Cratopus icon

Account Recovery

When prioritizing hardware-bound passkeys as a primary authentication method, users will inevitably lose access to their devices. Crate addresses this through the Account Recovery flow.

The Recovery Flow

When a user loses their primary device, they need a secure way to regain access to their identity and register a new passkey.

  1. Verify Identity via Fallback: The user initiates a recovery request. Because their passkey is lost, you must verify them using an alternate method, such as a Magic Link sent to their verified email address or phone number.
  2. Begin Add Passkey: Once the user is authenticated via the fallback method (e.g., a magic link session), call the BeginAddPasskey endpoint to start the WebAuthn ceremony for a new device on the existing identity.
  3. Finish Add Passkey: The user registers their new passkey, and the FinishAddPasskey endpoint binds the new credential to their identity.

Cleaning Up Old Devices

After successful recovery, it is best practice to remove the lost passkey to prevent unauthorized access if the device is found.

Use the RemovePasskey endpoint (providing the CredentialId of the lost device) to revoke the old passkey from the user’s identity.