The rapid expansion of connected technology has introduced a class of devices, from extended reality (XR) headsets to smart home hubs and industrial sensors, that often lack a traditional screen. This presents a real challenge to modern security practice, particularly the adoption of passkeys, which have become the standard for phishing-resistant, passwordless authentication. The cross-device passkey flow, in which a user authenticates on a laptop by scanning a QR code with a phone, cannot work on a device that has nothing to display the code on. The approach described here adapts that flow without a QR code: the same hybrid-transport request is delivered to the user's phone through an already-authenticated companion application, so devices without a display can use passkeys while still meeting the proximity and trust requirements that the FIDO hybrid transport imposes. This opens the door to passwordless authentication for a wide ecosystem of emerging devices.
1. The Obstacle of Screenless Authentication
The established protocol for cross-device passkey authentication, the hybrid transport defined in CTAP 2.2, is simple and secure, but it relies on visual interaction between two devices. The flow combines two mechanisms: QR code scanning and proximity detection. When a user initiates a login on a primary device such as a laptop, the browser on that device (not the relying party) generates a fresh key pair and a random secret and displays the public half and the secret as a QR code. The user scans this code with a secondary device, typically a smartphone acting as the authenticator; the scan transfers the initial handshake information and links the two devices. The phone then broadcasts a Bluetooth Low Energy (BLE) advertisement encrypted with a key derived from the scanned secret, and the laptop must receive and decrypt that advertisement before the handshake can proceed. This proves the two devices are physically near each other and stops a remote attacker from completing the flow. Together these steps ensure that the person approving the login holds the passkey and is present at the point of access. The QR code is a critical element in this chain of trust: its contents are available only to a device that can see the screen, so the act of scanning binds the phone to the specific device in front of the user, and the phone's native passkey prompt then names the relying party the user is signing in to.
For the growing category of devices with inaccessible or non-existent displays, this model is an insurmountable hurdle. Without a screen there is no QR code, so the primary method for initiating the secure handshake is unusable. Proximity-based discovery over Bluetooth is still feasible, but relying on it alone introduces security and usability concerns. Without any on-device visual feedback, a user has no clear way to verify the authenticity of a login request: they might receive a prompt on their phone to approve an action, but they cannot be certain it originates from the intended device or for the correct service. An attacker within Bluetooth range could exploit this ambiguity to get a user to approve a request they did not initiate. A new method was therefore required to bridge this gap, one that securely transmits the authentication request from a screenless device to a mobile authenticator without undermining user confidence or the integrity of the passkey protocol.
2. A Companion App as the Secure Bridge
The solution to the screenless authentication dilemma lies in a pre-existing, trusted connection between the device and the user's smartphone: a companion application. Many XR headsets, smartwatches and IoT devices already require a mobile app for setup, management and notifications. This app, signed in to the same user account as the screenless device, can serve as the conduit for the authentication data. Instead of rendering a QR code, the screenless device passes the same request, a standardized FIDO:/ URL carrying exactly the data the QR code would have encoded, to its companion app. This substitutes the visual QR channel with a server-mediated push notification channel that is already authenticated and trusted by the user. Two properties keep the security of the flow intact: the device's ECDH private key never leaves the device, so seeing the URL does not let anyone impersonate the device to the phone, and the BLE proximity check of the hybrid transport is unchanged. What does change is that the URL, including its secret, now transits the companion app's backend instead of a line of sight, so the confidentiality of that backend channel and its binding to the user's account now do the work the QR code used to do. The process remains secure and user-friendly, integrating into the user's existing interaction patterns with their devices.
The method provides a seamless user experience by using familiar mobile interactions. When a login is initiated on the screenless device, the user receives a standard push notification on their phone from the companion app stating that a login is pending and prompting them to act. Tapping the notification takes them into the app, which opens the FIDO:/ URL; this invokes the native passkey interface of the mobile operating system (iOS or Android). The hybrid flow begins as soon as the app is opened in response to the request, on the rationale that the user has already shown intent by tapping the notification or opening the app. The mandatory user verification step, such as a fingerprint scan, face recognition or PIN entry, that the mobile OS requires before any passkey operation remains in place, so the user still explicitly approves the assertion.
3. The Step-by-Step Authentication Process
The technical execution begins when a user initiates a login on a device like an XR headset. The device's browser locally constructs the same payload that would normally be embedded in a QR code: a fresh Elliptic Curve Diffie-Hellman (ECDH) public key, whose private half stays on the device and keys the later handshake; a random per-session secret, from which the phone derives the BLE advertisement key, the tunnel identifier and the handshake pre-shared key (this is what ties the session to this one request and defeats replay); and the tunnel-server information needed for the subsequent handshake. Rather than rendering this as a scannable image, the browser encodes it as a standardized FIDO:/ URL, the hybrid-transport form that instructs a receiving mobile device to begin the passkey authentication sequence. The headset then needs a reliable way to transfer the URL to the user's phone, and it uses the companion app's authenticated push notification channel: the FIDO URL is encapsulated as structured data in a GraphQL-based push notification, sent to the app's backend servers, and delivered to the mobile device registered to the same account.
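To make the payload concrete, here is an added example (not the page's code and not any vendor's implementation) that builds a FIDO:/ URL on the headset side, parses it on the phone side and derives the per-session keys from the secret it carries. The CBOR map keys, the decimal digit encoding and the derive() purpose numbers follow the CTAP 2.2 hybrid transport section as I read it and are marked as assumptions in the code; the public key is a placeholder byte string, not a real P-256 point.

```python
"""FIDO:/ URL build/parse plus derive() from the QR secret. Added example, not the page's
or any vendor's code. Map keys, digit encoding and derive() purposes are my reading of the
CTAP 2.2 hybrid transport section (assumptions marked); the public key is a placeholder."""
import hashlib, hmac, struct, time

# --- minimal CBOR, only the item types the payload uses ---
def _head(major, n):
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, fmt, limit in ((24, ">B", 1 << 8), (25, ">H", 1 << 16), (26, ">I", 1 << 32), (27, ">Q", 1 << 64)):
        if n < limit:
            return bytes([(major << 5) | ai]) + struct.pack(fmt, n)
    raise ValueError("integer too large for CBOR")

def cbor_encode(v):
    if isinstance(v, bool):
        return b"\xf5" if v else b"\xf4"
    if isinstance(v, int):
        return _head(0, v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, dict):  # canonical order: small integer keys sort numerically
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(v[k]) for k in sorted(v))
    raise TypeError(type(v))

def cbor_decode(b, pos=0):
    major, n, pos = b[pos] >> 5, b[pos] & 0x1F, pos + 1
    if n >= 24:
        size = {24: 1, 25: 2, 26: 4, 27: 8}[n]
        n, pos = int.from_bytes(b[pos:pos + size], "big"), pos + size
    if major == 0:
        return n, pos
    if major in (2, 3):
        raw = b[pos:pos + n]
        return (raw if major == 2 else raw.decode()), pos + n
    if major == 5:
        d = {}
        for _ in range(n):
            k, pos = cbor_decode(b, pos)
            d[k], pos = cbor_decode(b, pos)
        return d, pos
    if major == 7 and n in (20, 21):  # false / true
        return n == 21, pos
    raise ValueError("unsupported CBOR item")

# --- digit encoding: each 7-byte chunk becomes 17 decimal digits (little-endian integer);
# a shorter final chunk uses a fixed width so its length is unambiguous (assumed table) ---
_TAIL_DIGITS = {1: 3, 2: 5, 3: 8, 4: 10, 5: 13, 6: 15}
_TAIL_BYTES = {d: n for n, d in _TAIL_DIGITS.items()}

def digit_encode(data):
    out = []
    for i in range(0, len(data), 7):
        chunk = data[i:i + 7]
        width = 17 if len(chunk) == 7 else _TAIL_DIGITS[len(chunk)]
        out.append(str(int.from_bytes(chunk, "little")).zfill(width))
    return "".join(out)

def digit_decode(digits):
    out = bytearray()
    for i in range(0, len(digits), 17):
        chunk = digits[i:i + 17]
        nbytes = 7 if len(chunk) == 17 else _TAIL_BYTES.get(len(chunk))
        if nbytes is None or not chunk.isdigit():
            raise ValueError("malformed digit encoding")
        out += int(chunk).to_bytes(nbytes, "little")  # OverflowError if a chunk exceeds its width
    return bytes(out)

# Assumed CTAP 2.2 map keys: 0 compressed P-256 public key, 1 16-byte QR secret, 2 number of
# tunnel-server domains the device knows, 3 epoch seconds, 4 state-assisted support, 5 hint.
def build_fido_url(public_key, qr_secret, tunnel_domains=2, now=None, hint="ga"):
    payload = {0: public_key, 1: qr_secret, 2: tunnel_domains,
               3: int(time.time() if now is None else now), 4: True, 5: hint}
    return "FIDO:/" + digit_encode(cbor_encode(payload))

def parse_fido_url(url):
    """Phone side: recover the fields, rejecting anything that is not a well-formed request."""
    if not url.startswith("FIDO:/"):
        raise ValueError("not a hybrid-transport FIDO URL")
    raw = digit_decode(url[len("FIDO:/"):])
    fields, end = cbor_decode(raw)
    if end != len(raw) or not isinstance(fields, dict) \
            or len(fields.get(0, b"")) != 33 or len(fields.get(1, b"")) != 16:
        raise ValueError("malformed hybrid-transport payload")
    return fields

def hkdf_sha256(ikm, salt, info, length):
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + block, i + 1
    return okm[:length]

# Assumed derive() purposes: 1 = BLE advertisement (EID) key, 2 = tunnel ID, 3 = handshake PSK.
EID_KEY, TUNNEL_ID, PSK = 1, 2, 3

def derive(qr_secret, purpose, length):
    # EID key is 64 bytes (AES half + HMAC half), tunnel ID 16 bytes, PSK 32 bytes.
    return hkdf_sha256(qr_secret, b"", struct.pack("<I", purpose), length)
```

The point to notice is that everything the phone does next (the advertisement key, the tunnel name, the handshake PSK) is derived from the 16-byte secret, while the headset's private key never appears in the URL; that is what makes the URL safe to hand to a push channel as long as that channel is authenticated and short-lived.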
On delivery, the request appears as a standard iOS or Android notification telling the user that a login request is pending. When the user taps it, the operating system treats the notification's link as a deep link and routes it to the companion app, which opens the FIDO:/ URL through the system's URL launcher; the OS recognizes the scheme and invokes its native passkey interface. For users who have notifications disabled, a fallback keeps the process accessible: launching the companion app queries the backend for any pending passkey requests associated with the account, and if a valid, unexpired request exists the app starts the same flow. Once the OS passkey interface is active, the phone runs the standard hybrid transport sequence. It derives the session keys from the secret in the URL, broadcasts an encrypted BLE advertisement that the headset must receive and decrypt (this is the proximity proof, so the headset needs a BLE receiver even though it has no screen), and both sides connect to a tunnel server, over which they complete a handshake keyed by the headset's ECDH key so that the tunnel server only ever relays ciphertext. The WebAuthn challenge is then exchanged over this channel; after user verification on the phone, the authenticator produces the passkey assertion and sends it back to the headset, which forwards it to the relying party to finish the login.
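The backend half of this delivery path, with the fallback query for pending requests, is worth seeing in code. The following is an added example (not the page's or any vendor's code) of the companion app's backend keeping one pending hybrid-transport request per headset, scoped to the account it came from. It deliberately departs from the page in one respect, flagged in the comments: the push carries only an opaque request id and the app fetches the FIDO:/ URL over its authenticated session when it claims the request, so the URL and its secret are never in a notification body. The two-minute TTL and single-use claim are this example's design choices.

```python
"""Companion-app backend: hold a headset's pending hybrid-transport request for one account,
push a notification, and let the app claim it (from the tap, or on launch when notifications
are off). Added example, not the page's or any vendor's code; the opaque-id push, the TTL,
the single-use claim and the account scoping are this example's design choices."""
import secrets
import time

PENDING_TTL_SECONDS = 120  # assumed: a hybrid request is only useful for a short window

def is_hybrid_url(url):
    return url.startswith("FIDO:/") and url[len("FIDO:/"):].isdigit()

class PendingPasskeyRequests:
    def __init__(self, push, clock=time.time):
        self._push = push      # callable(account_id, request_id): sends the notification
        self._clock = clock
        self._pending = {}     # request_id -> {"account", "device", "url", "expires"}

    def enqueue(self, account_id, device_id, fido_url):
        """Called by the headset's authenticated session. Returns the opaque id put in the push."""
        if not is_hybrid_url(fido_url):
            raise ValueError("refusing to relay something that is not a hybrid-transport FIDO URL")
        # One live request per device: a newer login attempt supersedes the old one.
        for rid in [r for r, e in self._pending.items()
                    if (e["account"], e["device"]) == (account_id, device_id)]:
            del self._pending[rid]
        request_id = secrets.token_urlsafe(16)
        self._pending[request_id] = {"account": account_id, "device": device_id, "url": fido_url,
                                     "expires": self._clock() + PENDING_TTL_SECONDS}
        # Unlike the page's design, the notification carries only the id; the URL (and the
        # secret inside it) is released to the app over its authenticated session on claim.
        self._push(account_id, request_id)
        return request_id

    def _expire(self):
        now = self._clock()
        for rid in [r for r, e in self._pending.items() if e["expires"] <= now]:
            del self._pending[rid]

    def claim(self, account_id, request_id=None):
        """Hand out (device_id, fido_url) exactly once, or None. With a request_id (from the
        tapped notification) only that request is returned, and only to its own account;
        without one (app opened manually) the oldest pending request for the account is
        returned, which is the fallback path described in the text."""
        self._expire()
        if request_id is not None:
            entry = self._pending.get(request_id)
            if entry is None or entry["account"] != account_id:
                return None    # unknown, expired, or another account's request
            del self._pending[request_id]
            return entry["device"], entry["url"]
        for rid, entry in sorted(self._pending.items(), key=lambda kv: kv[1]["expires"]):
            if entry["account"] == account_id:
                del self._pending[rid]
                return entry["device"], entry["url"]
        return None
```

Whichever way the URL travels, the checks that matter are the ones visible here: the request is tied to the account that created it, it can be claimed once, it expires on a timescale similar to the hybrid transport's own, and a later login attempt from the same headset replaces rather than accumulates pending requests.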
4. Implications and Future Horizons
This implementation overcame the fundamental challenge of using passkeys on devices without a display. It removed the QR code from the cross-device flow while keeping the proximity and trust requirements that underpin the security of the passkey standard: the BLE advertisement still proves the two devices are co-located, and the handshake is still keyed by material that never left the headset. Leveraging an existing trusted channel, the companion application, kept the security bar high while giving users a familiar experience. Authenticated push notifications proved a robust and reliable substitute for the visual QR code as the carrier of the FIDO:/ URL. From the relying party's perspective the transaction, from initiation on the screenless device to the final assertion from the mobile authenticator, was an ordinary WebAuthn login. The system notification and the app launch path both served as user consent surfaces, and the OS user verification step ensured the user was aware of, and in control of, the authentication event being approved.
This approach paves the way for a significant expansion of secure, passwordless authentication. Its impact extends beyond XR devices, offering a viable and scalable solution for platforms and ecosystems that have so far been excluded from passkeys: wearable technology, smart home hubs and industrial IoT devices, where screens are often impractical or absent. The method builds on the foundational work of the FIDO Alliance and its partners in mobile operating systems, contributing to a more robust and interoperable ecosystem for secure login. By showing that passwordless security can be adapted to even the most constrained hardware, this work moves the industry closer to a future in which strong, phishing-resistant authentication is available on every device a user interacts with, regardless of its form factor.
