Blazor Authentication with Passkeys in .NET 10

What are Passkeys?

Passkeys are a modern, passwordless authentication method using WebAuthn/FIDO2 standards. They use cryptographic key pairs instead of passwords, providing better security and user experience.

How Passkeys Work

  • Private Key: Stored securely on the user's device (hardware security module, Windows Hello, Touch ID, Face ID, or password manager)
  • Public Key: Stored by your web application
  • During authentication, the user proves possession of the private key without it ever leaving their device

Benefits of Passkeys

  • Phishing Resistant: Credentials are bound to specific domains
  • No Password to Remember: Uses biometrics or security keys
  • Stronger Security: Cryptographic authentication
  • Better UX: Faster login with fingerprint or face

Setting Up Passkeys in Blazor .NET 10

Step 1: Create Project with Identity

dotnet new blazor -o MyBlazorApp --auth Individual

Step 2: Enable Passkey Support

In Program.cs:

builder.Services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
    // Configure passkey options
    options.Passkey.ServerDomain = "yourdomain.com";
    options.Passkey.ExpectedOrigins.Add("https://yourdomain.com");
})
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders()
.AddPasskeys();

Step 3: Add Passkey Components

The Blazor Web App template with Individual authentication includes passkey components by default in .NET 10.

Passkey Configuration Options

builder.Services.Configure<IdentityPasskeyOptions>(options =>
{
    options.ServerDomain = "yourdomain.com";                    // Relying Party ID
    options.AuthenticatorTimeout = TimeSpan.FromSeconds(60);    // Timeout is a TimeSpan (60000 ms)
    options.ChallengeSize = 32;                                 // Challenge size in bytes
});

User Experience Flow

Registration:

  1. User creates account (password may still be required by default template)
  2. User navigates to account settings
  3. User clicks "Add Passkey"
  4. Browser prompts for biometric or security key
  5. Passkey is registered

Login:

  1. User clicks "Sign in with Passkey"
  2. Browser prompts for biometric or security key
  3. User is authenticated

Security Considerations

Recommended Limits

  • Set a maximum number of passkeys per user account
  • Set a maximum length for passkey display names
  • The Blazor template enforces both limits by default

HTTPS Required

Passkeys require HTTPS. Ensure your site has a valid TLS (SSL) certificate.

Supported Authenticators

  • Platform Authenticators: Windows Hello, Touch ID, Face ID
  • Roaming Authenticators: YubiKey, other FIDO2 security keys
  • Password Managers: 1Password, Bitwarden, etc.

Browser Support

Passkeys are supported in:

  • Chrome 67+
  • Firefox 60+
  • Safari 14+
  • Edge 79+

Troubleshooting

"Passkey registration failed"

  • Verify HTTPS is properly configured
  • Check ServerDomain matches your actual domain
  • Ensure browser supports WebAuthn

"Origin not allowed"

  • Add your domain to ExpectedOrigins
  • Include both www and non-www if needed
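
Both troubleshooting errors trace back to two comparisons WebAuthn requires of the server: the origin recorded in clientDataJSON must be an expected origin, and the authenticator data must begin with the SHA-256 hash of the RP ID (ServerDomain). The stand-alone sketch below is an added example, not ASP.NET Core Identity's own code; the PasskeyBindingCheck helper and the sample values are constructed for illustration, and challenge and signature verification are not shown.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Constructed sample values, not captured from a real authenticator.
var origins = new HashSet<string> { "https://yourdomain.com" };
byte[] authData = new byte[37]; // rpIdHash (32) + flags (1) + signCount (4)
SHA256.HashData(Encoding.UTF8.GetBytes("yourdomain.com")).CopyTo(authData, 0);
byte[] clientData = Encoding.UTF8.GetBytes(
    "{\"type\":\"webauthn.get\",\"challenge\":\"AAAA\",\"origin\":\"https://www.yourdomain.com\"}");

// The sample uses the www origin, which is absent from the expected set.
Console.WriteLine(PasskeyBindingCheck.Validate(
    clientData, authData, "yourdomain.com", origins, "webauthn.get") ?? "ok");

// Hypothetical helper for illustration; not an ASP.NET Core Identity API.
static class PasskeyBindingCheck
{
    // Returns null when both bindings hold, otherwise the rejection reason.
    public static string? Validate(byte[] clientDataJson, byte[] authenticatorData,
        string serverDomain, ISet<string> expectedOrigins, string expectedType)
    {
        JsonDocument doc;
        try { doc = JsonDocument.Parse(clientDataJson); }
        catch (JsonException) { return "clientDataJSON is not valid JSON"; }
        using (doc)
        {
            var root = doc.RootElement;
            if (root.ValueKind != JsonValueKind.Object) return "clientDataJSON is not an object";
            // "webauthn.create" for registration, "webauthn.get" for sign-in.
            if (Str(root, "type") != expectedType) return "unexpected ceremony type";
            // Exact match on scheme, host and port: www and non-www differ.
            if (Str(root, "origin") is not string origin || !expectedOrigins.Contains(origin))
                return "origin not allowed";
        }
        // Authenticator data begins with SHA-256 of the RP ID (ServerDomain).
        if (authenticatorData.Length < 37) return "authenticator data too short";
        byte[] expected = SHA256.HashData(Encoding.UTF8.GetBytes(serverDomain));
        return CryptographicOperations.FixedTimeEquals(authenticatorData.AsSpan(0, 32), expected)
            ? null : "RP ID hash mismatch";
    }

    static string? Str(JsonElement obj, string name) =>
        obj.TryGetProperty(name, out var v) && v.ValueKind == JsonValueKind.String
            ? v.GetString() : null;
}
```

Because the origin comparison is an exact string match, a site served from both www and non-www hosts needs each origin listed, while the RP ID hash only matches when ServerDomain is the value the passkey was registered under.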
