
Web-Only Credential Recovery

High-Assurance Re-Enrollment Through Mobile Browsers

Enable self-service credential recovery without app installation. Leverage modern web APIs—WebAuthn, Digital Credentials, and browser-based identity verification—to deliver enterprise-grade security through any mobile browser.

The Passwordless Recovery Challenge

In a passwordless environment, traditional "reset your password" flows no longer apply. When users lose their primary authenticator, a poorly implemented recovery process can undermine all security gains—falling back to phishable SMS codes or email links.

Identity Assurance Gap

Without an existing authenticator, the system must establish identity from scratch using high-assurance proofing methods.

No Trusted Device

Users may have lost their enrolled device. The solution must rely on browser APIs alone to reach security comparable to app-based recovery.

Enterprise Integration

Recovery must interface with corporate directories and update credentials through provided SDK hooks.

User Experience

Remote identity proofing can be cumbersome. Clear guidance and real-time feedback are critical to success.

No App Installation

Some environments restrict apps, or users simply don't have one installed at lockout time.

Attack Surface

The recovery portal itself could be targeted. Robust anti-spoofing and anti-automation are essential.

End-to-End Recovery Workflow

From accessing the recovery portal to provisioning new hardware-bound credentials, every step is designed for maximum security and user clarity.

1. Access Portal: navigate to the recovery URL
2. Document Scan: capture a government-issued ID
3. Selfie Capture: live facial verification
4. Liveness Check: anti-spoofing detection
5. Identity Match: verify against records
6. Policy Check: enforce organizational policies
7. Passkey Creation: WebAuthn enrollment
8. Revoke Old Credentials: invalidate lost factors

Steps 1-2: Portal Access & Document Capture

User navigates to a dedicated public recovery URL (e.g., recover.company.com) on their mobile browser. After identifying themselves via username or personalized link, the portal requests camera permission to scan their government-issued photo ID using HTML5 getUserMedia.

Steps 3-4: Selfie Capture & Liveness Detection

The portal prompts a live selfie with face alignment guidance. Liveness detection (ISO 30107-3 certified) verifies the sample is from a physically present person—analyzing eye reflections, 3D movement, and presentation attack indicators to defeat photos, videos, and deepfakes.

Steps 5-6: Identity Match & Policy Evaluation

Verified identity attributes (name, DOB) are matched against corporate records (AD/HRIS). The system enforces organizational policies—requiring higher assurance levels or secondary approval for privileged accounts before proceeding.

Steps 7-8: WebAuthn Enrollment & Revocation

The portal invokes navigator.credentials.create() to register a new FIDO2 passkey in the device's Secure Enclave/TEE. The private key never leaves the device. All previously registered authenticators are revoked simultaneously to prevent misuse of lost credentials.

Browser-Based Identity Verification

Modern mobile browsers provide powerful APIs for camera access, biometric authentication, and hardware security—enabling high-assurance identity proofing without native apps.

Mobile Browser (recover.company.com over HTTPS)

  • Camera Access: getUserMedia
  • WebAuthn API: credentials.create()
  • Digital Credentials: W3C API

Device Hardware

Secure Enclave / TEE

Hardware-isolated key storage

Biometric Sensor

Face ID / Touch ID / Fingerprint

NFC Reader

ePassport chip verification (Android)

Core Verification Methods

Live Document Capture

HTML5 getUserMedia enables seamless camera access. The captured ID image is analyzed for security features, holograms, text consistency, and compared against known document templates for forensic verification.

Biometric Facial Matching

The captured selfie is compared to the ID photo using facial recognition algorithms with high-threshold matching. This confirms the person holding the ID is the legitimate owner, preventing use of stolen documents.

Liveness Detection

ISO/IEC 30107-3 certified algorithms analyze skin texture, eye reflections, 3D movement, and challenge-response actions. Passive and active liveness techniques defeat photos, pre-recorded videos, and synthetic deepfakes.

Enhanced Verification Options

NFC ePassport Reading

On supported Android devices, Web NFC can read the embedded chip of ePassports, which contains digitally signed holder data. This provides government-grade verification with cryptographic proof of document authenticity.

Note: iOS Safari does not support Web NFC. Fallback to document scan is always available.

Digital ID Wallets

The W3C Digital Credentials API enables Safari (iOS 17+) to request verified identity info from mobile driver's licenses in Apple Wallet. Users consent via Face ID, and issuer-signed data is shared directly—no document scanning required.

