Passkey management
HCL Domino offers a sustainable approach to the creation and management of passkeys: passkey metadata stored on local authenticators is kept up to date with changes made on the Domino server.
Managing passkeys
End users can manage their own passkeys in the Passkey database by selecting the Create or manage passkeys checkbox when logging in to the Domino HTTP server. This user interface allows end users to view and manage all of their registered passkeys for a given internet site. Note that a user's last remaining passkey cannot be deleted; this minimizes the risk of end users accidentally locking themselves out of the server.
Domino returns passkey creation and management endpoints from the new passkey well-known endpoint (https://www.example.com/.well-known/passkey-endpoints), as defined in the W3C working draft A Well-Known URL for Relying Party Passkey Endpoints, if the RP ID matches the Internet Site name. For example, if the configured RP ID for www.example.com is example.com, the well-known endpoint is not returned, but if the configured RP ID for www.example.com is www.example.com, it is returned. Credential providers and password managers can query this standardized endpoint and allow end users to create new passkeys and manage their existing passkeys for a site from within their own user experience.
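The following JavaScript is an added example and is not HCL Domino's code. It models the two sides of the well-known endpoint described above: the server-side rule that the document is only served when the configured RP ID matches the Internet Site name, and the client-side parsing a credential provider would do before trusting the returned URLs. The endpoint paths under /passkeys/ and the validation policy (https only, host within the RP ID) are assumptions; the JSON member names enroll and manage follow the W3C draft.

```javascript
// Added example, not HCL Domino's code. The /passkeys/enroll and
// /passkeys/manage paths are hypothetical placeholders.

// Server side: the document for /.well-known/passkey-endpoints, or null
// (i.e. respond 404) when the RP ID does not match the Internet Site name.
// Host names are compared case-insensitively (assumption; DNS names are
// case-insensitive, the page itself only states that they must match).
function passkeyEndpointsDocument(siteName, rpId, enrollUrl, manageUrl) {
  if (siteName.toLowerCase() !== rpId.toLowerCase()) return null;
  return { enroll: enrollUrl, manage: manageUrl };
}

// Client side (what a password manager or credential provider would do):
// parse the JSON and accept only https: URLs whose host is the RP ID or a
// subdomain of it, so a misconfigured or spoofed document cannot send users
// to an unrelated origin. This validation policy is an assumption of the
// example, not a requirement quoted from the draft. Returns null on any
// defect; both members are treated as optional here.
function parsePasskeyEndpoints(jsonText, rpId) {
  let doc;
  try { doc = JSON.parse(jsonText); } catch { return null; }
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) return null;
  const rp = rpId.toLowerCase();
  const out = {};
  for (const key of ['enroll', 'manage']) {
    if (!(key in doc)) continue;
    if (typeof doc[key] !== 'string') return null;
    let url;
    try { url = new URL(doc[key]); } catch { return null; }
    if (url.protocol !== 'https:') return null;
    const host = url.hostname.toLowerCase();
    if (host !== rp && !host.endsWith('.' + rp)) return null;
    out[key] = url.href;
  }
  return out;
}

// Walk-through with the hosts from the text: only the second configuration
// yields a document, and the client accepts it unchanged.
function demo() {
  const mismatch = passkeyEndpointsDocument('www.example.com', 'example.com',
    'https://www.example.com/passkeys/enroll', 'https://www.example.com/passkeys/manage');
  const match = passkeyEndpointsDocument('www.example.com', 'www.example.com',
    'https://www.example.com/passkeys/enroll', 'https://www.example.com/passkeys/manage');
  const parsed = match ? parsePasskeyEndpoints(JSON.stringify(match), 'www.example.com') : null;
  return { mismatch, match, parsed };
}
```

Run `demo()` to see that the example.com RP ID produces `null` while the www.example.com RP ID produces a document that round-trips through the client parser; feeding the parser an `http:` URL or a URL on another host yields `null`.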
Keeping passkeys up to date
One of the concerns that some people have with passkeys is the inability of servers to communicate changes back to the authenticators holding those passkeys. Starting in 14.5.1, these concerns are addressed with three new WebAuthn Signal APIs that Domino uses by default to keep information in authenticators synchronized with information in Domino's Passkey database (passkey.nsf). When a user changes their name or email address in Domino, the signalCurrentUserDetails API is used to inform the authenticator of the update. When a user attempts to authenticate with a passkey that was deleted from passkey.nsf, the signalUnknownCredential API informs the authenticator that the credential is no longer useful. Finally, after a user authenticates to Domino with a passkey, Domino uses the signalAllAcceptedCredentials API to inform the authenticator of the current set of valid credentials for that user, so the authenticator can remove any no-longer-accepted credentials for that site.
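The following JavaScript is an added example, not code from HCL Domino; it shows how a relying party's browser-side page would map the three server events described above onto the WebAuthn Signal APIs (PublicKeyCredential.signalCurrentUserDetails, signalUnknownCredential and signalAllAcceptedCredentials). The RP ID, the event shapes the server is assumed to hand the page (user-updated, unknown-credential, login-succeeded) and the base64url identifiers are constructed for the example; the option field names are the ones the Signal APIs define.

```javascript
// Added example, not HCL Domino's code. RP ID and event shapes are assumed.
const RP_ID = 'www.example.com';

// Payload builders are pure functions so the mapping can be checked without a
// browser. userId and credential ids are base64url strings, as the APIs expect.
function currentUserDetailsSignal(user) {
  return { rpId: RP_ID, userId: user.id, name: user.name, displayName: user.displayName };
}

function unknownCredentialSignal(credentialId) {
  return { rpId: RP_ID, credentialId };
}

function allAcceptedCredentialsSignal(user, acceptedCredentialIds) {
  return { rpId: RP_ID, userId: user.id, allAcceptedCredentialIds: [...acceptedCredentialIds] };
}

// Map one server event onto the signal it should trigger. Throws on an event
// the page does not understand, so a server/client mismatch is noticed.
function signalForEvent(event) {
  switch (event.type) {
    case 'user-updated':
      return { kind: 'currentUserDetails', payload: currentUserDetailsSignal(event.user) };
    case 'unknown-credential':
      return { kind: 'unknownCredential', payload: unknownCredentialSignal(event.credentialId) };
    case 'login-succeeded':
      return { kind: 'allAcceptedCredentials',
               payload: allAcceptedCredentialsSignal(event.user, event.acceptedCredentialIds) };
    default:
      throw new Error(`unknown event type: ${event.type}`);
  }
}

// Feature-detect the browser's static methods; each entry is null when the
// browser lacks that API, so the page degrades gracefully instead of throwing.
function defaultSignals() {
  const pkc = typeof PublicKeyCredential !== 'undefined' ? PublicKeyCredential : {};
  return {
    currentUserDetails: pkc.signalCurrentUserDetails ? (o) => pkc.signalCurrentUserDetails(o) : null,
    unknownCredential: pkc.signalUnknownCredential ? (o) => pkc.signalUnknownCredential(o) : null,
    allAcceptedCredentials: pkc.signalAllAcceptedCredentials ? (o) => pkc.signalAllAcceptedCredentials(o) : null,
  };
}

// Send the signal for an event. `signals` can be replaced with a fake for
// testing. Resolves to the signal kind sent, 'unsupported' when the browser
// has no such API, or 'failed' if the call rejected. Signals are best effort:
// a failure here must never block the login or profile flow that produced it.
async function dispatchSignal(event, signals = defaultSignals()) {
  const { kind, payload } = signalForEvent(event);
  const fn = signals[kind];
  if (!fn) return 'unsupported';
  try { await fn(payload); } catch { return 'failed'; }
  return kind;
}

// Constructed sample data: one user with two registered credentials, one of
// which the server has since deleted from passkey.nsf.
const SAMPLE_USER = { id: 'dXNlci0xMjM', name: 'jdoe@example.com', displayName: 'Jane Doe' };
const SAMPLE_EVENTS = [
  { type: 'user-updated', user: { ...SAMPLE_USER, name: 'jane.doe@example.com' } },
  { type: 'unknown-credential', credentialId: 'Y3JlZC1kZWxldGVk' },
  { type: 'login-succeeded', user: SAMPLE_USER, acceptedCredentialIds: ['Y3JlZC1saXZl'] },
];
```

In a page served by the relying party, `SAMPLE_EVENTS.forEach((e) => dispatchSignal(e))` would issue the three signals in turn; in Node, or in a browser without Signal API support, every call resolves to 'unsupported' and nothing else changes, which is the degradation a login flow should tolerate.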