Account Recovery
When prioritizing hardware-bound passkeys as a primary authentication method, users will inevitably lose access to their devices. Crate addresses this through the Account Recovery flow.
The Recovery Flow
When a user loses their primary device, they need a secure way to regain access to their identity and register a new passkey.
- Verify Identity via Fallback: The user initiates a recovery request. Because their passkey is lost, you must verify them using an alternate method, such as a Magic Link sent to their verified email address or phone number.
- Begin Add Passkey: Once the user is authenticated via the fallback method (e.g., a magic link session), call the
BeginAddPasskeyendpoint to start the WebAuthn ceremony for a new device on the existing identity. - Finish Add Passkey: The user registers their new passkey, and the
FinishAddPasskeyendpoint binds the new credential to their identity.
Cleaning Up Old Devices
After successful recovery, it is best practice to remove the lost passkey to prevent unauthorized access if the device is found.
Use the RemovePasskey endpoint (providing the CredentialId of the lost device) to revoke the old passkey from the user’s identity.