Cross-Device Passkey Authentication for XR Devices: No Display, No Problem


We are introducing a way to run cross-device passkey authentication on devices whose display cannot be used for the usual QR code hand-off, such as XR headsets. Instead of showing a QR code, the device delivers the same hybrid-flow request to the user's phone over an authenticated push channel; the proximity and trust checks of the hybrid flow are kept, only the QR scan is replaced. The approach builds on the FIDO Alliance's hybrid transport and is meant to extend passwordless, phishing-resistant sign-in to device classes that have had no practical way to use passkeys.

Passkeys are a phishing-resistant replacement for passwords. In the standard cross-device flow, the device you are signing in on displays a QR code, the user scans it with a nearby phone, and the passkey held on the phone is used to approve the sign-in. That hand-off breaks down on XR devices with head-mounted displays, where the user cannot point a phone camera at the screen they are wearing, and on devices with inaccessible displays such as smart home hubs. We have adapted the WebAuthn passkey flow and the FIDO CTAP hybrid transport so that the request can reach the phone without a visible QR code. The implementation ships today on Meta Quest devices running Meta Horizon OS, and the same pattern applies to screenless IoT and consumer-electronics devices that have a companion app.

Challenge: No Screen, No QR Code

The standard cross-device flow depends on two main mechanisms:

1. QR code scanning: The client device displays a QR code that the mobile device scans; the QR payload carries the key material needed to set up the secure link.
2. Bluetooth/NFC proximity: A short-range exchange proves that the two devices are physically near each other before the session proceeds.

A device without a usable display cannot show a QR code at all. Proximity-based discovery still works, but without on-device visual feedback the user has no way to confirm which device or which request they are approving, which hurts both security and usability.

Solution: Using a Companion App for Secure Message Transport

The companion app takes over the job the QR code normally does: carrying the login request to the mobile OS that hosts the authenticator. The request is delivered as a link and opened through the platform's link/intent handling. When a passkey login starts in the browser on Meta Quest, the browser builds the same payload it would have put in a QR code: a fresh ECDH public key plus routing information. Rather than rendering that payload as a QR code, the browser encodes it as a FIDO URL. The companion app sends the URL to the paired mobile device over its authenticated push channel, and the user sees a notification for the pending login request. Tapping the notification opens the FIDO URL, which hands the request to the phone's passkey flow exactly as a scanned QR code would.

Hybrid flow steps:

1. Hybrid Flow Message Generated: The browser builds the hybrid-flow payload (ephemeral ECDH public key and routing information) and embeds it in a FIDO URL.
2. Message Sent to Companion App: The FIDO URL is delivered over the Meta Horizon app's authenticated push channel to the user's paired phone.
3. Login Request Notification: A push notification shows the pending request. Tapping it opens the FIDO URL and starts the passkey flow on the phone.
4. Hybrid Command Executed: The user approves the request on the mobile device; the two devices establish the encrypted hybrid channel and exchange the WebAuthn challenge and assertion over it.
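The exchange described above, as an added example that is not Meta's code and not the Horizon OS implementation. It models the two halves: the headset encoding the hybrid-flow payload as a `FIDO:/` URL, and the companion app on the phone accepting that URL only from the paired headset, once, and within a short window, before handing it to the passkey handler. Everything here is stdlib Python. Assumptions that are not in the post: the headset and companion app share a symmetric pairing key (`pairing_key`) from when the phone was paired, and the push channel is authenticated with an HMAC under it; the URL body uses a fixed layout (33-byte compressed ECDH public key, 16-byte link secret, 4-byte timestamp, 2-byte tunnel index) rather than the CBOR map the CTAP 2.2 hybrid transport actually carries; the decimal "digit encoding" of the URL body follows CTAP 2.2 (7-byte little-endian chunks written as zero-padded decimal). The ECDH public key is a constructed stand-in; no key agreement is performed.

```python
import hashlib
import hmac
import secrets
import struct
import time

# CTAP 2.2 "FIDO:/" digit encoding: bytes are taken 7 at a time, each chunk is
# read as a little-endian integer and written as zero-padded decimal digits.
# A trailing partial chunk of n bytes uses the digit count below.
DIGITS_FOR_BYTES = {1: 3, 2: 5, 3: 8, 4: 10, 5: 13, 6: 15, 7: 17}
BYTES_FOR_DIGITS = {d: n for n, d in DIGITS_FOR_BYTES.items()}

# Assumed fixed payload layout (simplification of the spec's CBOR map):
#   33-byte compressed P-256 public key | 16-byte link secret | uint32 ts | uint16 tunnel index
BODY_LEN = 33 + 16 + 4 + 2
PUSH_MAX_AGE = 120  # seconds; a login request older than this is not shown to the user


def digit_encode(data: bytes) -> str:
    """Encode bytes as the decimal string that follows 'FIDO:/'."""
    out = []
    for i in range(0, len(data), 7):
        chunk = data[i:i + 7]
        out.append(str(int.from_bytes(chunk, "little")).zfill(DIGITS_FOR_BYTES[len(chunk)]))
    return "".join(out)


def digit_decode(digits: str) -> bytes:
    """Inverse of digit_encode; rejects chunk lengths and values that cannot be valid."""
    out = bytearray()
    for i in range(0, len(digits), 17):
        chunk = digits[i:i + 17]
        if not chunk.isdigit() or len(chunk) not in BYTES_FOR_DIGITS:
            raise ValueError("malformed FIDO URL digits")
        n = BYTES_FOR_DIGITS[len(chunk)]
        value = int(chunk)
        if value >= 256 ** n:
            raise ValueError("digit chunk out of range for its byte count")
        out += value.to_bytes(n, "little")
    return bytes(out)


def headset_build_fido_url(ecdh_pubkey: bytes, tunnel_index: int, now: int) -> tuple:
    """Browser on the headset: fresh link secret per login attempt, same payload a QR code would carry."""
    if len(ecdh_pubkey) != 33:
        raise ValueError("expected a compressed P-256 public key")
    link_secret = secrets.token_bytes(16)
    body = ecdh_pubkey + link_secret + struct.pack("<IH", now, tunnel_index)
    return "FIDO:/" + digit_encode(body), link_secret


def headset_push(pairing_key: bytes, fido_url: str, now: int) -> dict:
    """Companion-app push channel (assumed design): nonce + timestamp + HMAC over the URL."""
    nonce = secrets.token_hex(16)
    msg = f"{nonce}|{now}|{fido_url}".encode()
    return {"nonce": nonce, "ts": now, "url": fido_url,
            "mac": hmac.new(pairing_key, msg, hashlib.sha256).hexdigest()}


def parse_fido_url(url: str) -> dict:
    """What the phone's passkey handler does once the notification is tapped and the link opens."""
    if not url.startswith("FIDO:/"):
        raise ValueError("not a FIDO URL")
    body = digit_decode(url[len("FIDO:/"):])
    if len(body) != BODY_LEN:
        raise ValueError("unexpected hybrid payload length")
    ts, tunnel_index = struct.unpack("<IH", body[49:])
    return {"ecdh_pubkey": body[:33], "link_secret": body[33:49],
            "ts": ts, "tunnel_index": tunnel_index}


class PhoneCompanion:
    """Companion app on the phone: accept a login request only from the paired headset, once, and fresh."""

    def __init__(self, pairing_key: bytes):
        self.pairing_key = pairing_key
        self.seen_nonces = set()

    def accept_push(self, push: dict, now: int) -> dict:
        msg = f"{push['nonce']}|{push['ts']}|{push['url']}".encode()
        expected = hmac.new(self.pairing_key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, push["mac"]):
            raise PermissionError("push was not produced by the paired headset")
        if not (now - PUSH_MAX_AGE <= push["ts"] <= now + 5):
            raise PermissionError("stale or future-dated login request")
        if push["nonce"] in self.seen_nonces:
            raise PermissionError("replayed login request")
        self.seen_nonces.add(push["nonce"])
        return parse_fido_url(push["url"])


def demo_flow(now: int) -> dict:
    """Run one headset-to-phone exchange plus a replay and a forgery attempt; return the outcomes."""
    pairing_key = secrets.token_bytes(32)
    pubkey = b"\x02" + secrets.token_bytes(32)  # constructed stand-in for the ephemeral ECDH public key
    url, link_secret = headset_build_fido_url(pubkey, 0, now)
    push = headset_push(pairing_key, url, now)
    phone = PhoneCompanion(pairing_key)
    fields = phone.accept_push(push, now)
    results = {"url": url,
               "pubkey_match": fields["ecdh_pubkey"] == pubkey,
               "secret_match": fields["link_secret"] == link_secret}
    try:  # the same push delivered twice must not start a second login
        phone.accept_push(push, now)
        results["replay_rejected"] = False
    except PermissionError:
        results["replay_rejected"] = True
    forged = dict(push, url=headset_build_fido_url(b"\x03" + bytes(32), 0, now)[0])
    try:  # an attacker without the pairing key swaps in their own URL
        phone.accept_push(forged, now)
        results["tamper_rejected"] = False
    except PermissionError:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo_flow(int(time.time())))
```

The point to take from the phone side is that the push channel now carries the weight the camera used to: in the QR flow, scanning the code is itself proof that the user is in front of the device, so once the scan is replaced by a push, authenticity of the push (the HMAC under the pairing key), single use (the nonce set) and freshness (the timestamp window) are what stop a third party from putting a login request on the user's phone, and the hybrid flow's own proximity check still runs after the link opens.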

Impact and Future Direction

This implementation removes the dependency on an on-device display while keeping the proximity and trust requirements of the hybrid flow intact. It is a step toward passwordless authentication that works across ecosystems and reaches beyond phones and desktops into wearables and IoT devices. We will keep building on the FIDO Alliance's work to make secure sign-in both stronger and easier to use.
