Ave uses WebAuthn passkeys for passwordless authentication, allowing users to sign in with biometrics (Face ID, Touch ID, Windows Hello) or device PINs instead of traditional passwords.

How It Works

Passkeys are cryptographic key pairs stored securely on your device. When you register, Ave creates a passkey that only works on your device and only for Ave.
1. User enters handle
   Start by entering your unique handle (e.g., alice). Ave looks up your account and checks which authentication methods are available.

2. WebAuthn challenge
   Your browser receives a cryptographic challenge from Ave’s server. This challenge is unique and expires after 10 minutes.

3. Biometric verification
   Your device prompts for biometric authentication (fingerprint, face scan) or PIN. The private key is used to sign the challenge without ever leaving your device.

4. Session created
   Ave verifies the signature and creates a session that lasts 30 days. You’re logged in across all your devices.

Registration Flow

When you create an Ave account, passkey registration happens seamlessly:
```javascript
// Client-side registration flow
// registrationOptions: the PublicKeyCredentialCreationOptions issued by Ave's server
const credential = await navigator.credentials.create({
  publicKey: registrationOptions
});

// Send credential to Ave
// Note: the PublicKeyCredential contains ArrayBuffers, so serialize it
// (e.g. credential.toJSON()) rather than passing the raw object to JSON.stringify
await fetch('/api/register/complete', {
  method: 'POST',
  body: JSON.stringify({
    credential: credential.toJSON(),
    identity: { handle, displayName, email },
    device: { name: 'Chrome on MacBook', type: 'computer' }
  })
});
```
Ave stores:
  • Your public key (used to verify signatures)
  • Passkey metadata (device type, backup status)
  • Counter value (prevents replay attacks)
Passkeys use the resident key (discoverable credential) feature, which means you don’t need to enter your username first. Your browser can suggest available accounts.

Login Methods

Ave offers three ways to authenticate:

1. Passkey (Primary Method)

Use the passkey registered on your current device:
```jsonc
// POST /api/login/start
{
  "handle": "alice"
}

// Returns WebAuthn options
{
  "authOptions": { /* challenge, rpId, etc */ },
  "authSessionId": "uuid",
  "hasPasskeys": true,
  "hasDevices": true
}

// POST /api/login/passkey
{
  "authSessionId": "uuid",
  "credential": { /* WebAuthn response */ },
  "device": {
    "name": "Chrome on MacBook",
    "type": "computer",
    "browser": "Chrome",
    "os": "macOS"
  }
}
```
Returns session token and encrypted master key (for end-to-end encryption).

2. Device Approval (Cross-Device Login)

Sign in on a new device by approving the request from a trusted device:
```jsonc
// POST /api/login/request-approval
{
  "handle": "alice",
  "requesterPublicKey": "base64-encoded-ephemeral-key",
  "device": { /* device info */ }
}

// Returns request ID
{
  "requestId": "uuid",
  "expiresAt": "2024-01-01T12:05:00Z"
}

// Poll for status: GET /api/login/request-status/:requestId
```
Your trusted devices receive real-time notifications via WebSocket. When approved, the master key is securely transferred using ephemeral key exchange (ECDH).
Device approval requests expire after 5 minutes. Both WebSocket and polling are supported for maximum compatibility.

3. Trust Code Recovery

Recover your account using one of your trust codes:
```jsonc
// POST /api/login/trust-code
{
  "handle": "alice",
  "code": "ABCDE-FGHIJ-KLMNO-PQRST-UVWXY",
  "device": { /* device info */ }
}

// Returns session and encrypted backup
{
  "sessionToken": "...",
  "encryptedMasterKeyBackup": "...",
  "remainingTrustCodes": 1
}
```
Trust codes are reusable and decrypt your master key backup locally.
Trust codes are your recovery mechanism. Store them securely offline. If you lose all passkeys and trust codes, your account cannot be recovered.

