chrome-passkey-support-summary). Recovery is covered in [this FAQ ("What happens if a user loses their device?")](https://developers.google.com/identity/passkeys/faq#what_happens_if_a_user_loses_their_device): it relies on Google's overall [account recovery process](https://support.google.com/accounts/answer/7682439?hl=en) because passkeys are attached to Google accounts. +## OS and browser support + +Modern browsers have great support for passkeys with the exception of Firefox, which only supports security keys. See [caniuse](https://caniuse.com/passkeys) for detailed information. + +Support also varies by operating system: [this matrix](https://passkeys.dev/device-support/#matrix) has detailed information about OS-level support. + ## Betting on Webauthn and Passkeys We believe **it's time to move away from passwords** so we've built Turnkey without them. When you authenticate to Turnkey you'll be prompted to create a new passkey: diff --git a/docs/passkeys/options.md b/docs/passkeys/options.md index 3255a18..a14ad2e 100644 --- a/docs/passkeys/options.md 
+++ b/docs/passkeys/options.md @@ -72,6 +72,8 @@ This option, if set, restricts the type of authenticators that can be registered These options allow you to specify whether you want your users to create discoverable or non-discoverable credentials. See [Discoverable vs. non-discoverable](/passkeys/discoverable-vs-non-discoverable) for more information. Default values: `residentKey` is `discouraged` and `requireResidentKey` is `false`. +Important note: the default for `requireResidentKey` (`discouraged`) results in different outcomes based on OS: Android devices create non-discoverable credentials whereas iOS devices create discoverable credentials. If you want to create discoverable credentials whenever possible, set `requireResidentKey` to `false` and `residentKey` to `preferred`, which work across Android and iOS devices. + #### `userVerification` "User verification" refers to mechanisms on the authenticators themselves such as PIN codes or biometric/fingerprint readers. This flag can be set to:
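Review bot: In the docs/passkeys/introduction.md hunk, the added sentence "Modern browsers have great support for passkeys with the exception of Firefox, which only supports security keys" states a point-in-time fact with no date or version, so it will go stale silently while the linked caniuse page moves on. Suggest either qualifying it ("At the time of writing, ...") or dropping the Firefox specifics and letting the caniuse and passkeys.dev links carry the detail. The OS paragraph already defers to the matrix, so the browser paragraph could follow the same pattern.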
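Review bot: In the docs/passkeys/options.md hunk, the added note names the wrong option: it says "the default for `requireResidentKey` (`discouraged`)", but the unchanged line just above gives `residentKey` as `discouraged` and `requireResidentKey` as `false`, and `discouraged` is not a boolean. This should read "the default for `residentKey` (`discouraged`)", otherwise readers may try to set `requireResidentKey` to a string value. Minor wording point in the same sentence: "which work across Android and iOS devices" should be "which works", since it refers to the combination of settings.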