Understanding the Need for PIN Sync in Passkey Functionality

To support Passkeys effectively, PIN Synchronization must be enabled. This ensures that when the FIDO2 flow triggers a User Verification prompt, the mobile app can validate the user's PIN locally and securely, allowing the cryptographic handshake to proceed to the next stage where server communication begins.


Why PIN Synchronization is Required for Passkeys

Core Architecture Constraint: The "Pre-Context" Verification Barrier

The fundamental reason PIN Synchronization (Offline Sync) is required for Passkeys is the sequence of the FIDO2/WebAuthn handshake. In a standard flow (MakeCredential or GetAssertion), User Verification must occur before the device can select a specific credential or establish a session context with the Veridium server.

Key Technical Points:

  1. Offline Validation Necessity: During the Passkey process, the mobile device must verify the user (via Biometrics or PIN) locally on the handset. Because this happens before the app knows which specific Veridium profile or server environment the request belongs to, it cannot "ask" the server to validate a PIN. Therefore, the PIN validation must be performed offline using the synchronized hash stored in the device's Secure Enclave/TEE.

  2. The "Relying Party" Problem: Verification occurs at the "Relying Party" level (the device/browser interaction) before a signed assertion is released. Without PIN Sync, if a user chooses PIN as their verification method, the device has no local reference against which to confirm whether the PIN is correct, so the process fails before it ever reaches the Veridium infrastructure.

  3. Mandatory Policy Enforcement: To ensure a passkey is "phishing-resistant" and secure, the server policy typically mandates User Verification. For this to work reliably across all scenarios (including those with poor connectivity or specific hardware requirements), the system must enforce either Biometrics or PIN with Sync.
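The three points above can be seen together in a small model. This is an added example, not Veridium's code: the PBKDF2 verifier format, the retry limit, the class and function names, and the `login.example` RP ID are all assumptions, and only the authenticator data is modelled (the assertion signature is out of scope).

```python
import hashlib, hmac, struct

UP, UV = 0x01, 0x04   # WebAuthn authenticator-data flag bits (user present / user verified)
MAX_RETRIES = 3       # assumed local lockout threshold

def make_verifier(pin, salt, iterations=100_000):
    """Assumed format of the synchronized PIN hash: salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)

class LocalAuthenticator:
    """Hypothetical device-side model; `synced` is (salt, verifier) or None if PIN Sync is off."""
    def __init__(self, synced=None):
        self.synced = synced
        self.failures = 0

    def verify_pin_offline(self, pin):
        # No synced verifier means no local reference; too many failures means locked out.
        if self.synced is None or self.failures >= MAX_RETRIES:
            return False
        salt, verifier = self.synced
        ok = hmac.compare_digest(make_verifier(pin, salt), verifier)  # constant-time compare
        self.failures = 0 if ok else self.failures + 1
        return ok

    def get_assertion_authdata(self, rp_id, pin):
        """User Verification runs first; authenticator data exists only if it succeeds."""
        if not self.verify_pin_offline(pin):
            return None
        rp_hash = hashlib.sha256(rp_id.encode()).digest()
        return rp_hash + bytes([UP | UV]) + struct.pack(">I", 1)  # rpIdHash | flags | signCount

def server_accepts(authdata, rp_id):
    """Server policy that mandates User Verification: rpIdHash must match and UV must be set."""
    if authdata is None or len(authdata) != 37:
        return False
    expected = hashlib.sha256(rp_id.encode()).digest()
    return hmac.compare_digest(authdata[:32], expected) and bool(authdata[32] & UV)

def demo():
    salt = bytes(16)  # constructed sample salt; a real one would be random
    synced = (salt, make_verifier("4821", salt))  # constructed sample PIN
    with_sync = LocalAuthenticator(synced).get_assertion_authdata("login.example", "4821")
    no_sync = LocalAuthenticator(None).get_assertion_authdata("login.example", "4821")
    return server_accepts(with_sync, "login.example"), server_accepts(no_sync, "login.example")

if __name__ == "__main__":
    print(demo())
```
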
