Passkeys in Tesseral

Passkeys offer a secure authentication method for Users in Tesseral

What is a Passkey?

A Passkey is a modern, secure alternative to passwords, based on public-key cryptography. It enables Users to authenticate using the authentication methods already built into their device (such as biometric authentication).

When a User registers a Passkey, Tesseral stores a public key and a few additional metadata fields. The corresponding private key stays on the User’s device. During login, Tesseral verifies the User’s identity by confirming a cryptographic signature generated by the private key.

Within Tesseral, Passkeys are secondary authentication factors, meaning that they are used in conjunction with a primary authentication method (like a password or SSO). This two-factor approach enhances security by requiring both something the User knows (the primary factor) and something the User has (the Passkey).

Properties of Passkeys

Passkeys in Tesseral are associated with Users and expose the properties described in the sections below.

Passkeys and Users

Each Passkey is linked to a single User through the userId field. Users can register multiple Passkeys, typically one per device. When a User authenticates, Tesseral verifies the signature using the public key associated with their Passkey.

This allows seamless, secure sign-in across different devices and sessions.

Learn more about Users here.

Passkeys and Authentication

Tesseral supports Passkeys via WebAuthn-compatible flows. This includes support for biometric authenticators, security keys, and platform authenticators across iOS, Android, Windows, macOS, and Linux.

Passkeys help protect against phishing, credential stuffing, and other common attack vectors.

Top-level properties of Passkeys

ID

Each Passkey has a unique identifier in Tesseral, represented by the id field. Passkey IDs always begin with the prefix passkey_.

Example: passkey_2mk0zv3qt9fdn2d5gq8ae13yh

User ID

The userId field identifies the User to whom the Passkey belongs. This must match the ID of an existing Tesseral User (e.g. user_83n6pr2lz5tmgdc7w45j1ybm8).

Create time

The createTime field is a timestamp indicating when the Passkey was first registered with Tesseral.

Update time

The updateTime field records the most recent time the Passkey record was modified—for example, due to changes in metadata or status.

Disabled

The optional disabled field is a boolean flag indicating whether the Passkey has been disabled. A disabled Passkey cannot be used for authentication but remains in the system for auditing purposes.

Credential ID

The credentialId field contains a binary value uniquely identifying the credential. This is used during the authentication ceremony to look up the correct Passkey.

Public key

The publicKeyPkix field contains the PEM-encoded PKIX public key associated with the Passkey. This key is used to verify authentication assertions from the User’s device.

Example:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...
-----END PUBLIC KEY-----

AAGUID

The aaguid (Authenticator Attestation GUID) identifies the model of the authenticator used to create the Passkey. It can be useful for auditing or applying policies based on device type.

Relying party ID

The rpId represents the relying party (RP) for which the Passkey is valid. In most cases, this corresponds to your Tesseral Vault domain (e.g. project_xxxxxxxx.tesseral.app, vault.yourcompanydomain.com).
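As an added example (not Tesseral's own code), the Go program below simulates both sides of the ceremony this page describes: registration keeps the private key on the device and stores only the PEM-encoded PKIX public key, the credentialId and the rpId, and login verifies the device's ES256 signature over authenticatorData and the hash of clientDataJSON with that stored public key, after checking the credentialId lookup, the disabled flag, the rpIdHash and the user-presence flag. The Passkey struct, the Register, Sign and VerifyAssertion functions, the in-memory map used as the store and the rpId vault.example.com are all assumptions of this example. It goes beyond the page in showing the full verification order; a production verifier additionally checks the challenge and origin in clientDataJSON and the signature counter, which this example leaves out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
)

// Passkey holds the fields this page describes; the struct itself is constructed for this example.
type Passkey struct {
	ID, UserID    string
	Disabled      bool
	CredentialID  []byte
	PublicKeyPKIX string // PEM-encoded PKIX public key (publicKeyPkix)
	RPID          string // rpId
}

// Assertion carries what the User's device returns at login.
type Assertion struct {
	CredentialID, AuthenticatorData, ClientDataJSON, Signature []byte
}

// signedDigest is the ES256 message: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	ch := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), ch[:]...))
	return d[:]
}

// VerifyAssertion performs the relying-party checks in order: credentialId lookup, disabled flag,
// rpIdHash, user-presence flag, and finally the signature with the stored public key.
func VerifyAssertion(store map[string]*Passkey, a Assertion) (*Passkey, error) {
	pk, ok := store[string(a.CredentialID)]
	if !ok {
		return nil, errors.New("unknown credentialId")
	}
	if pk.Disabled {
		return nil, errors.New("passkey is disabled")
	}
	rpIDHash := sha256.Sum256([]byte(pk.RPID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], rpIDHash[:]) {
		return nil, errors.New("authenticatorData malformed or rpIdHash mismatch")
	}
	if a.AuthenticatorData[32]&0x01 == 0 {
		return nil, errors.New("user presence (UP) flag not set")
	}
	block, _ := pem.Decode([]byte(pk.PublicKeyPKIX))
	if block == nil {
		return nil, errors.New("publicKeyPkix is not valid PEM")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("example handles ECDSA (ES256) keys only")
	}
	if !ecdsa.VerifyASN1(ecPub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return nil, errors.New("signature verification failed")
	}
	return pk, nil
}

// Register simulates the device side of registration: a fresh P-256 key pair is generated
// and only the public half (PEM PKIX) goes into the Passkey record the server keeps.
func Register(id, userID, rpID string) (*ecdsa.PrivateKey, *Passkey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	credID := make([]byte, 16)
	rand.Read(credID) // constructed credentialId; crypto/rand fills the buffer fully
	pemText := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return priv, &Passkey{ID: id, UserID: userID, CredentialID: credID, PublicKeyPKIX: string(pemText), RPID: rpID}, nil
}

// Sign simulates the device at login: it builds authenticatorData (rpIdHash || flags || counter)
// for rpID and signs it together with the clientDataJSON hash using the private key.
func Sign(priv *ecdsa.PrivateKey, credID []byte, rpID string, clientDataJSON []byte) (Assertion, error) {
	h := sha256.Sum256([]byte(rpID))
	authData := append(h[:], 0x01, 0, 0, 0, 1) // flags = UP, signature counter = 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, clientDataJSON))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{CredentialID: credID, AuthenticatorData: authData, ClientDataJSON: clientDataJSON, Signature: sig}, nil
}
```

A useful property of this layout is that every rejection happens before the expensive signature check, and a Passkey with disabled set is refused even though its public key and credentialId are still in the store, which matches the auditing behaviour described under the Disabled property.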