How to test a platform authenticator?

Test the functionality of a platform authenticator using the Passkeys Debugger. This will verify that the device's built-in authentication hardware (hardware security module like TPM or secure enclave) works for both operations passkey creation and passkey login.

• A device (e.g. laptop, smartphone) with a built-in platform authenticator (e.g., Face ID, Touch ID, Windows Hello).
• A web browser that supports WebAuthn (latest versions of Chrome, Firefox, Edge, or Safari).

Device A: The testing will be conducted on the device with the platform authenticator.

We will generate a platform authenticator test which we can share with other developers, archive after in documentation or use as a bug report.

1. Start debugging: Open a fresh Passkeys Debugger session: Navigate to https://www.passkeys-debugger.io on Device A. If you have already used it on the device, click "Reset state".
2. Prepare debugging: Validate that the platform authenticator is activated. Take a look at the first two boxes:
• WebAuthn needs to be ticked
• Platform Auth needs to be ticked
• If one of the boxes is not ticked: platform authentication will not work, and you will need to activate the authenticator first (see our guides for Windows, iOS, and Android)
3. Passkey Creation – Select Tab “Passkey Creation”: Under the "Passkey Creation" tab, ensure the "Authenticator Attachment" setting is set to "Platform". For testing platform authenticators, you can keep the default settings.
4. (Optional) Passkey Creation - Configure Additional Settings: For a standard passkey platform authenticator test, you can leave all options on the default setting.
5. Passkey Creation - Start: Click the "Start Passkey Creation" button. The browser will prompt you to use the platform authenticator (e.g., Touch ID, Windows Hello).
6. Passkey Creation - Complete: Use the built-in authentication method (fingerprint, facial recognition, or PIN) to complete the passkey creation.
7. Passkey Creation - Review Attestation Response: Check the "Parsed Attestation Response" to verify that the platform authenticator successfully generated the attestation object.
• On the left side: You can see the raw version of the attestation response that is not decoded yet.
• On the right side: You can see the parsed version of the attestation response. It has been decoded.

• At the top of the page, you will notice the the passkey has been created, with the Username  you have provided or the default Username.

8. Passkey Login – Select Tab “Passkey Creation”: Change to the "Passkey Login" tab.

9. (Optional) Passkey Login - Configure Additional Settings: For a standard passkey platform authenticator login, you can leave all options on the default setting.
10. Passkey Login – Start: Click the "Start Passkey Login" button. The browser will prompt you to use the platform authenticator (e.g., Face ID, Touch ID, Windows Hello).
11. Passkey Login - Complete: Use the built-in authentication method (fingerprint, facial recognition, or PIN) to complete the login.
12. Passkey Login - Review Assertion Response: Check the "Parsed Assertion Response" to verify that the platform authenticator successfully generated the assertion response.
• On the left side: You can see the raw version of the assertion response that is not decoded yet.
• On the right side: You can see the parsed version of the assertion response. It has been decoded.
• - Device-bound or synced passkey: The flags are easily readable you can find out of backedupEligible & backedStatus are both true.
• - User verification: You can find out of strong user verification has been completed by verifying userPresent & userVerified are both true.

13. Share debugging result: You have concluded and recorded a full testing session, all information can now be shared with the URL of your test. You can:
• Re-visit the test: You can revisit your testcase in the future. You may want to link the Passkey Debugger directly in your Wiki.
• Use results: You can let other people create test cases for you on rare devices and send you the results.
• Start testing different options: You can now go back and test different settings and scenarios.
• Look at recorded meta-data: Additional information is recorded with the test, so you can lookup in which device (user-agent, client hints) and under which configuration it has been completed (Bluetooth).