WebAuthn Hardware Binding

navigator.credentials.create() generates FIDO2 passkeys stored in the device's Secure Enclave/TEE. The private key never leaves hardware, and biometric unlock (Face ID, fingerprint) provides the "something you are" factor.

Digital ID Wallet Integration

Leverage cryptographically verified digital credentials stored in Apple Wallet or Android Wallet for the fastest, highest-assurance identity verification experience.

Apple Wallet

iOS 17+ Digital ID

Safari Digital Credentials API
Face ID consent flow
Cross-device QR handoff
Issuer-signed data

Android Wallet

Identity Credential API

W3C Digital Credentials
Biometric unlock
Web NFC for ePassports
Hardware attestation

Cross-Device QR Handoff

For users on non-iOS browsers, Safari's Digital Credentials API supports an inter-device flow: display a QR code on the recovery page that the user scans with their iPhone to share their digital ID info. This enables cross-platform capability while maintaining the security benefits of hardware-backed credentials.

Defense-in-Depth Security Architecture

Multiple layers of security controls protect the recovery process from session hijacking, replay attacks, XSS, and device compromise.

HTTPS + HSTS + Certificate Pinning
Content Security Policy (CSP) + Origin Isolation
Browser Session: DPoP Token Binding • CSRF Protection • Session Nonces
Verification Engine: Liveness Detection • Document Forensics • Biometric Matching
Device Attestation: WebAuthn Attestation • Play Integrity / DeviceCheck • Browser Fingerprinting
Enterprise Integration Layer: Identity Store • Policy Engine • Credential Registry • Audit Logging

DPoP Token Binding

OAuth 2.0 Demonstration of Proof-of-Possession cryptographically ties tokens to the browser instance. Stolen tokens are useless without the device's private key.

Content Security Policy

Strict CSP allows only approved scripts, blocking XSS and injection attacks. Sandbox attributes isolate third-party verification widgets.

Device Attestation

WebAuthn attestation statements indicate authenticator model and certification level. Play Integrity/DeviceCheck detect rooted or compromised devices.

Session Nonces & CSRF

Single-use tokens protect against replay. CSRF tokens prevent malicious sites from posting data to the recovery portal.

Rate Limiting

Throttled verification attempts prevent brute force. Suspicious activity triggers lockout and security alerts.

Audit Logging

Every event is logged with cryptographic evidence. SIEM integration enables anomaly detection and compliance reporting.

Browser Compatibility Matrix

The solution uses progressive enhancement: advanced APIs are used where available, with graceful fallbacks ensuring broad compatibility across all modern mobile browsers.

Feature | Safari (iOS) | Chrome (Android) | Firefox | Edge
WebAuthn / Passkeys
Camera Access (getUserMedia)
Digital Credentials API
Web NFC (ePassport)
Secure Enclave / TEE
DPoP Token Binding

Legend: Fully Supported / Partial Support / Not Supported

Platform-Specific Considerations

iOS / Safari

  • Digital Credentials API for Apple Wallet IDs (iOS 17+)
  • No Web NFC support; document scan fallback required
  • WebAuthn with Secure Enclave passkeys fully supported

Android / Chrome

  • Web NFC available for ePassport chip reading
  • Digital Credentials API: emerging support
  • WebAuthn with TEE-backed passkeys fully supported

Enterprise SDK Integration

Delivered as a JavaScript SDK with backend reference code, the solution integrates seamlessly with your existing identity infrastructure—Active Directory, HRIS, and credential registries.

Frontend SDK

JavaScript components for camera capture, WebAuthn, and Digital Credentials API interactions.

SecureAuth.Recovery.init({...})

Backend Reference

Server-side code for identity verification, policy enforcement, and credential management.

verifyIdentity() → enrollCredential()

Enterprise Hooks

Integration points for AD/HRIS lookup, policy evaluation, and credential registry updates.

onVerified(user) → updateRegistry()

Integration Capabilities

  • Account lookup via AD/HRIS with attribute matching
  • Configurable identity assurance level requirements
  • Policy hooks for approval workflows
  • Credential registry updates (FIDO2, QR factors)
  • Automatic revocation of compromised authenticators
  • Federation claim updates (SAML/OIDC assurance levels)

Audit & Compliance

  • Complete verification event logging
  • Hashed document reference storage
  • Identity assurance level tagging
  • SIEM integration for anomaly detection
  • GDPR-compliant data handling
  • Configurable evidence retention policies

Web-Only Vs. Legacy Recovery

Traditional web recovery relies on phishable channels and weak verification. Our web-only solution delivers app-level security through modern browser APIs.

