docs: add device authentication with PIN and biometrics guide#2673
docs: add device authentication with PIN and biometrics guide#2673hperl wants to merge 19 commits into
Conversation
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Append the iOS guide to the device authentication PIN page: prerequisites, a full Swift reference implementation, biometric-key notes, and the PIN change / secret rotation flows. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Remove the stale "second factor only" claims from the device binding page and cross-link the new first-factor PIN and biometrics page. Also fix a copy-paste error where the step-up step pointed at the settings flow instead of the login flow, and note the enrollment user_verification level. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Adds comprehensive documentation for using the deviceauthn strategy as a first factor via an app PIN or platform biometrics (AAL2 in one submission), and updates the existing device binding page to reflect this and fix flow/verb references. The new page is also wired into the Ory Network and OEL sidebars so it’s discoverable under Passwordless authentication.
Changes:
- Adds a new “Device authentication with PIN and biometrics” page with configuration, protocol details, diagrams, and iOS/Android reference implementations.
- Updates the existing “Device binding” page to remove outdated “second factor only” claims and correct step-up references to the login flow and POST submissions.
- Registers the new page in
sidebars-network.tsandsidebars-oel.ts.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| sidebars-oel.ts | Adds the new deviceauthn-pin doc entry to the OEL sidebar. |
| sidebars-network.ts | Adds the new deviceauthn-pin doc entry to the Network sidebar. |
| docs/kratos/passwordless/09_deviceauthn-pin.mdx | New guide page with protocol reference, diagrams, and client reference implementations. |
| docs/kratos/passwordless/08_deviceauthn.mdx | Updates device binding docs to point to first-factor usage and fixes flow/HTTP verb references. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
📝 WalkthroughWalkthroughThe network and Ory Kratos documentation sidebars now include the ChangesPasswordless navigation
Estimated code review effort: 1 (Trivial) | ~2 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
The add-key examples still showed the client choosing and submitting client_key_id. The server now derives it as the lowercase-hex SHA-256 fingerprint of the key's public key (SubjectPublicKeyInfo, DER) and the add payload has no such field. Update the payloads, SDK snippets, reference steps, and diagrams accordingly, and align the availability wording with the new PIN page. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Dissolve the standalone "Device authentication with PIN and biometrics" page. Platform-agnostic content (how it works, configuration, protocol reference, client requirements, recovery, troubleshooting, security model) merges into the device binding overview; the iOS and Android reference implementations merge into the respective platform guides. Preserves the #pin-enrollment, #first-factor-login, #rotating-the-pin-secret, and #client-implementation-requirements anchors on the overview page. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The section now covers both second-factor binding and first-factor PIN/biometric login, so the strategy's umbrella name fits better. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The pages were listed in both the network and OEL sidebars; a doc can only display one sidebar, and the OEL one won the association, so navigating from the Ory Network sidebar into the section reshuffled the navigation to Ory Enterprise License. Sibling feature pages (passkeys, one-time codes) are network-only for the same reason. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Check CommonCrypto and SecRandomCopyBytes status codes in the Swift reference (structural failures throw instead of proceeding with zeroed or undefined buffers), decode the nonce JSON as UTF-8 and hex-encode the key fingerprint explicitly unsigned in the Kotlin reference, and state the API 28+ floor for setUnlockedDeviceRequired in the hard rules. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Shared partials under src/components/Shared/kratos/passwordless/deviceauthn with Network and OEL shell pages and per-deployment sidebar entries, so the section ships migrated (#2674) and OEL keeps navigation context. The old public URL redirects to the Network page. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
SameDeploymentLink's dev-time existence check now strips URL fragments, so cross-page links can carry #anchors; re-add the section anchors on the android/ios links into the overview page. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Documents device authentication end to end and restructures it into a section with per-platform guides.
New structure:
kratos/passwordless/deviceauthn/first_factor, complete passwordless login via app PIN or platform biometrics (AAL2 in one request). Concepts (three-key model,user_verificationlevels), configuration (first_factor,pin_max_attempts,ios_biometric_first_factor, app-ID pinning), a byte-exact protocol reference for all flows (enrollment, PIN enrollment with challengeSHA256(nonce ‖ transport_public_key), biometric enrollment, step-up, first-factor login withpin_proof, secret rotation) with sequence diagrams, normative client implementation requirements, recovery/lockout, troubleshooting, and the security model.Corrections to existing content
client_key_idis server-assigned (the lowercase-hex SHA-256 fingerprint of the key's public key); the add-key examples no longer show a client-chosen ID and the guides show how to derive or read it.Deployment structure (added 2026-07-13)
The section ships migrated to the deployment structure from
AGENTS.md(#2674): page bodies live in shared partials undersrc/components/Shared/kratos/passwordless/deviceauthn/, exposed via shell pages underdocs/network/...anddocs/oel/...with canonicals pointing to the Network URLs. Both the Ory Network and OEL sidebars carry a "Device authentication" category (OEL under a new "Authentication" category), so OEL readers keep their navigation context. The previous public URL/docs/kratos/passwordless/deviceauthn308-redirects to the Network page; the platform sub-pages are new URLs that only ever exist under the deployment paths.The cross-page links from the platform guides deep-link into the overview's sections; to support that,
SameDeploymentLink's dev-time existence check now strips#fragments before comparing against doc ids (one-line change, no runtime behavior change).Coordination with #2675 (passwordless + MFA migration, same structure): whichever PR lands second merges the OEL "Authentication" category items and, if #2675 lands first, this branch's
docs/kratos/mfa/01_overview.mdxlink edit moves into the refreshed shared partial as aSameDeploymentLinkwith anoss=override.Related Issue or Design Document
Documentation improvement. The deployment-structure migration addresses #2674 for this section.
Checklist
🤖 Generated with Claude Code