Meta Engineering · February 4, 2026

Cross-Device Passkey Authentication for Screenless Devices

This article from Meta Engineering details a novel system design for enabling cross-device passkey authentication on devices lacking traditional displays, such as XR headsets, IoT devices, and smart home hubs. It outlines an architecture that bypasses QR codes by leveraging a companion mobile application and existing FIDO CTAP hybrid protocols to securely transfer authentication requests and facilitate user verification, thereby extending passwordless security to a wider ecosystem.


The article addresses a significant challenge in modern authentication: how to implement secure, phishing-resistant passkeys on devices without accessible displays. Traditional cross-device passkey flows rely heavily on QR codes for establishing a secure link between a relying party (e.g., a desktop) and a mobile authenticator. This method becomes impossible for devices like Meta Quest, smart home hubs, or industrial sensors. Meta's solution adapts the WebAuthn passkey flow and FIDO's CTAP hybrid protocol to overcome this display limitation.

The Challenge: QR Codes and User Intent for Screenless Devices

Standard cross-device passkey flows use QR code scanning and Bluetooth/NFC proximity. While proximity is feasible for discovery, confirming user intent without visual feedback on the inaccessible device poses security and usability risks. Users need clear assurance that they are approving the correct transaction on the correct device. This problem necessitates a secure message transport mechanism that can replace the QR code's role in conveying the authentication request payload and routing information.

Meta's Architectural Solution: Companion App as Secure Message Transport

Meta's architecture leverages an existing companion application (e.g., Meta Horizon app) that shares the same authenticated account as the inaccessible device. This companion app acts as a secure intermediary to transport the FIDO URL payload, which traditionally would be embedded in a QR code. The system uses authenticated push channels for reliable and secure delivery of this payload to the mobile authenticator.

The Cross-Device Passkey Flow Breakdown

  1. Hybrid Flow Message Generation: The inaccessible device (e.g., Meta Quest browser) constructs a FIDO URL containing the ECDH public key, session-specific secret, and routing info, similar to a QR code payload.
  2. Message Transfer via Companion App: Instead of a QR code, this FIDO URL is encoded as structured data within a GraphQL-based push notification and sent over the Meta Horizon app's authenticated push channel to the user's mobile device.
  3. Notification and App Activation: The mobile platform's push service surfaces a notification. Tapping it (or opening the app directly) deep-links into the Meta Horizon app, which then uses the system URL launcher to open the FIDO URL and invoke the OS passkey interface. This serves as a user consent surface.
  4. Hybrid Command Execution: Once the user approves on the mobile device, a secure BLE/NFC channel is established. The WebAuthn challenge is transmitted, and upon successful user verification, the mobile authenticator generates and sends the AuthenticatorAssertionResponse back to the inaccessible device, which then forwards it to the relying party server.

Design Principle: Leveraging Existing Infrastructure

This design effectively reuses existing infrastructure (companion apps, push notification services, and FIDO standards) to solve a new problem. This minimizes development effort and leverages established security boundaries, rather than inventing entirely new communication channels.

This innovative approach maintains the robust security of existing passkey frameworks while significantly enhancing usability for devices where a display is either absent or inaccessible. It demonstrates how core authentication protocols can be adapted for a burgeoning ecosystem of IoT, XR, and other screenless devices, pushing passwordless authentication beyond traditional desktop and mobile environments.

Tags: Passkeys, Authentication, XR, IoT, WebAuthn, FIDO, Distributed Authentication, Security Architecture
