Skip to content

docs: add device authentication with PIN and biometrics guide#2673

Open
hperl wants to merge 23 commits into
masterfrom
deviceauthn-pin-docs
Open

docs: add device authentication with PIN and biometrics guide#2673
hperl wants to merge 23 commits into
masterfrom
deviceauthn-pin-docs

Conversation

@hperl

@hperl hperl commented Jul 10, 2026

Copy link
Copy Markdown
Member

Documents device authentication end to end and restructures it into a section with per-platform guides.

New structure: kratos/passwordless/deviceauthn/

  • Overview (keeps the existing URL): both modes — second-factor device binding and, with first_factor, complete passwordless login via app PIN or platform biometrics (AAL2 in one request). Concepts (three-key model, user_verification levels), configuration (first_factor, pin_max_attempts, ios_biometric_first_factor, app-ID pinning), a byte-exact protocol reference for all flows (enrollment, PIN enrollment with challenge SHA256(nonce ‖ transport_public_key), biometric enrollment, step-up, first-factor login with pin_proof, secret rotation) with sequence diagrams, normative client implementation requirements, recovery/lockout, troubleshooting, and the security model.
  • Android / iOS guides: the full per-platform journey — second-factor binding plus PIN and biometric first factor — with complete copy-pasteable reference implementations (Keystore/BouncyCastle HPKE on Android incl. a fail-closed hardware check for the sealing key; App Attest/CryptoKit HPKE/Secure Enclave on iOS). The 2FA-vs-PIN attestation-challenge difference is called out where integrations commonly break.
  • Dart/Flutter guide: the native-bridge pattern.

Corrections to existing content

  • client_key_id is server-assigned (the lowercase-hex SHA-256 fingerprint of the key's public key); the add-key examples no longer show a client-chosen ID and the guides show how to derive or read it.
  • Removed the outdated "can only be used as a second factor" claims.
  • Step-up examples now reference the login flow (previously linked the settings flow); sequence diagrams use POST for flow submission.

Deployment structure (added 2026-07-13)

The section ships migrated to the deployment structure from AGENTS.md (#2674): page bodies live in shared partials under src/components/Shared/kratos/passwordless/deviceauthn/, exposed via shell pages under docs/network/... and docs/oel/... with canonicals pointing to the Network URLs. Both the Ory Network and OEL sidebars carry a "Device authentication" category (OEL under a new "Authentication" category), so OEL readers keep their navigation context. The previous public URL /docs/kratos/passwordless/deviceauthn 308-redirects to the Network page; the platform sub-pages are new URLs that only ever exist under the deployment paths.

The cross-page links from the platform guides deep-link into the overview's sections; to support that, SameDeploymentLink's dev-time existence check now strips #fragments before comparing against doc ids (one-line change, no runtime behavior change).

Coordination with #2675 (passwordless + MFA migration, same structure): whichever PR lands second merges the OEL "Authentication" category items and, if #2675 lands first, this branch's docs/kratos/mfa/01_overview.mdx link edit moves into the refreshed shared partial as a SameDeploymentLink with an oss= override.

Related Issue or Design Document

Documentation improvement. The deployment-structure migration addresses #2674 for this section.

Checklist

  • I have read the contributing guidelines and signed the CLA.
  • I have referenced an issue containing the design document if my change introduces a new feature.
  • I have read the security policy.
  • I confirm that this pull request does not address a security vulnerability.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Documentation
    • Updated documentation navigation to introduce a dedicated “Device authentication” section under Authentication, with an index and platform-specific guides (Android, iOS, Flutter).
    • Added a permanent redirect from the old device-authn docs path to the new network path to keep existing links working.
  • Chores
    • Improved Markdown/MDX formatting handling for device-authn related content to avoid parsing issues with long inline components.

