
Meta Engineers Introduce Display-Free Passkey Authentication for XR Devices

Published: 2026-02-05 Category: Spatial XR News


Synopsis

  • Meta has developed a cross-device passkey authentication method for XR hardware that does not rely on on-device displays or QR codes.
  • The approach adapts existing WebAuthn and FIDO hybrid standards using a trusted companion app.
  • The implementation is now live on Meta Quest devices and is designed to extend secure, passwordless login to XR and screenless devices.


Passkeys have emerged as a critical step forward in secure authentication, replacing traditional passwords with phishing-resistant, cryptographic credentials. Yet the standard cross-device passkey experience assumes one essential element: a visible screen. When users authenticate on a desktop or laptop, the process typically involves scanning a QR code with a nearby phone to confirm identity. That assumption breaks down for a growing class of devices, including XR headsets, wearables, and other hardware where displays are inaccessible or absent altogether.

In a recent report published by Engineering at Meta, Meta engineers describe a new method that enables secure, cross-device passkey authentication without requiring any on-device visual interface. The work addresses a long-standing gap in the WebAuthn ecosystem and opens a path for passwordless authentication across XR platforms, smart devices, and industrial hardware.

The challenge is structural. Traditional cross-device authentication relies on two mechanisms working together: a QR code to bootstrap trust between devices, and local proximity signals such as Bluetooth or NFC to confirm physical presence. For devices without usable displays, the QR code step becomes impossible. At the same time, relying solely on proximity can create ambiguity for users, who need clear confirmation that they are approving the correct login request on the intended device.

Meta’s solution reframes the problem by shifting the initiation step away from the device itself and into a trusted companion application. Rather than encoding authentication data into a QR code, the XR device generates the same information as a structured FIDO URL, the standard transport format defined for hybrid WebAuthn flows. This payload includes a fresh elliptic-curve Diffie–Hellman public key, a session-specific secret, and routing information required later in the handshake.

Instead of displaying this payload, the XR device securely transmits it to the user’s phone via an authenticated push channel associated with the same account. On Meta Quest devices, this role is handled by the Meta Horizon mobile app. When a login attempt is initiated on the headset, the browser packages the FIDO URL into structured data and delivers it through a GraphQL-based push notification system.

The companion app receives the request only if it is signed in under the same user account as the headset, ensuring deterministic routing and preventing cross-user leakage. Once delivered, the platform surfaces the request as a standard operating-system notification on iOS or Android. Tapping the notification opens the companion app, which immediately launches the FIDO URL and invokes the operating system’s native passkey interface.

For users who have notifications disabled, the system provides a fallback. Opening the companion app directly triggers a backend check for any pending authentication requests linked to the account. If a valid request exists (requests expire automatically after five minutes), the app initiates the same passkey flow without requiring user reconfiguration.
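
The account-bound routing and five-minute expiry described above can be sketched as a small backend store. This is an added example, not Meta's code: `PendingRequestBroker`, its method names, the `FIDO:/` prefix check and the single-use claim are assumptions made for illustration, and the FIDO URL is treated as an opaque string.

```python
import secrets
import time
from dataclasses import dataclass

REQUEST_TTL_SECONDS = 5 * 60  # the article states requests expire after five minutes


@dataclass
class PendingRequest:
    request_id: str
    account_id: str
    fido_url: str      # opaque hybrid payload produced by the headset
    created_at: float


class PendingRequestBroker:
    """Hypothetical backend store for headset-initiated passkey requests."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._by_account = {}  # account_id -> newest PendingRequest

    def submit(self, headset_account_id, fido_url):
        """Headset side: register a login attempt under its signed-in account."""
        if not fido_url.startswith("FIDO:/"):
            raise ValueError("not a FIDO hybrid URL")
        req = PendingRequest(secrets.token_urlsafe(16), headset_account_id,
                             fido_url, self._clock())
        self._by_account[headset_account_id] = req  # a newer attempt replaces an older one
        return req.request_id

    def claim(self, app_account_id):
        """Companion app side: called on notification tap or on app open (fallback).

        Returns the FIDO URL only to the same account, only inside the TTL,
        and only once (single use is an assumption of this sketch).
        """
        req = self._by_account.pop(app_account_id, None)  # removed even if stale
        if req is None:
            return None
        if self._clock() - req.created_at >= REQUEST_TTL_SECONDS:
            return None  # expired: the headset must start a new attempt
        return req.fido_url
```

Keying the lookup on the companion app's own authenticated account, never on an identifier supplied in the request, is what keeps one user's login attempt from surfacing on another user's phone.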

From that point forward, the process aligns closely with established WebAuthn behavior. The mobile device begins the hybrid transport sequence by advertising over Bluetooth Low Energy, establishing an encrypted tunnel, and handling user verification. The XR device generates the WebAuthn challenge locally and waits for the response. Once the user approves the request on their phone, the mobile authenticator produces the appropriate assertion or attestation response using the passkey stored on the device.

That response is transmitted back to the XR headset over the secure channel. The headset then forwards the result to the relying party server, completing the authentication flow in the same manner as a device equipped with a traditional display.

According to the Meta engineering team, the key distinction lies in how user intent is confirmed. In this model, both the system notification and the act of opening the companion app function as consent surfaces, replacing the visual confirmation typically provided by a QR code. The approach preserves proximity guarantees while maintaining compliance with existing FIDO and WebAuthn trust requirements.

The implementation is already broadly available on Meta Quest headsets running Meta Horizon OS. Meta engineers note that the design is not limited to XR hardware and could be extended to other classes of screenless or hard-to-access devices, including consumer electronics, IoT platforms, and industrial systems.

The company positions the work as an extension of ongoing collaboration with the FIDO Alliance and mobile operating system providers. By building directly on established standards rather than introducing proprietary authentication logic, the approach aims to remain interoperable while addressing real-world usability constraints.

As XR devices continue to evolve beyond experimental use cases and into everyday workflows, authentication becomes a foundational concern. This display-free passkey model illustrates how established security frameworks can be adapted to emerging hardware realities, without compromising either user trust or cryptographic rigor.

Source: Engineering at Meta


About Meta

Meta is a global technology company focused on building platforms and products that enable people to connect, share, and interact through digital experiences. Its portfolio spans social platforms, messaging services, virtual and augmented reality hardware, and software ecosystems designed to support immersive computing. Through Meta Quest and Meta Horizon OS, the company is advancing consumer and enterprise XR by integrating hardware, operating systems, and developer tools into a unified platform. Meta is also an active contributor to open standards and industry collaborations, including work with the FIDO Alliance to improve authentication security across devices. Through its Engineering at Meta publications, the company regularly shares technical insights into large-scale systems, security architecture, privacy engineering, and the infrastructure that underpins its products.

