Struct PasskeyAuthMethod 

pub struct PasskeyAuthMethod {
    pub config: PasskeyConfig,
    pub token_manager: TokenManager,
    pub registered_passkeys: RwLock<HashMap<String, PasskeyRegistration>>,
}

Passkey/WebAuthn authentication method implementing FIDO2 standards.

PasskeyAuthMethod provides a pure Rust implementation of WebAuthn/FIDO2 passkey authentication, supporting both platform authenticators (built into devices) and roaming authenticators (USB security keys).

Features

• FIDO2/WebAuthn Compliance: Implements the latest WebAuthn Level 2 specification
• Cross-Platform Support: Works with Windows Hello, Touch ID, YubiKey, and other authenticators
• Phishing Resistance: Cryptographic binding to origin prevents phishing attacks
• Passwordless Authentication: Eliminates password-related vulnerabilities
• Multi-Device Support: Users can register multiple authenticators

Security Properties

• Public Key Cryptography: Each passkey uses unique key pairs
• Origin Binding: Passkeys are cryptographically bound to the website origin
• User Verification: Supports biometric and PIN-based user verification
• Replay Protection: Each authentication uses unique challenges
• Privacy: No biometric data leaves the user’s device

Authenticator Types Supported

• Platform Authenticators: Windows Hello, Touch ID, Android Biometrics
• Roaming Authenticators: YubiKey, SoloKey, other FIDO2 security keys
• Hybrid Transport: QR code-based authentication between devices

Registration Flow

1. Generate registration challenge with user and relying party information
2. Client creates credential using authenticator
3. Verify attestation and store public key
4. Associate passkey with user account

Authentication Flow

1. Generate authentication challenge
2. Client signs challenge with private key
3. Verify signature using stored public key
4. Return authentication result

Example

use auth_framework::methods::passkey::{PasskeyAuthMethod, PasskeyConfig};

let config = PasskeyConfig {
    rp_name: "Example Corp".to_string(),
    rp_id: "example.com".to_string(),
    origin: "https://example.com".to_string(),
    timeout: 60000,
    require_user_verification: true,
};

let passkey_method = PasskeyAuthMethod::new(config, token_manager)?;

// Register a new passkey
let challenge = passkey_method.start_registration("user123", "user@example.com").await?;

// Authenticate with passkey
let auth_challenge = passkey_method.start_authentication("user123").await?;

Thread Safety

This implementation is thread-safe and can be used in concurrent environments. The internal passkey storage uses RwLock for safe concurrent access.

Production Considerations

• Replace in-memory storage with persistent database in production
• Configure appropriate timeout values for user experience
• Implement proper error handling for unsupported browsers
• Consider implementing credential management for device changes

Fields

config: PasskeyConfig

token_manager: TokenManager

registered_passkeys: RwLock<HashMap<String, PasskeyRegistration>>

Storage for registered passkeys (in production, use a database)

Implementations

impl PasskeyAuthMethod

pub fn new(config: PasskeyConfig, token_manager: TokenManager) -> Result<Self>

Create a new passkey authentication method

pub async fn register_passkey( &mut self, _user_id: &str, _user_name: &str, _user_display_name: &str, ) -> Result<()>

Fallback for when passkeys feature is disabled

impl PasskeyAuthMethod

pub async fn advanced_verification_flow( &self, assertion_response: &str, expected_challenge: &[u8], stored_counter: u32, public_key_jwk: &Value, ) -> Result<AdvancedVerificationResult>

Advanced passkey verification with full WebAuthn compliance Implements proper signature verification, replay protection, and attestation validation

pub async fn cross_platform_verification( &self, assertion_response: &str, authenticator_types: &[AuthenticatorType], ) -> Result<CrossPlatformVerificationResult>

Cross-platform passkey verification for multiple authenticator types

Trait Implementations

impl AuthMethod for PasskeyAuthMethod

type MethodResult = MethodResult

type AuthToken = AuthToken

fn name(&self) -> &str

Get the name of this authentication method.

async fn authenticate( &self, credential: Credential, _metadata: CredentialMetadata, ) -> Result<Self::MethodResult>

Authenticate using the provided credentials.

fn validate_config(&self) -> Result<()>

Validate configuration for this method.

fn supports_refresh(&self) -> bool

Check if this method supports refresh tokens.

async fn refresh_token( &self, _refresh_token: String, ) -> Result<Self::AuthToken, AuthError>

Refresh a token if supported.

impl Debug for PasskeyAuthMethod

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.