docs: add device authentication with PIN and biometrics guide#2673
docs: add device authentication with PIN and biometrics guide#2673hperl wants to merge 16 commits into
Conversation
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Append the iOS guide to the device authentication PIN page: prerequisites, a full Swift reference implementation, biometric-key notes, and the PIN change / secret rotation flows. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Remove the stale "second factor only" claims from the device binding page and cross-link the new first-factor PIN and biometrics page. Also fix a copy-paste error where the step-up step pointed at the settings flow instead of the login flow, and note the enrollment user_verification level. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Adds comprehensive documentation for using the deviceauthn strategy as a first factor via an app PIN or platform biometrics (AAL2 in one submission), and updates the existing device binding page to reflect this and fix flow/verb references. The new page is also wired into the Ory Network and OEL sidebars so it’s discoverable under Passwordless authentication.
Changes:
- Adds a new “Device authentication with PIN and biometrics” page with configuration, protocol details, diagrams, and iOS/Android reference implementations.
- Updates the existing “Device binding” page to remove outdated “second factor only” claims and correct step-up references to the login flow and POST submissions.
- Registers the new page in
sidebars-network.tsandsidebars-oel.ts.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| sidebars-oel.ts | Adds the new deviceauthn-pin doc entry to the OEL sidebar. |
| sidebars-network.ts | Adds the new deviceauthn-pin doc entry to the Network sidebar. |
| docs/kratos/passwordless/09_deviceauthn-pin.mdx | New guide page with protocol reference, diagrams, and client reference implementations. |
| docs/kratos/passwordless/08_deviceauthn.mdx | Updates device binding docs to point to first-factor usage and fixes flow/HTTP verb references. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| fun clientKeyId(signingKeyAlias: String): String = | ||
| sha256(keyStore.getCertificate(signingKeyAlias).publicKey.encoded) | ||
| .joinToString("") { "%02x".format(it) } |
| /// The flow's hidden deviceauthn_nonce node value: | ||
| /// base64(JSON {"nonce": "<base64 of 32 raw bytes>"}) → raw nonce bytes. | ||
| fun decodeNonce(nodeValue: String): ByteArray { | ||
| val json = String(Base64.decode(nodeValue, Base64.DEFAULT)) |
| static func aesCtr(key: [UInt8], iv: [UInt8], data: [UInt8]) -> [UInt8] { | ||
| var cryptor: CCCryptorRef? | ||
| CCCryptorCreateWithMode( | ||
| CCOperation(kCCEncrypt), CCMode(kCCModeCTR), CCAlgorithm(kCCAlgorithmAES128), | ||
| CCPadding(ccNoPadding), iv, key, key.count, nil, 0, 0, 0, &cryptor) | ||
| defer { CCCryptorRelease(cryptor) } | ||
| var out = [UInt8](repeating: 0, count: data.count) | ||
| var moved = 0 | ||
| CCCryptorUpdate(cryptor, data, data.count, &out, out.count, &moved) | ||
| return out | ||
| } |
| var salt = [UInt8](repeating: 0, count: 16) | ||
| _ = SecRandomCopyBytes(kSecRandomDefault, salt.count, &salt) | ||
| var iv = [UInt8](repeating: 0, count: 16) | ||
| _ = SecRandomCopyBytes(kSecRandomDefault, iv.count, &iv) |
| - **Require an unlocked device.** Create the sealing key so it is usable only while the device is unlocked | ||
| (`setUnlockedDeviceRequired(true)` on Android; `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` on iOS). |
📝 WalkthroughWalkthroughThe network and Ory Kratos documentation sidebars now include the ChangesPasswordless navigation
Estimated code review effort: 1 (Trivial) | ~2 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
The add-key examples still showed the client choosing and submitting client_key_id. The server now derives it as the lowercase-hex SHA-256 fingerprint of the key's public key (SubjectPublicKeyInfo, DER) and the add payload has no such field. Update the payloads, SDK snippets, reference steps, and diagrams accordingly, and align the availability wording with the new PIN page. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Dissolve the standalone "Device authentication with PIN and biometrics" page. Platform-agnostic content (how it works, configuration, protocol reference, client requirements, recovery, troubleshooting, security model) merges into the device binding overview; the iOS and Android reference implementations merge into the respective platform guides. Preserves the #pin-enrollment, #first-factor-login, #rotating-the-pin-secret, and #client-implementation-requirements anchors on the overview page. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The section now covers both second-factor binding and first-factor PIN/biometric login, so the strategy's umbrella name fits better. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The pages were listed in both the network and OEL sidebars; a doc can only display one sidebar, and the OEL one won the association, so navigating from the Ory Network sidebar into the section reshuffled the navigation to Ory Enterprise License. Sibling feature pages (passkeys, one-time codes) are network-only for the same reason. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Documents device authentication end to end and restructures it into a section with per-platform guides.
New structure:
kratos/passwordless/deviceauthn/first_factor, complete passwordless login via app PIN or platform biometrics (AAL2 in one request). Concepts (three-key model,user_verificationlevels), configuration (first_factor,pin_max_attempts,ios_biometric_first_factor, app-ID pinning), a byte-exact protocol reference for all flows (enrollment, PIN enrollment with challengeSHA256(nonce ‖ transport_public_key), biometric enrollment, step-up, first-factor login withpin_proof, secret rotation) with sequence diagrams, normative client implementation requirements, recovery/lockout, troubleshooting, and the security model.Corrections to existing content
client_key_idis server-assigned (the lowercase-hex SHA-256 fingerprint of the key's public key); the add-key examples no longer show a client-chosen ID and the guides show how to derive or read it.The previous
kratos/passwordless/deviceauthnURL is preserved; the platform pages are new URLs. Both the Ory Network and OEL sidebars get a "Device binding" category.Related Issue or Design Document
Documentation improvement; no issue reference required.
Checklist
🤖 Generated with Claude Code