    Enabling Passkey Authentication on Screenless XR Devices without QR Codes

    21 February 2026 by
    Suraj Barman

    Cross‑device passkey authentication for devices without displays replaces QR codes with a push‑based flow that meets FIDO proximity and trust requirements.

    Adapted hybrid transport for screenless devices

    This component re‑creates the payload normally shown as a QR code and sends it through a secure link. It keeps the cryptographic guarantees of the FIDO hybrid protocol while removing the need for visual scanning.

    • Payload composition: a fresh ECDH public key, a session secret, and routing data are packed into a FIDO URL.
    • Deterministic generation: the headset builds the same payload a QR code would contain, ensuring compatibility with existing relying parties.
    • Zero‑trust alignment: the flow follows the zero‑trust guidelines for identity verification.
    • BLE advertisement: after the mobile device receives the URL, it starts the BLE‑based encrypted tunnel required by the hybrid spec.
    • Standard WebAuthn compliance: the final assertion is formatted exactly like a conventional display‑based passkey.

    Push‑channel delivery of FIDO URLs

    Because the headset cannot render a QR code, it relies on the authenticated push service of the companion app. The URL travels as structured data inside a notification, guaranteeing delivery only to the correct user.

    • GraphQL‑encoded payload embedded in the push message.
    • Signed notification ensures tamper‑evidence and origin verification.
    • Pull‑based fallback: the app can query the backend for pending URLs when notifications are disabled.
    • Expiration timer (five minutes) limits replay risk.
    • Transport uses the same encrypted channel that the hybrid protocol expects.
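
    The receiving side of the push channel described above, sketched as an added example (not code from the article or from Meta): the companion app verifies the envelope, the account binding, the five‑minute expiry and single use before it opens the FIDO URL. The JSON envelope, the field names and the HMAC standing in for the notification signature are assumptions; a production app would verify an asymmetric signature against the backend's public key.

```python
import hashlib
import hmac
import json
import re

MAX_AGE_SECONDS = 5 * 60  # the five-minute expiration timer from the list above
FIDO_URL_RE = re.compile(r"FIDO:/[0-9]+")  # hybrid QR contents: scheme plus decimal digits


def sign_envelope(key: bytes, body: dict) -> str:
    """Backend side: MAC over canonical JSON (assumed stand-in for a signature)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def validate_push(key, envelope, signed_in_account, now, seen_ids):
    """Return (ok, reason); no body field is acted on until the MAC verifies."""
    body, tag = envelope.get("body"), envelope.get("tag")
    if not isinstance(body, dict) or not isinstance(tag, str):
        return False, "malformed"
    if not hmac.compare_digest(sign_envelope(key, body).encode(), tag.encode()):
        return False, "bad-signature"
    issued, rid, url = body.get("issued_at"), body.get("request_id"), body.get("fido_url")
    if not (isinstance(issued, int) and isinstance(rid, str) and isinstance(url, str)):
        return False, "malformed"
    if body.get("account") != signed_in_account:
        return False, "wrong-account"
    if not 0 <= now - issued <= MAX_AGE_SECONDS:
        return False, "expired"
    if not FIDO_URL_RE.fullmatch(url):
        return False, "bad-url"
    if rid in seen_ids:
        return False, "replayed"
    seen_ids.add(rid)
    return True, "ok"


def demo():
    key = b"constructed-demo-key"  # constructed; real keys come from secure storage
    body = {"account": "user-1", "device": "Headset A", "issued_at": 1_000_000,
            "request_id": "req-1", "fido_url": "FIDO:/0123456789"}  # constructed
    env = {"body": body, "tag": sign_envelope(key, body)}
    tampered = {"body": {**body, "fido_url": "FIDO:/999"}, "tag": env["tag"]}
    seen = set()
    return [
        validate_push(key, env, "user-1", 1_000_060, seen)[1],        # fresh request
        validate_push(key, env, "user-1", 1_000_061, seen)[1],        # same id again
        validate_push(key, tampered, "user-1", 1_000_060, set())[1],  # body altered
        validate_push(key, env, "user-1", 1_000_301, set())[1],       # older than 5 min
    ]
```

    The same checks apply unchanged to the pull‑based fallback, since a URL fetched from the backend carries the same envelope as one delivered by push.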

    User consent via in‑app notifications

    The mobile app presents a clear approval screen that mirrors the intent shown on a typical QR‑code flow. This step gives users confidence that the request belongs to the correct device.

    • System notification includes the originating device name and request timestamp.
    • Tap action opens the deep link directly in the Horizon app.
    • Explicit “Approve” button triggers the OS‑level passkey UI.
    • Audit log entry records user decision for compliance.
    • Optional voice prompt for accessibility on head‑mounted displays.

    Secure session construction and key exchange

    Once the mobile app launches the FIDO URL, it initiates the standard encrypted handshake defined by WebAuthn. The headset acts only as a conduit for the response.

    • ECDH key agreement creates a shared secret for the session.
    • Encrypted challenge‑response pairs travel over BLE.
    • Assertion signed with the authenticator’s private key.
    • Relying party receives the assertion through the original request channel.
    • Session data is cleared immediately after completion.

    Integration with Meta Quest and Horizon app

    The implementation is live on Meta Quest devices running Horizon OS and demonstrates how other screenless IoT platforms can adopt the same pattern. Multi‑agent coordination concepts from related research help manage the handoff between headset and phone.

    • Headset browser generates the FIDO URL on login initiation.
    • Horizon app receives the push, validates the account, and opens the URL.
    • BLE advertisement broadcast begins automatically from the phone.
    • Passkey assertion is returned to the Quest, completing the login.
    • Developers can reuse the same code path for smart home hubs, industrial sensors, or any device lacking a screen.


    Copyright © 2026 TechStora. All Rights Reserved.