No Display? No Problem: Cross-Device Passkey Authentication for XR Devices

We’re sharing a novel approach to enabling cross-device passkey authentication for devices with inaccessible displays (like XR devices). Our approach bypasses the use of QR codes and enables cross-…

Paul Wright

Overview

Meta presents a novel approach to enabling cross-device passkey authentication for XR devices and other devices with inaccessible displays. By replacing QR code scanning with a companion app (Meta Horizon) that delivers FIDO URLs via authenticated push notifications, the solution maintains FIDO Alliance security standards while eliminating the need for an on-device screen, opening passwordless authentication to IoT, wearable, and industrial devices.

What You'll Learn

1. How to adapt the WebAuthn passkey flow for devices without accessible displays
2. How to use a companion app as a secure message transport to replace QR code scanning in cross-device authentication
3. How FIDO's CTAP hybrid protocol can be extended for screenless devices using push notifications and FIDO URLs
4. Why Bluetooth/NFC proximity verification remains essential even when bypassing QR codes
5. How to handle the challenge exchange timing differences in companion-app-mediated passkey flows

Prerequisites & Requirements

  • Understanding of WebAuthn and passkey authentication standards
  • Familiarity with FIDO Alliance's CTAP hybrid protocol and cross-device authentication flows
  • Understanding of public-key cryptography concepts including ECDH key exchange
  • Basic knowledge of BLE (Bluetooth Low Energy) and NFC proximity protocols (optional)
  • Experience with mobile app development, including push notifications and deep linking (optional)

Key Questions Answered

How can passkey authentication work on devices without a display or screen?
Instead of displaying a QR code, the screenless device generates a FIDO URL containing the ECDH public key, session secret, and routing information. This URL is delivered to the user's mobile device via an authenticated push notification through a companion app (like Meta Horizon). The mobile device then initiates the standard CTAP hybrid transport flow including BLE advertisement, encrypted tunnel establishment, and passkey assertion.

What replaces QR code scanning in cross-device passkey authentication for XR headsets?
A companion mobile application replaces QR code scanning by receiving the FIDO URL payload via a GraphQL-based push notification over an authenticated channel. The companion app, signed into the same account as the headset, validates the delivery context and opens the FIDO URL using the system URL launcher, which invokes the operating system's passkey interface to complete authentication.

How does Meta Quest handle passkey login without showing a QR code?
The Meta Quest headset's browser constructs the same payload that would be embedded in a QR code, encodes it into a FIDO URL, and sends it as structured data within a GraphQL-based push notification to the Meta Horizon mobile app. The app surfaces a notification, and when tapped, opens the FIDO URL to initiate the standard hybrid transport passkey flow with BLE proximity verification.

Does companion-app-based passkey authentication still meet FIDO security requirements?
Yes, the approach fully complies with FIDO Alliance proximity and trust requirements. The BLE/NFC proximity check is still performed during the hybrid transport sequence, the encrypted tunnel is established per WebAuthn standards, and user verification occurs on the mobile device through the standard OS passkey interface. Only the initial message delivery mechanism changes from QR code to push notification.

What happens if push notifications are disabled when using passkey login on Meta Quest?
If notifications are turned off or disabled, users can still authenticate by launching the Meta Horizon app directly. The app queries the backend for any pending passkey requests associated with the user's account. If a valid request exists (requests expire after five minutes), the app automatically initiates the passkey flow by opening the stored FIDO URL.

What is the difference between the standard cross-device passkey flow and the companion app approach?
In the standard flow, the relying party displays a QR code that the mobile authenticator scans to obtain connection parameters. In the companion app approach, these same parameters are encoded into a FIDO URL and delivered via an authenticated push channel instead. The subsequent BLE/NFC proximity verification, encrypted tunnel establishment, and passkey assertion steps remain identical to the standard protocol.

Can this passkey approach be used for IoT and smart home devices?
Yes, Meta designed this approach to extend beyond XR devices to any device with an inaccessible display or no screen at all, including smart home hubs, industrial sensors, wearable devices, and consumer electronics. Any device that has a companion app with an authenticated push channel can leverage this pattern to enable passwordless passkey authentication.

Key Statistics & Figures

  • Passkey request expiration time: 5 minutes. Pending passkey requests expire after five minutes if not consumed.

Technologies & Tools


  • Authentication standard: WebAuthn. Core passkey authentication framework used for cross-device login.
  • Authentication protocol: FIDO CTAP hybrid protocol. Cross-device authentication transport protocol adapted for screenless devices.
  • Communication protocol: BLE (Bluetooth Low Energy). Proximity verification and secure channel establishment between devices.
  • Communication protocol: NFC. Alternative proximity-based discovery and secure exchange mechanism.
  • Cryptography: ECDH. Elliptic Curve Diffie-Hellman key exchange for generating shared secrets in the hybrid flow.
  • API: GraphQL. Used for structuring push notification payloads containing FIDO URLs.
  • Operating system: Meta Horizon OS. Platform powering Meta Quest devices where the passkey implementation is deployed.
  • Mobile application: Meta Horizon app. Companion app serving as the secure message transport and authentication entry point.

Key Actionable Insights

1. Use authenticated push channels as a secure alternative to QR codes for cross-device authentication on screenless devices. By encoding FIDO URLs as structured data within push notifications delivered through a companion app signed into the same account, you can maintain the same security guarantees as QR-code-based flows while eliminating the display requirement entirely. This is particularly relevant for teams building authentication for IoT devices, smart home hubs, industrial sensors, or any hardware with limited or no display capabilities.

2. Implement a fallback polling mechanism alongside push notifications for passkey authentication requests. Users with disabled notifications should still be able to authenticate by opening the companion app, which queries the backend for pending requests. Set a reasonable expiration window (Meta uses five minutes) to prevent stale authentication requests from being consumed. This ensures robust UX coverage regardless of user notification settings and prevents security risks from long-lived authentication requests.

3. Begin the hybrid authentication flow immediately upon app launch rather than adding additional confirmation steps within the companion app. Since the user has already taken an explicit action (tapping a notification or opening the app), and the mobile OS provides its own user verification step through the native passkey interface, additional in-app confirmation adds friction without meaningful security benefit. Meta chose this approach for their Meta Horizon app integration, relying on the iOS and Android native passkey verification as the user consent surface.

4. Leverage the existing FIDO URL standard mechanism for hybrid transport rather than inventing a proprietary protocol. The FIDO URL format already contains all necessary parameters (ECDH public key, session-specific secret, routing information) and is designed to instruct mobile devices to begin passkey authentication. This ensures interoperability with existing mobile OS passkey implementations. Building on established standards like WebAuthn and the CTAP hybrid protocol reduces implementation complexity and ensures forward compatibility as these standards evolve.

5. Validate the delivery context of push-delivered FIDO URLs to ensure authentication requests reach the correct user. The companion app must verify that the push notification is routed to the same account that is associated with the requesting device, preventing potential account confusion or misdirected authentication attempts. This is a critical security consideration when replacing the physical proximity guarantee of QR code scanning with a network-delivered authentication initiation.
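Insights 2 and 5 above describe backend behaviour the page only states in prose: pending requests expire after five minutes, the fallback path lets the companion app poll for them on launch, and a request may only be consumed by the account the requesting device is signed into. The following is an added illustration of that request lifecycle, not code from Meta's implementation; the store, its method names, the injected clock and the placeholder FIDO URL strings are all assumptions made for the example.

```python
"""Model of a backend store for pending companion-app passkey requests (illustrative)."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

REQUEST_TTL_SECONDS = 5 * 60  # page: pending requests expire after five minutes


@dataclass
class PendingRequest:
    account_id: str    # account the headset is signed into
    device_id: str     # requesting device, so the app can show which device asked
    fido_url: str      # opaque FIDO URL built by the headset browser (placeholder here)
    created_at: float
    consumed: bool = False


class PasskeyRequestStore:
    """Pending requests are single-use, account-bound and time-limited."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be exercised deterministically
        self._requests: Dict[str, PendingRequest] = {}

    def create(self, account_id: str, device_id: str, fido_url: str) -> str:
        """Headset side: register a request; the returned id rides in the push payload."""
        request_id = secrets.token_urlsafe(16)
        self._requests[request_id] = PendingRequest(account_id, device_id, fido_url, self._now())
        return request_id

    def pending_for_account(self, account_id: str) -> List[str]:
        """Fallback path: on launch the app asks for unexpired, unconsumed requests."""
        self._expire()
        return [rid for rid, r in self._requests.items()
                if r.account_id == account_id and not r.consumed]

    def consume(self, request_id: str, companion_account_id: str) -> Optional[str]:
        """Delivery-context check: hand out the FIDO URL once, only to the bound account."""
        self._expire()
        req = self._requests.get(request_id)
        if req is None or req.consumed or req.account_id != companion_account_id:
            return None  # unknown, already used, expired, or routed to a different account
        req.consumed = True
        return req.fido_url

    def _expire(self) -> None:
        cutoff = self._now() - REQUEST_TTL_SECONDS
        for rid in [rid for rid, r in self._requests.items() if r.created_at < cutoff]:
            del self._requests[rid]
```

In a real deployment the request id, not the FIDO URL itself, is what the companion app should need to fetch over the authenticated channel, so that a misdelivered notification alone yields nothing usable.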

Common Pitfalls

1. Attempting to use only proximity-based discovery (BLE/NFC) without any visual feedback or companion app for screenless device authentication. While proximity discovery is technically feasible, initiating user verification and confirming transaction intent without any on-device visual feedback creates significant security and usability risks, as users cannot confirm they are approving the correct transaction on the correct device. The companion app approach solves this by surfacing the authentication request on the user's phone screen, providing clear visual confirmation of the action being approved.

2. Not implementing a fallback mechanism for users who have push notifications disabled or are experiencing notification delivery issues. If the only way to initiate the passkey flow is through a push notification, a significant portion of users may be unable to authenticate when notifications fail to deliver. Meta addresses this by having the companion app query the backend for pending passkey requests on app launch, ensuring authentication works even without active push notification delivery.

3. Designing custom or proprietary authentication protocols instead of building on established FIDO standards for screenless device authentication. Inventing new security protocols introduces untested attack surfaces and prevents interoperability with the broader passkey ecosystem on iOS and Android. By encoding the same payload into a FIDO URL that would normally be in a QR code, the solution reuses the entire existing hybrid transport stack including BLE advertisement, encrypted tunnel, and passkey assertion.

4. Allowing authentication requests to persist indefinitely without expiration. Long-lived pending requests could be consumed by unauthorized users who gain access to the companion app at a later time, creating a window for account takeover. Meta mitigates this by expiring pending passkey requests after five minutes, limiting the attack window.

Related Concepts

Passkey authentication
WebAuthn
FIDO2
CTAP (Client to Authenticator Protocol)
Cross-device authentication
QR code authentication
BLE (Bluetooth Low Energy) proximity verification
ECDH key exchange
Phishing-resistant authentication
Passwordless authentication
IoT device security
XR (extended reality) authentication
Push notification security
Deep linking
Companion app authentication patterns