Passkey-first authentication
Phishing-resistant by default. Users authenticate with biometrics or hardware keys — no passwords to steal, leak, or forget.
Phishing-resistant
Credentials are cryptographically bound to the origin. Attackers cannot intercept or replay passkey authentication challenges.
No shared secrets
Private keys never leave the user's device. Only public keys are stored on the server, eliminating credential stuffing and database breach risks.
Cross-device
Platform authenticators sync across devices via iCloud Keychain, Google Password Manager, or Windows Hello, enabling seamless authentication everywhere.
Single-step MFA
Passkeys combine possession (device) and inherence (biometric) factors in one step, meeting regulatory MFA requirements without friction.
0
passwords to manage
<2s
average login time
0
phishing-resistant
noo id puts passkeys front and center, built on the WebAuthn/FIDO2 standard with public-key cryptography that eliminates shared secrets entirely. Authentication takes under two seconds using biometrics or hardware keys, combining possession and inherence factors into a single phishing-resistant step.
How passkeys work
Passkeys replace passwords with a cryptographic key pair. A private key stays on the user's device; a public key is stored by noo id. The entire flow takes under two seconds.
User initiates login
The user visits the login page and the browser requests a challenge from noo id via the WebAuthn API.
Device authenticator responds
The device's secure enclave (Touch ID, Face ID, Windows Hello, or a hardware key) locates the credential bound to this origin.
Biometric verification
The user confirms with a biometric or PIN. The authenticator signs the challenge with the private key.
Server verifies signature
noo id verifies the signed challenge against the stored public key. If valid, a session token is issued.
Session established
The user is authenticated. No password was transmitted, stored, or typed at any point in the flow.
WebAuthn/FIDO2 standard
Passkeys are built on the Web Authentication standard published by the W3C and FIDO Alliance, implemented by all major browsers and operating systems.
- Origin-bound credentials — each passkey is tied to a specific domain, so phishing sites cannot use credentials from the legitimate site
- Attestation — authenticators cryptographically prove their make and model, enabling policies like 'only allow FIDO2-certified devices'
- User verification — the standard distinguishes between user presence (a tap) and user verification (biometric or PIN) for fine-grained policy control
- Discoverable credentials — resident keys allow passwordless login without entering a username first
- Full specification support — noo id implements the complete WebAuthn spec including attestation validation and credential management APIs
Passkey lifecycle management
Enrollment
Self-service registration during signup or from account settings, bulk enrollment invitations for enterprise rollouts, QR code enrollment for mobile devices, and support for multiple passkeys per user.
Usage
Automatic passkey selection on supported platforms, graceful fallback to password if passkeys are unavailable, and real-time sync across devices via platform vendors.
Revocation
Users can remove passkeys from account settings, administrators can revoke all passkeys on offboarding, and device wipe or factory reset triggers automatic revocation.
Monitoring
Audit logs for every passkey registration, usage, and removal event. Dashboards showing adoption rates per tenant or group and alerts for suspicious enrollment patterns.
Migration from passwords
Most organizations have existing password-based systems. noo id makes the transition to passkeys gradual, policy-driven, and fully reversible.
Enable hybrid mode
Users keep existing passwords while passkeys are offered as the primary option. Both methods work side by side to reduce support burden.
Drive enrollment
Set enrollment deadlines and send targeted invitations. Track adoption rates with built-in analytics and identify users who have not yet enrolled.
Enforce passkey-only policies
Gradually disable password login for enrolled users. Enforce passkey-only authentication for new hires and high-security groups.
Monitor and adjust
Measure authentication method usage across the organization. If needed, re-enable password login with a single toggle — passkey data is always preserved.
Passkeys eliminate phishing by design
Frequently asked questions
Which browsers and devices support passkeys? +
Passkeys are supported on all modern browsers (Chrome 108+, Safari 16+, Edge 108+, Firefox 119+) and platforms (iOS 16+, Android 9+, macOS Ventura+, Windows 10+). Coverage exceeds 95% of global users.
What happens if a user loses their device? +
Users can authenticate with any synced device (e.g., iPhone if they lost their MacBook) or use a recovery passkey registered during onboarding. Administrators can also manually reset passkey enrollment if needed.
How does migration from passwords to passkeys work? +
noo id supports progressive migration. Users can register passkeys alongside existing passwords, then administrators can gradually enforce passkey-only policies per group or tenant. The transition can be instant or phased over months.
How do we roll out passkeys in an enterprise with 10,000+ users? +
Start with a pilot group, measure adoption and support load, then expand in waves. noo id provides enrollment analytics, self-service setup flows, and helpdesk tools to reset passkeys. Most enterprises complete rollout in 3-6 months.