A list of libraries for passkeys and FIDO2/WebAuthn
Selection criteria
Companies that want to own passwordless authentication internally, or are looking to implement a turnkey solution for passkeys, will likely look for libraries or vendors. When selecting a library to implement passkeys, what should
Relying Party
developers keep an eye on?
Note: A small set of these criteria are not specific to passkeys, but are useful
to keep in mind when selecting an open-source solution.
WebAuthn versions and capabilities
- Version: Check which version of the spec the library supports (
Level 2
,
Level 3
…)
- Features and capabilities: Check whether the library includes key features and capabilities for your use case.
- Does the library help with generating registration and authentication options? Does it help with verification of the registration and authentication response? From a Relying Party perspective, these are the key steps of your implementation; make sure the library you select provides useful functions for these steps.
- If you’re thinking of using attestation features:
- Does the library help leverage
FIDO MDS
in some way?
- Can it verify all attestation statement formats?
Verification steps
Check whether the library follows the necessary verification steps:
UX
If you’re looking for a library offering UI elements:
- Visual consistency: Check that the solution uses
standardized icons
.
- Clear language: Instructions using plain language are critical for broader user understanding. Prioritize solutions aligned with the
FIDO UX guidelines
.
More UX/UI guidelines can be found on Google Identity:
Communicating passkeys to users
and
Passkeys user interface design
.
Developer experience
- Full-stack coverage: A library that offers tightly-integrated frontend and backend components, like in
SimpleWebAuthn
, can streamline your integration.
- Developer documentation: Check that the library has a maintained docs website to ease the integration process.
Developer involvement and maintenance
- Open-source maintenance: For open-source options, investigate their community activity. A few active issues, or many issues with up-to-date labels (assuming these require manual assignment), and comments by contributors, are all signals of an active community.
- Note that standards can be slow-moving! As a result, WebAuthn/passkey libraries can go a long time between updates if there aren’t any real issues with it—but it doesn’t mean they’re unmaintained.
Licensing
Review the solution’s licensing model (e.g., MIT, Apache, commercial) in the
context of your project.
Updated for passkeys
Rust
TypeScript
Java
Other FIDO2/WebAuthn libraries
The
“Awesome WebAuthn”
GitHub repo is also regularly updated with libraries from the community.
.NET
Go
Java
Python
Ruby
Swift
Zig