Passkey Authentication

Passkeys are a modern, secure way to sign in to Valora without using a password. They use your device's biometric sensors (such as a fingerprint reader or Face ID) or a security key.


Overview

Passkeys are more secure than passwords because each one is unique to Valora and cannot be guessed or stolen via phishing. When you use a passkey, your device proves it holds the correct key, and your biometric data is never sent to our servers.

Use passkeys for:

  • Fast and secure login to the Valora web application.
  • Adding an extra layer of security to your account.

Requirements:

  • A modern browser (Chrome, Safari, Firefox, or Edge).
  • A device with biometrics (Touch ID, Face ID, Windows Hello) or a physical security key (like a YubiKey).
  • HTTPS is required for all passkey operations.

Setting up a Passkey

You can register a new passkey from your account settings.

  1. Sign in to Valora using your email and password.
  2. Navigate to Settings → Security → Passkeys.
  3. Click on Register New Passkey.
  4. Follow your browser's prompts to use your biometric sensor or security key.
  5. Give your passkey a friendly name (e.g., "Work Laptop" or "Personal Phone") to help you identify it later.

Signing in with a Passkey

Once you have registered a passkey, you can use it to sign in quickly.

  1. Go to the Valora login page.
  2. Select the Sign in with Passkey option.
  3. Your browser will prompt you to verify your identity.
  4. Once verified, you will be logged in immediately.

For Developers (API Flow)

If you are building a client that interacts with Valora's passkey system, registration and authentication each take two steps: request options from the server, then submit the browser's response.

Registration Flow

  1. Request Options: POST /auth/passkey/register/options
    • Returns the configuration required by the browser's WebAuthn API.
  2. Submit Response: POST /auth/passkey/register
    • Sends the data generated by the browser back to Valora to finish registration.

Authentication Flow

  1. Request Options: POST /auth/passkey/authenticate/options
    • Returns a "challenge" that the browser needs to sign.
  2. Submit Response: POST /auth/passkey/authenticate
    • Verifies the signature and logs the user in.
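
The authentication flow above, sketched as a browser client. This is an added example, not Valora's own code: the JSON field names, the base64url encoding of binary fields, the empty request body and the injectable `fetch`/`credentials` parameters are assumptions to check against the real API responses.

```javascript
// Added example. JSON field names and base64url encoding of binary fields
// are assumptions; check them against Valora's actual responses.
const b64uToBuf = (s) => {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0)).buffer;
};
const bufToB64u = (buf) =>
  btoa(String.fromCharCode(...new Uint8Array(buf)))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// JSON from /auth/passkey/authenticate/options -> publicKey for credentials.get().
function decodeRequestOptions(json) {
  return {
    ...json,
    challenge: b64uToBuf(json.challenge),
    allowCredentials: (json.allowCredentials || []).map((c) => ({ ...c, id: b64uToBuf(c.id) })),
  };
}

// PublicKeyCredential -> JSON body for /auth/passkey/authenticate.
function encodeAssertion(cred) {
  const r = cred.response;
  return {
    id: cred.id, rawId: bufToB64u(cred.rawId), type: cred.type,
    response: {
      clientDataJSON: bufToB64u(r.clientDataJSON),
      authenticatorData: bufToB64u(r.authenticatorData),
      signature: bufToB64u(r.signature),
      userHandle: r.userHandle ? bufToB64u(r.userHandle) : null,
    },
  };
}

// fetch and credentials are injectable so the flow can be exercised without a browser.
async function signInWithPasskey(baseUrl, { fetch: doFetch = globalThis.fetch, credentials = globalThis.navigator?.credentials } = {}) {
  const post = async (path, body) => {
    const res = await doFetch(baseUrl + path, {
      method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify(body),
    });
    if (!res.ok) throw new Error(`${path} failed with HTTP ${res.status}`);
    return res.json();
  };
  const options = await post("/auth/passkey/authenticate/options", {});
  const cred = await credentials.get({ publicKey: decodeRequestOptions(options) });
  if (!cred) throw new Error("No credential returned by the authenticator");
  return post("/auth/passkey/authenticate", encodeAssertion(cred));
}
```

The challenge must reach the authenticator as raw bytes and go back unmodified inside clientDataJSON, which is why both directions are converted explicitly instead of passing the JSON straight through.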

Managing Passkeys

You can view all your registered passkeys in Settings → Security → Passkeys. From there, you can:

  • Rename an existing passkey.
  • Delete a passkey if you no longer have access to the device.

Note: If you lose the device associated with a passkey, you can still sign in using your email and password (or another passkey) and then remove the old one.