DAST

WebAuthn passkeys in recorded logins

• Last updated: April 7, 2026

• Read time: 2 Minutes

You can configure a recorded login to authenticate using WebAuthn. This includes passkeys, biometrics such as fingerprint or facial recognition, device PINs such as Windows Hello, and hardware security keys such as YubiKey.

Support is limited to applications that implement the WebAuthn standard. Non-standard implementations or flows tied to specific hardware may not be supported.

If your login uses a passkey, you must capture it using the Login Recorder for Burp Suite extension before recording your login sequence. Existing passkeys in your application or identity provider cannot be used unless they were captured and exported using the extension.

To capture a passkey, do one of the following:

• Capture a new passkey using the Login Recorder for Burp Suite extension.
• Import a passkey that was previously captured and exported from the extension.

Capturing a new passkey

Use this option if you don't already have a passkey captured using the Login Recorder for Burp Suite extension.

1. Open the Login Recorder for Burp Suite extension.
2. Enable the My login uses a passkey toggle.
3. Click Add passkey.
4. Click Capture new passkey. This enables passkey capture in your browser.
5. Go to your application or identity provider and create a new passkey. The extension captures it automatically.
6. Return to the extension and click Stop capturing.

You can now record your login sequence using this passkey. For more information, see Recording login sequences.

Importing a passkey

Use this option if you've previously captured and exported a passkey using the Login Recorder for Burp Suite extension.

1. Open the Login Recorder for Burp Suite extension.
2. Enable the My login uses a passkey toggle.
3. Click Add passkey.
4. Click Import passkey.
5. Upload the passkey file.

You can now record your login sequence using this passkey. For more information, see Recording login sequences.