Following the acquisition, Onfido is now known as Entrust.

Biometric Passkey: Introduction

Introduction

Passwords and shared-secret checks, such as SMS one-time passwords, are still often exploited in account takeover and phishing attacks. Consumer passkeys improve everyday sign-in by removing passwords, but they do not always prove that the real account owner is present for higher-risk actions. In regulated flows, this includes high-value payments, payee changes, adding new beneficiaries, and account recovery on a new device.

Biometric Passkey combines a device-bound passkey with biometric verification tied to the enrolled user. With a single credential, you can enable fast sign-in for low-risk actions using on-device biometrics (for example, fingerprint or face unlock handled by the user’s device), and require an additional live biometric verification for higher-risk actions. For example, a customer can sign in to a banking app with one tap using their device biometrics, then complete a stronger identity check before approving a high-value transfer or adding a new beneficiary.

Biometric Passkey includes a mobile SDK for your app, a backend service you host, and a dashboard for support and fraud teams. It is built on Entrust Identity Verification, which powers biometric checks and identity workflows during enrollment and step-up. Learn more in biometric verification engine.

Please note: The Biometric Passkey SDK and API are exclusively for the management of biometric passkey credentials and are distinct and separate from the Entrust IDV SDKs and API. For integrating the Entrust IDV SDKs for identity verification, please refer to our documentation here.

What makes Biometric Passkey different

  • One credential, two assurance levels. Biometric Passkey uses one device-bound credential for both everyday sign-in and higher-risk approvals. Your app can choose the right assurance level for each action. Standard passkeys usually offer only device unlock, which is often not enough for actions such as high-value payments or beneficiary changes.
  • Proof tied to the person, not just the device. During enrollment, Biometric Passkey links the credential to a verified person and keeps a biometric reference for future step-up checks and recovery on a new device. Standard passkeys can prove the registered device was used, but not always that the real account owner is holding it. For details, see Biometric authentication.
  • Decision per action. For each sign-in or approval, your app decides whether device verification is enough or whether a live biometric check is required. This is controlled by your risk policy for each transaction, rather than one setting for every account action.
  • Clear operations view for support teams. Authorized teams can review users, credentials, sessions, lifecycle events, and audit logs in a management dashboard, without viewing raw biometric data.

Supported journeys

| Journey | What it does |
| --- | --- |
| Enrollment | Creates a device-bound credential and establishes the user's biometric reference. |
| Routine authentication | Uses the device-bound passkey with standard device unlock for everyday, lower-risk actions, e.g. sign-in. |
| Step-up authentication | Runs a live biometric check for higher-risk actions. |
| Account recovery | Verifies the user against the stored biometric reference and issues a replacement credential on a new device. |

Where Biometric Passkey sits

Biometric Passkey has four parts: user channels, your application and identity stack, Biometric Passkey services, and Entrust Identity Verification. It is designed to fit alongside your existing Identity Provider (IDP) setup, while your application stays in control of the user session, risk rules, transaction details, and final authorization decision.

| Area | What lives there |
| --- | --- |
| User channels | Users can start actions on the web or in-app, then complete biometric verification in your mobile app, which includes the Biometric Passkey SDK. |
| Your application and IDP | Biometric Passkey acts as a drop-in supplement to your existing IDP solution. Your backend keeps control of sessions, risk rules, transaction details, and final authorization. |
| Biometric Passkey | Biometric Passkey services manage authentication flow, stored biometric references, credential lifecycle events, and audit records. A dashboard lets support and fraud teams review users, credentials, sessions, and events without exposing raw biometric data. |
| Entrust Identity Verification | Entrust workflows run identity and biometric checks. Biometric Passkey starts these workflows during enrollment, step-up authentication, and recovery. |

Next steps

Ready to integrate? Continue with Biometric Passkey: Integration overview for the technical entry point. For supported release lines and upgrade planning, see Biometric Passkey: Version policy. For the biometric verification engine that powers higher-risk paths, see Biometric authentication.