Passkey Features

Synced Passkeys

Passkeys can sync across devices using your platform’s password manager:
  • Apple: Syncs via iCloud Keychain (iPhone, iPad, Mac)
  • Google: Syncs via Google Password Manager (Android, Chrome)
  • Windows: Windows Hello sync (limited to same device)
When a passkey is backed up, Ave stores this metadata:
```javascript
// From registration.ts:184
await db.insert(passkeys).values({
  id: credentialId,
  publicKey: Buffer.from(publicKey).toString('base64'),
  deviceType, // 'single_device' or 'multi_device', from the authenticator's credentialDeviceType
  backedUp: true, // Synced passkey
  transports: ['internal', 'hybrid']
});
```

PRF Extension (Advanced)

Ave supports the PRF (Pseudo-Random Function) WebAuthn extension for hardware-backed master key encryption:
```javascript
// During registration, request the PRF extension with a random salt (stored with the passkey):
const credential = await navigator.credentials.create({
  publicKey: { ...registrationOptions, extensions: { prf: { eval: { first: prfSalt } } } }
});

// If the authenticator supports PRF, the 32-byte output is returned in the extension results.
// Some platforms only report { enabled: true } at registration and evaluate PRF on the first get().
const prfOutput = credential.getClientExtensionResults().prf?.results?.first;

if (prfOutput) {
  // Encrypt master key with a key derived from the PRF output
  const prfEncryptedMasterKey = await encryptWithKey(masterKey, prfOutput);

  // Store alongside passkey
  await fetch('/api/register/complete', {
    method: 'POST',
    body: JSON.stringify({ credential: credential.toJSON(), prfEncryptedMasterKey })
  });
}
```
With PRF, your master key is protected by the secure enclave on your device, not just browser storage.

Security Properties

Phishing Resistant

Passkeys are bound to Ave’s domain (aveid.net). They cannot be used on phishing sites:
```javascript
// From login.ts:226
const verification = await verifyAuthenticationResponse({
  expectedOrigin: 'https://aveid.net',
  expectedRPID: 'aveid.net',
  // ...the assertion response, expected challenge and stored credential are also passed
  // Verification fails if the client data origin or the RP ID hash doesn't match
});
```

Replay Attack Prevention

Each passkey maintains a counter that increments with every use:
```javascript
// From login.ts:243
import { eq } from 'drizzle-orm'; // assumed: the query builder used here

await db.update(passkeys)
  .set({
    counter: verification.authenticationInfo.newCounter,
    lastUsedAt: new Date()
  })
  .where(eq(passkeys.id, credentialId)); // scope the update to the passkey that just authenticated
```
If the counter goes backward, the assertion is rejected, since a stale counter indicates a cloned passkey.

Attestation

Ave requests no attestation statement (for privacy) and instead enforces the authenticator requirements it needs at registration: a discoverable (resident) credential and user verification:
```javascript
// From register.ts:49
const options = await generateRegistrationOptions({
  attestationType: 'none', // For privacy
  authenticatorSelection: {
    residentKey: 'required',
    userVerification: 'required'
  }
});
```

Managing Passkeys

Users can manage their passkeys from the Security page:
  • Add new passkeys: Register additional devices or security keys
  • Rename passkeys: Give them descriptive names (“Work Laptop”, “YubiKey”)
  • Delete passkeys: Remove compromised or old passkeys
  • View metadata: See which passkeys are synced or single-device
You cannot delete your only passkey. Ave requires at least one authentication method to prevent account lockout.

Browser Support

| Browser | Platform | Biometric |
|---|---|---|
| Chrome 108+ | macOS, Windows, Android | Touch ID, Windows Hello, Fingerprint |
| Safari 16+ | macOS, iOS | Touch ID, Face ID |
| Edge 108+ | Windows | Windows Hello |
| Firefox 119+ | All platforms | Platform-dependent |

Fallback for Older Browsers

If WebAuthn is not available, Ave falls back to trust code login. Users are prompted to upgrade their browser for the best security.
```javascript
if (!window.PublicKeyCredential) {
  // Show trust code login only
  showTrustCodeForm();
}
```

Next Steps

End-to-End Encryption

Learn how Ave encrypts your data with passkey-derived keys

Multi-Device Login

Approve logins from your trusted devices
