We’re sharing a novel approach to enabling cross-device passkey authentication for devices with inaccessible displays (like XR devices). Our approach bypasses the use of QR codes and enables cross-…
Overview
Meta presents a novel approach to enabling cross-device passkey authentication for XR devices and other devices with inaccessible displays. By replacing QR code scanning with a companion app (Meta Horizon) that delivers FIDO URLs via authenticated push notifications, the solution maintains FIDO Alliance security standards while eliminating the need for an on-device screen, opening passwordless authentication to IoT, wearable, and industrial devices.
What You'll Learn
How to adapt the WebAuthn passkey flow for devices without accessible displays
How to use a companion app as a secure message transport to replace QR code scanning in cross-device authentication
How FIDO's CTAP hybrid protocol can be extended for screenless devices using push notifications and FIDO URLs
Why Bluetooth/NFC proximity verification remains essential even when bypassing QR codes
How to handle the challenge exchange timing differences in companion-app-mediated passkey flows
Prerequisites & Requirements
- Understanding of WebAuthn and passkey authentication standards
- Familiarity with FIDO Alliance's CTAP hybrid protocol and cross-device authentication flows
- Understanding of public-key cryptography concepts including ECDH key exchange
- Basic knowledge of BLE (Bluetooth Low Energy) and NFC proximity protocols (optional)
- Experience with mobile app development, including push notifications and deep linking (optional)
Key Questions Answered
How can passkey authentication work on devices without a display or screen?
What replaces QR code scanning in cross-device passkey authentication for XR headsets?
How does Meta Quest handle passkey login without showing a QR code?
Does companion-app-based passkey authentication still meet FIDO security requirements?
What happens if push notifications are disabled when using passkey login on Meta Quest?
What is the difference between standard cross-device passkey flow and the companion app approach?
Can this passkey approach be used for IoT and smart home devices?
Key Actionable Insights
1. Use authenticated push channels as a secure alternative to QR codes for cross-device authentication on screenless devices. By encoding FIDO URLs as structured data within push notifications delivered through a companion app signed into the same account, you can maintain the same security guarantees as QR-code-based flows while eliminating the display requirement entirely. This is particularly relevant for teams building authentication for IoT devices, smart home hubs, industrial sensors, or any hardware with limited or no display capabilities.
2. Implement a fallback polling mechanism alongside push notifications for passkey authentication requests. Users with disabled notifications should still be able to authenticate by opening the companion app, which queries the backend for pending requests. Set a reasonable expiration window (Meta uses five minutes) to prevent stale authentication requests from being consumed. This ensures robust UX coverage regardless of user notification settings and prevents security risks from long-lived authentication requests.
3. Begin the hybrid authentication flow immediately upon app launch rather than adding additional confirmation steps within the companion app. Since the user has already taken an explicit action (tapping a notification or opening the app), and the mobile OS provides its own user verification step through the native passkey interface, additional in-app confirmation adds friction without meaningful security benefit. Meta chose this approach for their Meta Horizon app integration, relying on the iOS and Android native passkey verification as the user consent surface.
4. Leverage the existing FIDO URL standard mechanism for hybrid transport rather than inventing a proprietary protocol. The FIDO URL format already contains all necessary parameters (ECDH public key, session-specific secret, routing information) and is designed to instruct mobile devices to begin passkey authentication. This ensures interoperability with existing mobile OS passkey implementations. Building on established standards like WebAuthn and the CTAP hybrid protocol reduces implementation complexity and ensures forward compatibility as these standards evolve.
5. Validate the delivery context of push-delivered FIDO URLs to ensure authentication requests reach the correct user. The companion app must verify that the push notification is routed to the same account that is associated with the requesting device, preventing potential account confusion or misdirected authentication attempts. This is a critical security consideration when replacing the physical proximity guarantee of QR code scanning with a network-delivered authentication initiation.
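As an added example covering insights 2 and 5 above (polling fallback with a five-minute expiry, and binding each request to the account of the requesting device), here is a backend relay sketch. It is not Meta's code: the `PasskeyRelay` class, its method names and the push callback are assumptions, and the FIDO URL strings are opaque constructed placeholders rather than real hybrid-transport URLs.

```python
import secrets
import time
from typing import Callable, Dict, List, Optional
REQUEST_TTL_SECONDS = 5 * 60  # five-minute expiry window, as the text describes

class PendingRequest:
    """One passkey request raised by a screenless device (constructed model)."""
    def __init__(self, request_id, account_id, fido_url, created_at):
        self.request_id = request_id
        self.account_id = account_id   # account the requesting device is signed into
        self.fido_url = fido_url       # opaque hybrid-transport FIDO URL from the device
        self.created_at = created_at
        self.consumed = False          # single use: a consumed request is never re-delivered

class PasskeyRelay:
    """Hypothetical backend relay: holds FIDO URLs, pushes them to the companion
    app, and serves them to an app that polls because notifications are disabled."""
    def __init__(self, push_sender: Callable[[str, dict], bool], clock=time.time):
        self._push = push_sender
        self._clock = clock
        self._pending: Dict[str, PendingRequest] = {}

    def create_request(self, account_id: str, fido_url: str) -> str:
        req_id = secrets.token_urlsafe(16)
        self._pending[req_id] = PendingRequest(req_id, account_id, fido_url, self._clock())
        # Push is best-effort: if it is not delivered, poll() is the fallback path.
        self._push(account_id, {"type": "passkey_request", "request_id": req_id, "fido_url": fido_url})
        return req_id

    def poll(self, account_id: str) -> List[dict]:
        """Fallback: the companion app asks for live requests bound to its own account."""
        self._purge_expired()
        return [{"request_id": r.request_id, "fido_url": r.fido_url}
                for r in self._pending.values()
                if r.account_id == account_id and not r.consumed]

    def claim(self, account_id: str, request_id: str) -> Optional[str]:
        """Release the FIDO URL once, and only to the account that owns the request."""
        self._purge_expired()
        req = self._pending.get(request_id)
        if req is None or req.consumed or req.account_id != account_id:
            return None   # unknown, stale, already used, or misdirected: refuse
        req.consumed = True
        return req.fido_url

    def _purge_expired(self) -> None:
        stale = [rid for rid, r in self._pending.items() if self._clock() - r.created_at > REQUEST_TTL_SECONDS]
        for rid in stale:
            del self._pending[rid]
```

A request that outlives the window is dropped before any poll or claim sees it, and a claim from a different account is refused rather than handed a URL meant for someone else.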