Legacy Web Recovery

  • Email/SMS reset links (phishable)
  • Security questions (guessable)
  • No biometric verification
  • Password-based re-enrollment
  • No device binding

Web-Only High-Assurance

  • Government ID + biometric verification
  • Liveness detection (ISO 30107-3)
  • WebAuthn passkey enrollment
  • Hardware-bound credentials
  • DPoP token binding + CSP

Identity Assurance

  Legacy: Low (knowledge-based)
  Web-Only: High (IAL2+ compliant)

Phishing Resistance

  Legacy: Vulnerable (email/SMS)
  Web-Only: Resistant (hardware-bound)

Device Binding

  Legacy: None
  Web-Only: Secure Enclave / TEE

Security Comparison

Why Native App Remains The Stronger Option

While web-only recovery provides excellent accessibility and convenience, native mobile apps offer measurably stronger security guarantees for high-risk recovery scenarios.

Security Area | Mobile Web (Browser) | Native Mobile App

Phishing Resistance
  Mobile Web: User can be tricked into look-alike sites; mitigations help but the browser is inherently URL-driven
  Native App: App distribution + deep link controls reduce the spoofing surface significantly

Client Integrity Attestation
  Mobile Web: Very limited; web apps can't strongly prove untampered client code
  Native App: Strong; iOS App Attest and Android Play Integrity provide cryptographic proof

Device Integrity / Posture
  Mobile Web: Weak access to managed-device posture; mostly indirect signals
  Native App: Stronger options; consume device integrity and attestation signals directly

Hardware-Backed Key Storage
  Mobile Web: WebCrypto generates keys but can't guarantee hardware-backed storage
  Native App: Non-exportable keys in Keychain/Keystore with Secure Enclave/TEE protection

Token Replay Protection
  Mobile Web: DPoP possible, but key storage is browser-managed and not guaranteed hardware-backed
  Native App: DPoP/mTLS with keys bound to Secure Enclave/TEE for the strongest protection

Certificate Pinning
  Mobile Web: Websites can't reliably pin certs; HPKP is deprecated/obsolete
  Native App: Apps can implement stricter trust evaluation and pinning controls

NFC / ePassport Reading
  Mobile Web: Limited; Safari on iOS has no support, and Web NFC can't do low-level operations
  Native App: Full ISO 7816 APDU exchange via Core NFC (iOS) and NFC frameworks (Android)

Digital ID / Wallet
  Mobile Web: Improving; W3C Digital Credentials API in Safari/WebKit
  Native App: Strong; native integration with Verify with Wallet and platform mechanisms

UI Security / Anti-Overlay
  Mobile Web: Harder to guarantee; browser UI is shared with other contexts
  Native App: Lock down screens, use OS secure prompts, reduce UI spoofing

Five Reasons Native App Delivers Stronger Security

1. Provable Client Integrity

iOS App Attest validates requests from genuine app instances. Android Play Integrity confirms genuine app + certified device and detects tampering. Web portals lack equivalent standardized client integrity proof.

2. Stronger Device Binding

Apps store enrollment control keys in Secure Enclave/TEE-backed storage and sign DPoP proofs with hardware-protected keys. In mobile web, DPoP keys are browser-managed without guaranteed hardware backing.

3. Superior NFC/ePassport IDV

Native apps access Core NFC with full ISO 7816 APDU exchange for passport chip reading. Web NFC is limited and unsupported on iOS Safari, making highest-assurance IDV asymmetric across platforms.

4. Channel Hardening Options

Apps implement stricter server trust evaluation and certificate pinning via Android Network Security Config and iOS manual trust evaluation. Web apps can't rely on in-app pinning—HPKP is deprecated.

5. Reliable Secure UX

Native apps protect recovery UX from replication or overlay attacks, anchoring sensitive actions behind OS-controlled biometric prompts. Web portals can mitigate risks but cannot fully control the browsing environment.

Practical Positioning

Native app: primary path when you need the strongest guarantees.
Mobile web: valuable fallback when app install is impossible, relying more on strong IDV and WebAuthn.

Need Maximum Security?

For environments requiring the highest security guarantees, explore our native mobile app recovery solution with full hardware attestation and Secure Enclave integration.

Explore Mobile-First Recovery

Enable Secure Self-Service Recovery

Deploy high-assurance credential recovery through any mobile browser. No app installation required—just enterprise-grade security.