To implement passkeys for API based on your custom UI, you can follow these steps: 1. Understand the WebAuthn Specification: Passkeys use the WebAuthn standard to generate and manage cryptographic key pairs for users. WebAuthn is a browser standard and does not work in native mobile apps. It is limited to one domain and does not work in a local environment when using CNAME / Ory Proxy. Implementing WebAuthn in your own UI can be challenging, depending on which framework to use. You can check Ory's reference implementations for [React Native](https://github.com/ory/kratos-selfservice-ui-react-native), [Node.js](https://github.com/ory/kratos-selfservice-ui-node), [React/SPA](https://github.com/ory/react-nextjs-example) for guidance ([source](https://www.ory.sh/docs/kratos/passwordless/passkeys#constraints)). 2. Choose a Passkey Strategy: Ory Network implements a dedicated passkey strategy that improves the ergonomics over using the webauthn strategy for first-factor login. You can compare the two approaches and choose the one that suits your needs ([source](https://www.ory.sh/docs/kratos/passwordless/passkeys#choose-passkey-strategy)). 3. Implement Passwordless Authentication: Passwordless authentication uses the WebAuthn specification to authenticate users with hardware keys, biometrics, or passkeys. For an application to use WebAuthn, add the

/.well-known/ory/webauthn.js

WebAuthn JavaScript to the page. Ory provides the on-click handler for the button to start the passwordless authentication flow. The flow works as follows: - Create login flow. - Render the UI with the

webauthn

group. - User enters their identifier and clicks the

Sign in with security key

button. - The form is submitted which starts a new flow with the

webauthn

group. - Render the new UI which prompts the user to insert their security key. - The user inserts their security key and clicks the

Continue

button. Here is the code snippet to add the WebAuthn JavaScript to the page:

<head>        <script src="/.well-known/ory/webauthn.js"></script>      </head>

([source](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#passwordless-authentication)) 4. UI Messages: Ory provides UI messages for adding a passkey, signing in with a passkey, and signing up with a passkey. You can use these messages in your custom UI to guide the user through the process ([source](https://www.ory.sh/docs/kratos/concepts/ui-messages#add-passkey-1050019), [source](https://www.ory.sh/docs/kratos/concepts/ui-messages#sign-in-with-passkey-1010021), [source](https://www.ory.sh/docs/kratos/concepts/ui-messages#sign-up-with-passkey-1040007)). Remember, implementing passkeys in your own UI can be challenging and may require a good understanding of the WebAuthn specification and the Ory Kratos framework.

Sure, here are some references that can help you with passkey implementation: 1. WebAuthn Guide: This guide provides a comprehensive understanding of the WebAuthn specification, which is the underlying technology for passkeys. It can help you understand the client-server challenge/response mechanism used by WebAuthn. You can find the guide [here](https://webauthn.guide/). 2. WebAuthn GitHub Issue: This GitHub issue discusses the limitations of WebAuthn, specifically its restriction to one domain. This can be useful if you're planning to use WebAuthn in a local environment with CNAME / Ory Proxy. You can find the issue [here](https://github.com/w3c/webauthn/issues/1372). 3. Ory Kratos Reference Implementations: Ory provides reference implementations for different frameworks that can help you understand how to implement WebAuthn in your own UI. You can find the implementations for [React Native](https://github.com/ory/kratos-selfservice-ui-react-native), [Node.js](https://github.com/ory/kratos-selfservice-ui-node), and [React/SPA](https://github.com/ory/react-nextjs-example). 4. Ory Kratos Documentation: The Ory Kratos documentation provides detailed information on how to manage identities, customize identity schemas, and implement passwordless authentication. You can find the documentation [here](https://www.ory.sh/docs/kratos/). 5. FIDO Alliance: The FIDO Alliance provides resources on passkeys, which are a password replacement that provides faster, easier, and more secure sign-ins to websites and apps across a user's devices. You can find more information [here](https://fidoalliance.org/passkeys/). Remember, implementing passkeys in your own UI can be challenging and may require a good understanding of the WebAuthn specification and the Ory Kratos framework.

To enable two-step login with Ory Kratos version 1.3.1, you need to configure the login flow style as "identifier first". This feature is also known as two-step registration or identifier-first authentication. Here's how you can enable it: 1. For self-hosted Ory Kratos: Add the following configuration to your

kratos.yaml

config file:

yaml    selfservice:      flows:        login:          style: identifier_first

[Source](https://www.ory.sh/docs/identities/sign-in/identifier-first-authentication) 2. For Ory Network: You can enable this feature through the Ory Console: 1. Log in to the [Ory Console](https://console.ory.sh). 2. Select your project. 3. Navigate to Project Settings > Advanced. 4. Enable "New Account Experience". 5. Click "Save Changes". [Source](https://www.ory.sh/docs/identities/sign-in/identifier-first-authentication) It's important to note that as of Ory Kratos version 1.2.0, two-step registration became the default behavior. To disable it and revert to the legacy one-step registration, you would need to set

selfservice.flows.registration.enable_legacy_one_step

to

true

in your configuration. [Source](https://github.com/ory/kratos/discussions/4025) After enabling this feature, the login flow will first request the user's identifier (such as an email or username) before prompting for a password or other authentication methods. This creates a more streamlined user experience, especially when multiple authentication strategies are enabled. Remember to test the flow in your application by navigating to the login page after making these changes.