Native (browserless) mobile Passkeys with OpenID/OAuth 2.0

Justpass
3 min readNov 13, 2023

IF you have used any social logins (say sign-in with google) in mobile, you are probably familiar with the browser redirect or webview experience. The user is being redirected to their identity provider idP, (i.e. google), where they need to provide their login credentials, typically passwords. The identity provider (IdP) confirms users’ identity and the user is logged in to your app.

Security problems with webview in mobile environments are abound:

1- Cross-Site Scripting (XSS) Attacks: WebView can render HTML content, thus it is susceptible to XSS attacks, where malicious scripts can be injected into otherwise benign and trusted websites.

2- Access to Sensitive Data: WebViews might have access to sensitive app data or functions. If a WebView is not properly configured or if it allows loading untrusted content, making it a vector for data leakage or unauthorized actions.

3- JavaScript Interface Injection: In some cases, WebViews allow JavaScript code to interact with the native app layer. If this feature is not securely implemented, it can be exploited to execute harmful code or access sensitive app functions.

AND it does NOT make for a great User experience (see the flow below from OpenAI)

Solution: At justpass.me, we are obsessed with building more secure, native, browserless third and first-party passkeys experiences for our use cases.

We did so by extending the OpenID Connect (OIDC) protocol to allow native registration, building “connect” end-points that allow native integration between any IdP and our passkeys solutions

How would that work for my users?

The advantages are numerous:

1- If you rely on social logins as an Relying Party, you can now migrate your users effortlessly and securely to register passkeys natively on the web/mobile apps (see video above).

2- If you use IdPs such as Azure, Firebase or Cognito, you can enable passkeys now as part of more secure login/authentication flows in minutes without worrying about migrating from these IdPs.

3- If you are a financial institutions, a marketplace or a large platform building third-party wallets for your users (think Google Pay, Apple Pay, Pay with Amazon), providing a native browserless wallets for third-party apps is MUCH more secure (read the blog of our sister company here)

Take our passkeys Auth SDKs or APIs for a Test Drive

JustPass OIDC-compliant hosted login page marks a significant milestone in our journey to simplify user authentication. By seamlessly integrating with major identity providers, offering unified authentication experiences, and reducing the need for extensive code changes, we’re aiming to make Passage the easiest and most robust solution for integrating passkey auth on the market.

But don’t take our word for it. Create a free Justpass account and take the experience for a test drive. If you have any questions, our team is more than happy to chat.

--

--