hperl and others added 10 commits July 10, 2026 17:58
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Append the iOS guide to the device authentication PIN page: prerequisites,
a full Swift reference implementation, biometric-key notes, and the PIN
change / secret rotation flows.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Remove the stale "second factor only" claims from the device binding
page and cross-link the new first-factor PIN and biometrics page. Also
fix a copy-paste error where the step-up step pointed at the settings
flow instead of the login flow, and note the enrollment user_verification
level.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 10, 2026 18:29
@hperl hperl self-assigned this Jul 10, 2026
@hperl
hperl requested review from piotrmsc and wassimoo as code owners July 10, 2026 18:29

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds comprehensive documentation for using the deviceauthn strategy as a first factor via an app PIN or platform biometrics (AAL2 in one submission), and updates the existing device binding page to reflect this and fix flow/verb references. The new page is also wired into the Ory Network and OEL sidebars so it’s discoverable under Passwordless authentication.

Changes:

  • Adds a new “Device authentication with PIN and biometrics” page with configuration, protocol details, diagrams, and iOS/Android reference implementations.
  • Updates the existing “Device binding” page to remove outdated “second factor only” claims and correct step-up references to the login flow and POST submissions.
  • Registers the new page in sidebars-network.ts and sidebars-oel.ts.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

File Description
sidebars-oel.ts Adds the new deviceauthn-pin doc entry to the OEL sidebar.
sidebars-network.ts Adds the new deviceauthn-pin doc entry to the Network sidebar.
docs/kratos/passwordless/09_deviceauthn-pin.mdx New guide page with protocol reference, diagrams, and client reference implementations.
docs/kratos/passwordless/08_deviceauthn.mdx Updates device binding docs to point to first-factor usage and fixes flow/HTTP verb references.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread docs/kratos/passwordless/09_deviceauthn-pin.mdx Outdated
Comment thread docs/kratos/passwordless/09_deviceauthn-pin.mdx Outdated
Comment thread docs/kratos/passwordless/09_deviceauthn-pin.mdx Outdated
Comment thread docs/kratos/passwordless/09_deviceauthn-pin.mdx Outdated
Comment thread docs/kratos/passwordless/09_deviceauthn-pin.mdx Outdated
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 46e47f5e-7daa-41b4-bfb2-a6e9d387cccf

📥 Commits

Reviewing files that changed from the base of the PR and between c2497bd and f25269f.

⛔ Files ignored due to path filters (2)
  • src/components/Shared/kratos/01_mfa-overview.mdx is excluded by !**/*.mdx
  • src/components/Shared/kratos/passwordless/deviceauthn/flutter.mdx is excluded by !**/*.mdx
📒 Files selected for processing (4)
  • .prettierrc.js
  • sidebars-network.ts
  • sidebars-oel.ts
  • vercel.json
🚧 Files skipped from review as they are similar to previous changes (2)
  • .prettierrc.js
  • sidebars-oel.ts

📝 Walkthrough

Walkthrough

Device authentication documentation navigation now exposes an index and Android, iOS, and Flutter pages in both sidebars. The former Kratos passwordless URL permanently redirects to the network path, and Prettier’s MDX override now covers device-authentication partials.

Changes

Device authentication documentation

Layer / File(s) Summary
Reorganize navigation and redirect legacy URL
sidebars-network.ts, sidebars-oel.ts, vercel.json
Replaces standalone device-authentication sidebar entries with platform-specific categories and permanently redirects the previous path to the network documentation path.
Extend deviceauthn MDX formatting
.prettierrc.js
Adds device-authentication MDX partials to the Prettier override and documents the related parsing issue.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Possibly related PRs

  • ory/docs#2447: Updates navigation around the existing kratos/passwordless/deviceauthn documentation path.
  • ory/docs#2636: Also changes documentation redirect behavior in vercel.json.

