  • Cross-Device Passkey Authentication for XR Devices without a Display

    Learn how to enable secure, passwordless passkey authentication on XR headsets and other screenless devices using a companion app and FIDO hybrid flow, and why this approach improves security and usability.
    4 February 2026 by Suraj Barman

    What Is Cross-Device Passkey Authentication for Screenless Devices?

    Passkeys are cryptographic credentials that replace passwords. In a cross‑device scenario, a user authenticates on a device that cannot display a QR code (e.g., an XR headset) by leveraging a nearby trusted device such as a smartphone.

    Why Is a New Approach Required?

    Traditional cross‑device flows rely on QR codes or on‑device visual feedback. XR headsets, smart‑home hubs, and many IoT sensors lack an accessible display, making QR‑code scanning impossible and raising usability and security concerns.

    • No visual confirmation for the user.
    • Potential for man‑in‑the‑middle attacks if proximity is not verified.
    • Usability friction when users must switch devices.

    How Does the Hybrid Flow Work Without a Display?

    The solution replaces the QR‑code step with a companion‑app push channel that transports a FIDO URL containing the authentication payload.

    • Step 1 – Payload Generation: The XR browser creates the same data that would be encoded in a QR code (ECDH public key, session secret, routing info) and embeds it in a FIDO URL.
    • Step 2 – Secure Transfer: The URL is sent as structured data in a push notification to the user’s companion app (e.g., Meta Horizon) via an authenticated GraphQL channel.
    • Step 3 – User Notification: The mobile OS displays a standard notification. Tapping it opens the companion app, which launches the FIDO URL.
    • Step 4 – Hybrid Transport: The mobile device initiates BLE/NFC advertising, establishes an encrypted tunnel, and receives the WebAuthn challenge from the XR device.
    • Step 5 – Assertion Generation: After user verification (biometrics, PIN, etc.), the mobile authenticator creates the AuthenticatorAssertionResponse and sends it back over the secure channel.
    • Step 6 – Completion: The XR device forwards the assertion to the relying‑party server, completing the login exactly as a display‑equipped device would.

    Implementation Details

    Key technical components that enable the flow:

    • FIDO URL (Hybrid Transport): Standard mechanism defined by the FIDO Alliance for out‑of‑band message delivery.
    • Companion App Push Channel: Authenticated, deterministic delivery using the same user account on both devices.
    • BLE/NFC Proximity: Guarantees that the two devices are physically near each other, satisfying trust requirements.
    • Timeout Management: Requests expire after five minutes to mitigate replay attacks.

    Security Considerations

    The approach maintains the security guarantees of the original WebAuthn/CTAP specifications:

    • All cryptographic material is exchanged over an encrypted BLE/NFC tunnel.
    • User verification is performed on the trusted mobile device.
    • Push notifications are signed and delivered over an authenticated channel, preventing spoofing.
    • Proximity is enforced by the BLE/NFC link, satisfying the “same‑user‑device” requirement.
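    The checks the companion app should apply to a pushed request (Step 2 of the flow, the five‑minute timeout, and the signed push described above), as an added illustration that is not code from the original post or from any companion app. It assumes an account‑bound channel key shared by both devices and uses HMAC‑SHA256 in place of the real channel's signature; the FIDO URL itself is treated as opaque apart from its scheme prefix.

```python
import hashlib
import hmac
import json
import secrets
import time

REQUEST_TTL_SECONDS = 300   # the five-minute expiry described above
CLOCK_SKEW_SECONDS = 30     # assumed tolerance for clock drift between the two devices


def canonical_bytes(body):
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_push_message(channel_key, account_id, fido_url, issued_at):
    """XR-device side: wrap the FIDO URL as structured push data and authenticate it.
    HMAC-SHA256 under an account-bound channel key stands in for the real channel's signature."""
    body = {"account_id": account_id, "fido_url": fido_url,
            "issued_at": issued_at, "nonce": secrets.token_hex(16)}
    sig = hmac.new(channel_key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


class CompanionAppValidator:
    """Companion-app side: accept a pushed request only if it is authentic, bound to
    this account, fresh (within the TTL) and not a replay of an earlier push."""

    def __init__(self, channel_key, account_id, now=time.time):
        self.channel_key = channel_key
        self.account_id = account_id
        self.now = now                 # injectable clock for deterministic tests
        self.seen_nonces = set()       # nonces already acted on (replay defence)

    def validate(self, msg):
        body = msg.get("body", {})
        expected = hmac.new(self.channel_key, canonical_bytes(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("sig", "")):
            return False, "bad signature"           # spoofed or tampered push
        if body.get("account_id") != self.account_id:
            return False, "account mismatch"        # push not bound to this user
        if not str(body.get("fido_url", "")).startswith("FIDO:/"):
            return False, "not a FIDO URL"          # CTAP hybrid-transport scheme prefix
        age = self.now() - int(body.get("issued_at", 0))
        if age > REQUEST_TTL_SECONDS or age < -CLOCK_SKEW_SECONDS:
            return False, "expired"                 # stale (or implausibly future) request
        nonce = body.get("nonce", "")
        if nonce in self.seen_nonces:
            return False, "replay"                  # same push delivered twice
        self.seen_nonces.add(nonce)
        return True, "ok"
```

Only a request that passes all four checks should be handed to the hybrid transport; the rejection reason is what you would log and alert on.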

    Benefits and Future Directions

    By eliminating the need for a display, this method expands passwordless authentication to a broader ecosystem of wearables, IoT sensors, and industrial hardware while preserving security and user experience.

    • Improved accessibility for devices with limited UI.
    • Consistent user experience across mobile, desktop, and XR platforms.
    • Potential for standardization across other screenless device categories.


    Copyright © 2026 TechStora. All Rights Reserved.