  • Cross‑Device Passkey Authentication for Screen‑less XR and IoT Devices

    2 March 2026 by
    Suraj Barman

    Context & History

    Passkeys have become the preferred method for passwordless authentication because they resist phishing and rely on public‑key cryptography. The original cross‑device flow was designed for a desktop paired with a smartphone: the desktop shows a QR code carrying a FIDO URL, and the phone scans it. As wearable head‑mounted displays (XR), smart home hubs, and industrial sensors entered the market, the QR‑code approach became impractical: many of these devices either lack a screen or have a display that cannot easily be captured by a camera. The FIDO Alliance's CTAP 2.2 hybrid transport (formerly caBLE) and the WebAuthn specification laid the groundwork: a BLE advertisement proves that the phone is physically near the client, while the authentication messages themselves travel over an end‑to‑end encrypted tunnel. (NFC is a separate CTAP transport and plays no part in the hybrid flow.) This guide builds on that foundation and explains how to extend the flow to devices that cannot show visual cues.

    Implementation & Best Practices

    Roadmap
    • First, the headless device constructs the same payload that a QR code would contain: an ephemeral ECDH public key, a random secret, and routing data (tunnel‑service hints and a timestamp).
    • Second, the payload is encoded into a standard FIDO URL.
    • Third, the URL is delivered to a companion app via an authenticated push channel.
    • Fourth, the companion app launches the URL, which triggers the OS‑level passkey UI, and completes the hybrid exchange: a BLE advertisement to prove proximity, then CTAP messages over the encrypted tunnel.
    • Finally, the response is relayed back to the original device, which forwards it to the relying‑party server.
    The sections below expand each step and highlight security considerations.

    Creating the FIDO URL on a display‑less device

    The client on the headless device generates a fresh P‑256 (ECDH) key pair and a random 16‑byte secret, then packs the public key, the secret, the number of tunnel‑service domains it knows, the current time, and an operation hint ("ga" for get‑assertion, "mc" for make‑credential) into a compact CBOR map. Nothing resembling clientDataJSON belongs in this payload; clientDataJSON is produced later, when the credential is actually exercised. The CBOR bytes are rendered as decimal digits (each 7‑byte chunk becomes a 17‑digit group) behind the FIDO:/ scheme, as defined in the CTAP 2.2 hybrid‑transport section rather than in WebAuthn itself. The resulting URL looks like FIDO:/0123…, is plain text, and can be carried over any channel that preserves it exactly.
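    The encoding step above, as an added example that is not code from the original page or from any FIDO implementation. It builds the CBOR map and the FIDO:/ digit encoding from scratch in the standard library so it runs offline; the integer key numbering (0 public key, 1 secret, 2 tunnel‑domain count, 3 timestamp, 4 state‑assisted flag, 5 hint) follows the CTAP 2.2 hybrid‑transport QR format as I read it, and the 33‑byte demo public key is a constructed placeholder: a real client derives it from a freshly generated P‑256 key pair with a crypto library. The decoder is the companion‑app side, so the two halves round‑trip.

```python
import secrets
import time

# --- Minimal canonical CBOR encoder: only the types the hybrid QR payload needs ---
def _cbor_head(major: int, value: int) -> bytes:
    """Major type plus the shortest unsigned-integer argument encoding."""
    if value < 24:
        return bytes([(major << 5) | value])
    for extra, width in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if value < (1 << (8 * width)):
            return bytes([(major << 5) | extra]) + value.to_bytes(width, "big")
    raise ValueError("integer too large for CBOR")

def cbor_encode(obj) -> bytes:
    if isinstance(obj, bool):              # must come before int: bool subclasses int
        return b"\xf5" if obj else b"\xf4"
    if isinstance(obj, int):
        if obj < 0:
            raise ValueError("negative integers are not used in this payload")
        return _cbor_head(0, obj)
    if isinstance(obj, bytes):
        return _cbor_head(2, len(obj)) + obj
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        return _cbor_head(3, len(data)) + data
    if isinstance(obj, dict):
        out = _cbor_head(5, len(obj))
        for key in sorted(obj):            # canonical: ascending integer keys
            out += cbor_encode(key) + cbor_encode(obj[key])
        return out
    raise TypeError(f"unsupported CBOR type: {type(obj).__name__}")

# --- FIDO:/ digit encoding: every 7 bytes (little-endian integer) become exactly
# 17 decimal digits; a trailing partial chunk uses a fixed smaller digit width ---
_CHUNK = 7
_FULL_DIGITS = 17
_PARTIAL_DIGITS = {1: 3, 2: 5, 3: 8, 4: 10, 5: 13, 6: 15}
_PARTIAL_BYTES = {v: k for k, v in _PARTIAL_DIGITS.items()}

def bytes_to_digits(data: bytes) -> str:
    out = []
    for i in range(0, len(data), _CHUNK):
        chunk = data[i:i + _CHUNK]
        width = _FULL_DIGITS if len(chunk) == _CHUNK else _PARTIAL_DIGITS[len(chunk)]
        out.append(str(int.from_bytes(chunk, "little")).zfill(width))
    return "".join(out)

def digits_to_bytes(digits: str) -> bytes:
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("FIDO URL body must be ASCII decimal digits")
    out = bytearray()
    pos = 0
    while pos < len(digits):
        rest = len(digits) - pos
        if rest >= _FULL_DIGITS:
            width, nbytes = _FULL_DIGITS, _CHUNK
        elif rest in _PARTIAL_BYTES:
            width, nbytes = rest, _PARTIAL_BYTES[rest]
        else:
            raise ValueError("digit string has an impossible trailing length")
        # to_bytes raises OverflowError if a group exceeds its chunk's value range
        out += int(digits[pos:pos + width]).to_bytes(nbytes, "little")
        pos += width
    return bytes(out)

def build_payload(public_key: bytes, qr_secret: bytes, tunnel_domains: int = 2,
                  timestamp=None, state_assisted: bool = False, hint: str = "ga") -> dict:
    """Headless-device side: the map a QR code would otherwise carry."""
    if len(public_key) != 33 or public_key[0] not in (0x02, 0x03):
        raise ValueError("expected a compressed P-256 public key (33 bytes)")
    if len(qr_secret) != 16:
        raise ValueError("QR secret must be 16 random bytes")
    if hint not in ("ga", "mc"):
        raise ValueError("hint must be 'ga' (get assertion) or 'mc' (make credential)")
    return {
        0: public_key,
        1: qr_secret,
        2: tunnel_domains,
        3: int(time.time()) if timestamp is None else timestamp,
        4: state_assisted,
        5: hint,
    }

def build_fido_url(payload: dict) -> str:
    return "FIDO:/" + bytes_to_digits(cbor_encode(payload))

def parse_fido_url(url: str) -> bytes:
    """Companion-app side: recover the CBOR bytes; the scheme is case-insensitive."""
    scheme, sep, body = url.partition(":/")
    if sep != ":/" or scheme.lower() != "fido":
        raise ValueError("not a FIDO URL")
    return digits_to_bytes(body)

if __name__ == "__main__":
    # Constructed sample: 0x02 prefix plus 32 placeholder bytes stands in for a real P-256 point.
    demo_pub = bytes([0x02]) + bytes(range(1, 33))
    print(build_fido_url(build_payload(demo_pub, secrets.token_bytes(16))))
```

    Two details worth keeping in mind: the secret and key pair must be generated fresh per request and never reused, because the secret is what later authenticates the BLE advertisement; and the digit decoder rejects any trailing group length that the encoder could not have produced, which is the cheapest way to catch a truncated or corrupted URL before it reaches the passkey manager.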

    Secure delivery via push notification

    Because the device cannot render a QR code, it hands the URL to the user's companion app over an authenticated push channel. Note that a service worker runs in the browser, not on the server: the server‑side component is a push sender (Web Push with VAPID keys, or APNs/FCM for native apps) that signs each message, and a service worker in a web‑based companion app is what receives it; see the service‑worker guide for details on setting up reliable push delivery. The payload is wrapped in a GraphQL mutation that includes the target user ID, a request identifier, and a short expiration timestamp (five minutes). The companion app validates the signature, checks that the user ID is its own account and that the request has not expired, and only then displays a native notification that the user can tap.

    Companion app handling and deep‑link execution

    When the user taps the notification, the operating system resolves the deep link and hands the FIDO URL to the companion app. The app then invokes the platform's passkey manager (passkeys on iOS or Credential Manager on Android) with that URL. The manager presents the usual biometric or PIN verification step on the phone, so the user explicitly approves this specific request before any credential is used.

    Hybrid transport: BLE proximity check and encrypted tunnel

    After user verification, the phone derives keys from the secret in the URL and sends a short BLE advertisement containing an encrypted routing ID and nonce. The headless device, which has been listening for that advertisement since it produced the URL, decrypts it and thereby learns both that the phone is physically nearby and which tunnel‑service domain to contact. Both sides then connect to the tunnel service, run the ECDH‑based handshake (CTAP 2.2 uses a Noise handshake keyed with the public key and secret from the URL) to set up an end‑to‑end encrypted channel, and exchange ordinary CTAP messages over it; the BLE radio itself carries no credential data, and the tunnel service sees only ciphertext. The phone returns a signed assertion, which the headless device's client forwards to the relying‑party server exactly as a conventional WebAuthn response.

    Fallback polling path

    If the user has disabled push notifications, the companion app can poll the backend for pending requests. The same GraphQL query used for push delivery returns any active FIDO URLs, and the app applies exactly the same signature, account, and expiry checks to them. Polling replaces only the notification, not the consent: the app must still surface the request to the user, and the passkey manager still performs biometric or PIN verification before anything is signed. This keeps authentication possible in environments where notifications are suppressed.

    Security and usability notes

    • Every request envelope is signed with a key bound to the user's account, so an attacker cannot inject a FIDO URL of their own into the companion app.
    • Requests expire after five minutes, and each request identifier is accepted at most once, which limits replay.
    • The BLE advertisement and the tunnel are encrypted with keys derived from the secret and the ECDH exchange in the URL, providing confidentiality and integrity; the tunnel service relays only ciphertext.
    • Both the device and the companion app must verify that the request belongs to the same account; see the interoperability guide for best practices when handling cross‑origin data.
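    The envelope checks listed above, together with the push delivery and polling paths described earlier, as an added example that is not code from the original page. An HMAC‑SHA256 over canonical JSON with a per‑account shared key stands in for the page's "account key" signature (a real deployment would more likely use an asymmetric signature or the push service's own authentication); the field names, the helper names, and the sample key and timestamps are my own. The server side produces the envelope and filters expired ones for the polling query; the companion‑app side validates in an order where nothing is trusted before the MAC has been checked.

```python
import hashlib
import hmac
import json
import secrets

EXPIRY_SECONDS = 300  # five minutes, as in the text

def _mac(account_key: bytes, envelope: dict) -> str:
    """HMAC-SHA256 over the canonical JSON of every field except the MAC itself."""
    fields = {k: v for k, v in envelope.items() if k != "mac"}
    msg = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(account_key, msg, hashlib.sha256).hexdigest()

def sign_envelope(account_key: bytes, user_id: str, fido_url: str, now: int) -> dict:
    """Server side: wrap one FIDO URL for one account with an expiry and a one-time id."""
    envelope = {
        "user_id": user_id,
        "fido_url": fido_url,
        "request_id": secrets.token_hex(16),   # the app accepts each id at most once
        "issued_at": now,
        "expires_at": now + EXPIRY_SECONDS,
    }
    envelope["mac"] = _mac(account_key, envelope)
    return envelope

def pending_requests(envelopes: list, now: int) -> list:
    """Server side of the polling path: only unexpired envelopes are handed out."""
    return [e for e in envelopes if now < e["expires_at"]]

def validate_envelope(account_key: bytes, envelope: dict, my_user_id: str,
                      now: int, seen_request_ids: set) -> tuple:
    """Companion-app side. Returns (accepted, reason). The MAC is verified before
    any field is acted on, so unauthenticated input cannot steer the later checks."""
    required = {"user_id", "fido_url", "request_id", "issued_at", "expires_at", "mac"}
    if not isinstance(envelope, dict) or not required.issubset(envelope):
        return False, "malformed"
    if not all(isinstance(envelope[k], int) for k in ("issued_at", "expires_at")):
        return False, "malformed"
    try:
        expected = _mac(account_key, envelope)
    except (TypeError, ValueError):
        return False, "malformed"
    if not hmac.compare_digest(expected, str(envelope["mac"])):
        return False, "bad signature"
    if envelope["user_id"] != my_user_id:
        return False, "wrong account"
    if now >= envelope["expires_at"] or envelope["expires_at"] - envelope["issued_at"] > EXPIRY_SECONDS:
        return False, "expired"
    if not str(envelope["fido_url"]).upper().startswith("FIDO:/"):
        return False, "not a FIDO URL"
    if envelope["request_id"] in seen_request_ids:
        return False, "replayed"
    seen_request_ids.add(envelope["request_id"])
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample: a fixed 32-byte account key and a fixed clock.
    key = b"\x11" * 32
    env = sign_envelope(key, "alice", "FIDO:/0123456789", now=1_700_000_000)
    seen = set()
    print(validate_envelope(key, env, "alice", 1_700_000_010, seen))   # accepted
    print(validate_envelope(key, env, "alice", 1_700_000_020, seen))   # same id again: replayed
```

    The one design choice that matters most is the order of checks: comparing the MAC in constant time before reading any other field means that expiry, account, and replay logic only ever runs on data the server actually produced. The replay set is the same whether the envelope arrived by push or by polling, which is what makes the two delivery paths interchangeable.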

    Key takeaways

    • By replacing the QR code with an authenticated push of a FIDO URL, screen‑less devices can take part in the standard hybrid (cross‑device) passkey flow.
    • Proximity is still proven by the BLE advertisement and consent is still collected by the platform passkey UI, so the approach meets both requirements without weakening security; the push channel replaces only the camera.
    • Implementation relies on existing standards (WebAuthn, FIDO CTAP 2.2 hybrid transport, BLE) and can be adapted to any platform that supports push notifications and deep‑link handling.
