Improving the Login Experience and Reducing Cost: The Complete Guide to Passkeys Integration at Halodoc

Passkey Jun 28, 2024

In today's digital era, security is more crucial than ever. With cyber threats constantly evolving, it's essential to protect our users' data. Data breaches can lead to financial losses, damage a company's reputation, and a loss of user trust. At Halodoc, we understand the importance of balancing user experience with stringent security standards. Keeping our users safe and their data secure is key to retaining their loyalty and satisfaction. To achieve this goal with utmost dedication and innovation, we are choosing Passkeys.

This innovative solution not only enhances security and improves the login process but also reduces costs associated with traditional OTP-based authentication methods. Join us as we explore the benefits and implementation of Passkeys integration and its transformative impact on Halodoc.

What are Passkeys?

Passkeys are a secure and user-friendly way to authenticate users without relying on traditional passwords. When a user registers for a service with a Passkeys, a pair of cryptographic keys is generated: a public key and a private key. The public key is sent to the server and stored, while the private key remains securely on the user's device.

Passkeys are intricately linked to both a user's account and the corresponding website or application. They offer a more secure and convenient option compared to passwords or OTPs. Users can access apps and websites using a biometric sensor (like fingerprint or Face ID), PIN, or pattern, eliminating the need to memorize and handle passwords.

Benefits of Passkeys

1.  Enhanced Security

Passkeys use public key cryptography to secure the authentication process, storing a public key on the server while keeping the private key securely on the user's device. This setup makes it difficult for hackers to access user accounts through data breaches.

2.  User Convenience

Passkeys are designed for simplicity and convenience. User can authenticate using biometric (like fingerprint or Face ID), or device-specific PINs, eliminating the need to remember complex passwords or worry about reusing passwords across different sites.

3.  Phishing Resistance

Since Passkeys are tied to the user's device and can't be shared, they are inherently resistant to phishing attacks. Unlike passwords, which can be stolen or intercepted, Passkeys ensure that users are authenticating only on the intended website or app.

4.  Reducing Cost

Implementing Passkeys as an alternative to OTP (one-time password) systems can lead to significant cost reductions for companies. Unlike OTPs, which often incur expenses associated with SMS delivery. Passkeys leverage cryptographic keys stored securely on users' devices. This eliminates the need for costly OTP delivery methods, thereby reducing operational expenses.

With a clear understanding of the advantages offered by passkeys, we're now prepared to dive into the integration process. These guides will walk you through each platform integration, ensuring a smooth and seamless implementation of Passkeys authentication into your system.

Passkeys Integration

Passkeys have three important functionalities that are essential for robust security and user convenience:

  • Register
  • Authentication
  • Revoke

Let's dive into each part!


The Passkeys registration flow is the initial step where user creates a Passkeys for their account. This process involves generating a cryptographic key pair, with the public key being stored on the server and the private key securely kept on the user's device. The overall registration flow is as follows:

  • Request Challenge: Client requests a challenge from the backend, which creates the challenge and sends the response back to the client.
  • Registration Request: After receiving the challenge from the backend, the client passes it to the Passkeys Library to invoke the registration prompt.
  • User Authentication: After the user performs a biometric scan or inputs their device PIN, a passkeys is created and the public key is sent back to the client.
  • Passkeys Registration: Client will pass the passkeys information to the backend to complete the registration process.


Next, we'll delve into the Passkeys authentication flow, which is the center of this blog. The overall authentication flow is as follows:

  • Request Challenge: Client requests a challenge from the backend, which creates the challenge and sends the response back to the client.
  • Assertion Request: After receiving the challenge from the backend, the client passes it to the Passkeys Library to invoke the login prompt.
  • User Authentication: After the user performs a biometric scan or inputs their device PIN, the Passkeys Library sends the signature and passkey information back to the client.
  • Login: Client will pass the passkeys information to the backend, which then verifies its signature and passkey information to proceed the user to login into the application.


Now, moving on to the final flow, revoking. This is a special case scenario, often necessary to comply with certain regulations or to provide users with added flexibility. It's worth noting that deleting a passkey, in the sense of revoking it, isn't supported by the library (Android and iOS). However, that doesn't mean we're out of options. There are workarounds available that you can put into practice.

The concept behind authenticating/login via passkeys is to enable your server or backend to validate the authenticity of the user. Bearing this in mind, we can opt to remove the instance from our server instead. This action ensures that the next time our user attempts to log in with the same passkey, they will be unable to do so, effectively revoking their access to the passkey.

However, since this action only removes the passkeys on the server side, the passkeys stored on the user's device remain intact. As there is no method for removing these programmatically, we need to advise our users on how to delete them manually. For Android users, they can access their device settings or use a browser to open the Google account and password manager, where they can remove passkeys. Meanwhile, for iOS users they can navigate to their device settings, select "Passwords," and delete the passkeys from there.

For detailed processes on how to integrate these functionalities, check out these blogs.

1.  Android

Improving the Login Experience and Reducing Cost: Passkey Integration in Android Apps
In this blog post, we explore our latest endeavour the integration of Passkey authentication into our Android apps

2. iOS

Improving the Login Experience and Reducing Cost: Passkeys Integration in iOS Apps
This blog walks you through improving the Login Experience and Reducing Cost by Passkeys Integration in iOS Apps

3. Backend

Passwordless Authentication Using Passkey
Discover the future of authentication with Passkey! Learn how passwordless authentication can revolutionize security measures and streamline user experiences. Dive into the benefits, implementation strategies, and more on our insightful blog.

OTP Cost Reduction

The adoption of passkeys has resulted in substantial savings on OTP costs. Since introducing the Passkeys feature approximately two months ago, we have reduced OTP expenses by around $600. These savings are expected to grow as more users embrace passkeys and upgrade to the latest version of our App. Looking ahead, with wider passkeys adoption, we anticipate even more significant cost reductions as reliance on OTP-based logins diminishes.


In conclusion, integrating passkeys into our application is a game-changer for both security and user convenience. By streamlining the registration and authentication processes, passkeys provide a robust solution that significantly reduces the risks associated with traditional passwords. This modern authentication method not only simplifies user login experiences but also fosters greater trust and satisfaction among our users. Embracing passkeys means we’re at the forefront of delivering secure and user-friendly applications, setting the stage for a safer and more efficient digital world.

Join us

Scalability, reliability, and maintainability are the three pillars that govern what we build at Halodoc Tech. We are actively looking for engineers at all levels, and if solving hard problems with challenging requirements is your forte, please reach out to us with your resume at

About Halodoc

Halodoc is the number 1 Healthcare application in Indonesia. Our mission is to simplify and bring quality healthcare across Indonesia, from Sabang to Merauke. We connect 20,000+ doctors with patients in need through our Tele-consultation service. We partner with 3500+ pharmacies in 100+ cities to bring medicine to your doorstep. We've also partnered with Indonesia's largest lab provider to provide lab home services, and to top it off we have recently launched a premium appointment service that partners with 500+ hospitals that allow patients to book a doctor appointment inside our application. We are extremely fortunate to be trusted by our investors, such as the Bill & Melinda Gates Foundation, Singtel, UOB Ventures, Allianz, GoJek, Astra, Temasek, and many more. We recently closed our Series D round and in total have raised around USD$100+ million for our mission. Our team works tirelessly to make sure that we create the best healthcare solution personalized for all of our patient's needs, and are continuously on a path to simplify healthcare for Indonesia.

Kevin Josal

Software Development Engineer iOS