<@U04UQ68083H> Do passkey support in self hosted o...
# ory-copilot
r
@chilly-king-10285 Is passkey supported in self-hosted Ory for native apps?
b
A message from kapa.ai
Based on the knowledge sources, there are some limitations regarding passkey support for native apps in self-hosted Ory.

Currently, Ory's WebAuthn/passkey implementation is primarily browser-focused and requires JavaScript and browser APIs. This creates challenges for native mobile applications. According to an Ory team member's comment on a GitHub issue:

> "As for the Ory Network - I believe that we do not support WebAuthN on native devices for now. The current implementation of it is pretty browser focused and requires JS and browser APIs (as you mentioned)." [GitHub Issue #284](https://github.com/ory/network/issues/284)

For native apps, the typical approach would be to open a browser window (using ASWebAuthenticationSession on iOS or Custom Tabs on Android) to handle the authentication flow, as mentioned in the documentation for social sign-in:

> "The user clicks the social sign-in button. A browser window opens (using ASWebAuthenticationSession on iOS or Custom Tabs on Android)." [Social sign-in for native apps](https://www.ory.sh/docs/kratos/social-signin/native-apps)

There's also an open issue regarding the use of YubiKeys with the passkey strategy, which indicates some limitations in the current implementation for external authentication devices in self-hosted environments.

It appears that full WebAuthn/passkey support for native applications is on Ory's roadmap, but not fully implemented yet:

> "We do however have it on the roadmap and would love to support WebAuthN in its full capacity on all supported devices in the (near) future." [GitHub Issue #284](https://github.com/ory/network/issues/284)

If you're looking to implement biometric authentication in a native app with self-hosted Ory, you might need to consider alternative approaches or wait for full native support to be implemented.
r
@chilly-king-10285 Can we use an external passkey to integrate with Ory for native apps, as self-hosted Ory has some limitations with its own passkey for native apps?
b
A message from kapa.ai
Based on the knowledge sources, there are still limitations when it comes to using external passkeys with native apps in a self-hosted Ory environment.

The documentation explicitly states that WebAuthn (which includes passkey functionality) has specific constraints:

> "WebAuthn is a browser standard. It does not work in native mobile apps." [Passkeys & WebAuthN > Constraints](https://www.ory.sh/docs/kratos/passwordless/passkeys#constraints)

This limitation is also confirmed in another document:

> "WebAuthn is a browser-only standard. It doesn't work with native mobile apps." [WebAuthn and FIDO2 (YubiKey)](https://www.ory.sh/docs/kratos/mfa/webauthn-fido-yubikey)

For native apps, the current approach involves opening a browser window to handle authentication flows, similar to how social sign-in works:

> "The user clicks the social sign-in button. A browser window opens (using ASWebAuthenticationSession on iOS or Custom Tabs on Android)." [Social sign-in for native apps](https://www.ory.sh/docs/kratos/social-signin/native-apps)

There is a GitHub discussion that specifically addresses NFC authentication, which mentions that:

> "Sign up via NFC works on mobile and log in works afterwards from desktop -> mobile. For a desktop -> mobile direct path one needs to implement a FIDO2/WebAuthn proxy under a Credential Manager provider Android app." [GitHub Discussion #4046](https://github.com/ory/kratos/discussions/4046)

However, this appears to be a workaround rather than a fully supported feature, and it may require significant custom development.

In summary, while there might be some workarounds possible, the official documentation indicates that external passkeys (including hardware tokens like YubiKeys) are not natively supported for direct integration with native apps in self-hosted Ory. The recommended approach would still involve using browser-based authentication flows through ASWebAuthenticationSession (iOS) or Custom Tabs (Android).