Suggested reviewers: piotrmsc, vinckr, zepatrik, unatasha8, wassimoo

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the main change: adding device authentication documentation with PIN and biometrics.
Description check ✅ Passed The PR description covers the changes, related issue, checklist items, and deployment notes, with only minor template items left unfilled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch deviceauthn-pin-docs

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install timed out. The project may have too many dependencies for the sandbox.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

The add-key examples still showed the client choosing and submitting
client_key_id. The server now derives it as the lowercase-hex SHA-256
fingerprint of the key's public key (SubjectPublicKeyInfo, DER) and the
add payload has no such field. Update the payloads, SDK snippets,
reference steps, and diagrams accordingly, and align the availability
wording with the new PIN page.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
hperl and others added 2 commits July 11, 2026 16:28
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Dissolve the standalone "Device authentication with PIN and biometrics"
page. Platform-agnostic content (how it works, configuration, protocol
reference, client requirements, recovery, troubleshooting, security model)
merges into the device binding overview; the iOS and Android reference
implementations merge into the respective platform guides. Preserves the
#pin-enrollment, #first-factor-login, #rotating-the-pin-secret, and
#client-implementation-requirements anchors on the overview page.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The section now covers both second-factor binding and first-factor
PIN/biometric login, so the strategy's umbrella name fits better.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The pages were listed in both the network and OEL sidebars; a doc can
only display one sidebar, and the OEL one won the association, so
navigating from the Ory Network sidebar into the section reshuffled the
navigation to Ory Enterprise License. Sibling feature pages (passkeys,
one-time codes) are network-only for the same reason.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Check CommonCrypto and SecRandomCopyBytes status codes in the Swift
reference (structural failures throw instead of proceeding with zeroed
or undefined buffers), decode the nonce JSON as UTF-8 and hex-encode
the key fingerprint explicitly unsigned in the Kotlin reference, and
state the API 28+ floor for setUnlockedDeviceRequired in the hard
rules.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Shared partials under src/components/Shared/kratos/passwordless/deviceauthn
with Network and OEL shell pages and per-deployment sidebar entries, so the
section ships migrated (#2674) and OEL keeps navigation context. The old
public URL redirects to the Network page.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
SameDeploymentLink's dev-time existence check now strips URL fragments,
so cross-page links can carry #anchors; re-add the section anchors on
the android/ios links into the overview page.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@gaultier

gaultier commented Jul 15, 2026

Copy link
Copy Markdown
Contributor
  • Did we update the code snippets for mobile to adapt to the latest changes in the API? They might be outdated
  • The iOS and Android specific page should reiterate that the app id(s) should be present in the config for better security, with an example
  • Small formatting issue with the bullet points:
Screenshot 2026-07-15 at 16 41 27
Screenshot 2026-07-15 at 16 50 53
Screenshot 2026-07-15 at 16 51 32

… app-ID pinning

Multi-line <SameDeploymentLink> elements inside list items are parsed as
block-level JSX by MDX, splitting the bullet into separate paragraphs.
Keep the elements inline (tags attached to surrounding text) and raise
prettier's print width for these partials so it cannot push the long
opening tags back onto their own lines.

Per review, the Android and iOS guides now also state that production
deployments should pin enrollment to their app via android_app_ids /
ios_app_ids, with a config example on each page.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@hperl

hperl commented Jul 17, 2026

Copy link
Copy Markdown
Member Author

Did we update the code snippets for mobile to adapt to the latest changes in the API? They might be outdated

I think so, let me check again. The client_key_id change was reflected, I think that was the big one. Did you notice anything off?

The iOS and Android specific page should reiterate that the app id(s) should be present in the config for better security, with an example

Good idea!

Small formatting issue with the bullet points

Strange, the deployed preview had no such issues (source), and locally I didn't notice that either.

hperl and others added 2 commits July 17, 2026 11:45
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
# Conflicts:
#	docs/kratos/mfa/01_overview.mdx
#	sidebars-network.ts
#	sidebars-oel.ts
#	vercel.json
Same MDX block-JSX pitfall as the device authentication partials: a
multi-line SameDeploymentLink inside a list item is parsed as
block-level JSX and splits the bullet into separate paragraphs. Rewrite
all seven affected links inline and format the file at the raised print
width so prettier cannot reintroduce the shape.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants