Manage WebAuthn credentials

Amplify Auth uses passkeys as the credential mechanism for WebAuthn. The following APIs allow users to register, keep track of, and delete the passkeys associated with their Cognito account.

Learn more about using passkeys with Amplify.

Associate WebAuthn credentials

Registering a passkey is supported on Android 9 (API level 28) and above.

Note that users must be authenticated to register a passkey. That also means users cannot create a passkey during sign up; consequently, they must have at least one other first factor authentication mechanism associated with their account to use WebAuthn.

You can associate a passkey using the following API:

Amplify.Auth.associateWebAuthnCredential(
    activity,
    () -> Log.i("AuthQuickstart", "Associated credential"),
    error -> Log.e("AuthQuickstart", "Failed to associate credential", error)

Amplify.Auth.associateWebAuthnCredential(
    activity,
    { Log.i("AuthQuickstart", "Associated credential") },
    { Log.e("AuthQuickstart", "Failed to associate credential", error) }

    val result = Amplify.Auth.associateWebAuthnCredential(activity)
    Log.i("AuthQuickstart", "Associated credential")
} catch (error: AuthException) {
    Log.e("AuthQuickstart", "Failed to associate credential", error)

RxAmplify.Auth.associateWebAuthnCredential(activity)
    .subscribe(
        result -> Log.i("AuthQuickstart", "Associated credential"), 
        error -> Log.e("AuthQuickstart", "Failed to associate credential", error)

You must supply an Activity instance so that Amplify can display the PassKey UI in your application's Task.

The user will be prompted to register a passkey using their local authenticator. Amplify will then associate that passkey with Cognito.

List WebAuthn credentials

You can list registered passkeys using the following API:

Amplify.Auth.listWebAuthnCredentials(
    result -> result.getCredentials().forEach(credential -> {
        Log.i("AuthQuickstart", "Credential ID: " + credential.getCredentialId());
        Log.i("AuthQuickstart", "Friendly Name: " + credential.getFriendlyName());
        Log.i("AuthQuickstart", "Relying Party ID: " + credential.getRelyingPartyId());
        Log.i("AuthQuickstart", "Created At: " + credential.getCreatedAt());
    error -> Log.e("AuthQuickstart", "Failed to list credentials", error)

Amplify.Auth.listWebAuthnCredentials(
    { result ->
        result.credentials.forEach { credential ->
            Log.i("AuthQuickstart", "Credential ID: ${credential.credentialId}")
            Log.i("AuthQuickstart", "Friendly Name: ${credential.friendlyName}")
            Log.i("AuthQuickstart", "Relying Party ID: ${credential.relyingPartyId}")
            Log.i("AuthQuickstart", "Created At: ${credential.createdAt}")
    { error -> Log.e("AuthQuickstart", "Failed to list credentials", error) }

    val result = Amplify.Auth.listWebAuthnCredentials()
    result.credentials.forEach { credential ->
        Log.i("AuthQuickstart", "Credential ID: ${credential.credentialId}")
        Log.i("AuthQuickstart", "Friendly Name: ${credential.friendlyName}")
        Log.i("AuthQuickstart", "Relying Party ID: ${credential.relyingPartyId}")
        Log.i("AuthQuickstart", "Created At: ${credential.createdAt}")
} catch (error: AuthException) {
    Log.e("AuthQuickstart", "Failed to list credentials", error)

RxAmplify.Auth.listWebAuthnCredentials()
    .subscribe(
        result -> result.getCredentials().forEach(credential -> {
            Log.i("AuthQuickstart", "Credential ID: " + credential.getCredentialId());
            Log.i("AuthQuickstart", "Friendly Name: " + credential.getFriendlyName());
            Log.i("AuthQuickstart", "Relying Party ID: " + credential.getRelyingPartyId());
            Log.i("AuthQuickstart", "Created At: " + credential.getCreatedAt());
        }), 
        error -> Log.e("AuthQuickstart", "Failed to list credentials", error)

Delete WebAuthn credentials

You can delete a passkey with the following API:

Amplify.Auth.deleteWebAuthnCredential(
    credentialId,
    (result) -> Log.i("AuthQuickstart", "Deleted credential"),
    error -> Log.e("AuthQuickstart", "Failed to delete credential", error)

Amplify.Auth.deleteWebAuthnCredential(
    credentialId,
    { Log.i("AuthQuickstart", "Deleted credential") },
    { Log.e("AuthQuickstart", "Failed to delete credential", error) }

    val result = Amplify.Auth.deleteWebAuthnCredential(credentialId)
    Log.i("AuthQuickstart", "Deleted credential")
} catch (error: AuthException) {
    Log.e("AuthQuickstart", "Failed to delete credential", error)

RxAmplify.Auth.deleteWebAuthnCredential(credentialId)
    .subscribe(
        result -> Log.i("AuthQuickstart", "Deleted credential"), 
        error -> Log.e("AuthQuickstart", "Failed to delete credential", error)

The delete passkey API has only the required credentialId as input, and it does not return a value.

Manage passwords

Manage devices