Passkeys: The Future of Passwordless Authentication
Welcome to the comprehensive guide on Passkeys, the revolutionary technology designed to usher in a passwordless future. As an aspiring developer, understanding passkeys is crucial for building secure, user-friendly applications in the modern web and mobile landscape. This document will take you from the fundamental concepts of passkeys to advanced implementation techniques, providing clear explanations, practical code examples, and engaging exercises to solidify your learning.
1. Introduction to Passkeys
What are Passkeys?
Passkeys are a new, more secure, and user-friendly way to sign into websites and applications, designed to replace traditional passwords. They leverage public-key cryptography, a fundamental concept in modern security, to provide a phishing-resistant and more convenient authentication experience.
Instead of a password, a passkey is a digital credential that allows you to log in using a method familiar to you, such as your fingerprint, face scan (biometrics), or a device PIN/pattern. This means you no longer need to remember complex passwords or deal with the frustration of forgotten credentials.
Passkeys are built upon open industry standards developed by the FIDO Alliance, primarily WebAuthn (Web Authentication API) and FIDO2. These standards ensure interoperability across different operating systems, browsers, and devices, making passkeys a truly universal solution for authentication.
Why Learn Passkeys? (Benefits, Use Cases, Industry Relevance)
The adoption of passkeys is rapidly growing, driven by major tech companies like Apple, Google, and Microsoft. Here’s why they are becoming the new de facto standard for secure authentication and why you, as a developer, should learn them:
- Enhanced Security:
- Phishing Resistance: Passkeys are inherently resistant to phishing attacks. Unlike passwords that can be stolen through fake login pages, a passkey is cryptographically bound to the specific website or application it was created for. This means it will only work on the legitimate domain, preventing attackers from tricking users into revealing their credentials on fraudulent sites.
- No Shared Secrets: With passwords, both the user and the service store a secret (the password or its hash). This shared secret can be compromised. Passkeys use public-key cryptography, where the user holds a private key and the service holds a public key. The private key never leaves the user’s device, significantly reducing the attack surface.
- Stronger than OTPs: While One-Time Passwords (OTPs) offer an improvement over single-factor passwords, they are still vulnerable to SIM-swapping, phishing, and social engineering attacks. Passkeys are phishing-resistant and operate locally on the device, eliminating network-dependent vulnerabilities.
- Improved User Experience:
- Passwordless Login: Users no longer need to remember, type, or reset complex passwords. Authentication is done with a quick biometric scan (fingerprint, face ID) or device PIN.
- Faster Sign-ins: Logging in with a passkey is significantly faster than typing a password and waiting for an OTP. Google reported that people signing in with passkeys are four times more successful at getting into their accounts than those using passwords.
- Seamless Across Devices: Syncable passkeys allow users to access their accounts across multiple devices (e.g., iPhone, Android, Mac, Windows) using the same credential, often through cloud-backed services like iCloud Keychain or Google Password Manager.
- Industry Relevance and Adoption:
- Major platforms (iOS 26, Android 16, macOS Sequoia 15.4+, Windows 11 22H2+, Chrome, Safari, Edge, Firefox) have robust passkey support and are continuously enhancing their features, including secure import/export, account creation APIs, and lifecycle management.
- Regulators and cybersecurity agencies (like CISA and NIST) are actively discouraging SMS-based OTPs and promoting phishing-resistant MFA solutions like passkeys.
- Businesses are observing significant positive outcomes, including reduced authentication failures (30% or more), cut credential-related support calls (70%), and faster login times (30%).
- A 2025 FIDO Alliance survey found that 69% of people surveyed have at least one passkey, demonstrating growing user adoption.
A Brief History (Optional, keep it concise)
The concept of passkeys has its roots in the FIDO (Fast IDentity Online) Alliance, an industry association focused on creating open authentication standards.
- FIDO UAF and FIDO U2F (2014-2015): Early specifications that aimed to simplify and secure authentication using cryptography.
- FIDO2 (2018): A suite of specifications that include the Client to Authenticator Protocol (CTAP) and the Web Authentication API (WebAuthn). WebAuthn was standardized by the W3C (World Wide Web Consortium) and allowed web applications to integrate FIDO authentication. This laid the groundwork for what we now call passkeys.
- Passkeys (2022 onwards): The term “passkey” gained prominence as Apple, Google, and Microsoft committed to expanding support for the FIDO standard across their platforms. Passkeys are essentially FIDO2 credentials that are typically synced across a user’s devices via cloud services (like iCloud Keychain, Google Password Manager, or third-party password managers), offering improved convenience and recovery compared to earlier, often device-bound FIDO credentials. The focus shifted to making these credentials not just secure, but also highly usable and portable. Recent updates in iOS 26 and Android 16 further enhance their capabilities, addressing crucial aspects like account recovery and enterprise control.
Setting Up Your Development Environment
To begin working with passkeys, you’ll primarily need:
- A modern web browser: Chrome, Safari, Edge, or Firefox, as they all support the WebAuthn API. Ensure your browser is up-to-date.
- A development environment for your chosen backend language: Node.js, Python, Ruby, Java, etc. (we’ll focus on conceptual examples, but you’ll need a server to handle registration and authentication).
- A local web server (HTTPS enabled): WebAuthn requires a secure context (HTTPS) for security reasons. You can use tools like
ngrokfor local development if you need to expose your local server over HTTPS for testing on mobile devices. - A mobile device (optional but recommended): An up-to-date iOS or Android device to test the passkey experience, especially cross-device authentication and platform authenticator flows.
- FIDO2-compatible authenticators (optional): Hardware security keys (like YubiKeys or Google Titan Keys) can be used to test device-bound passkeys.
Example for a Node.js environment setup:
# 1. Initialize a new Node.js project
mkdir passkey-tutorial
cd passkey-tutorial
npm init -y
# 2. Install necessary libraries
# 'express' for creating a web server
# '@simplewebauthn/server' for WebAuthn server-side logic
# '@simplewebauthn/browser' for WebAuthn client-side logic
npm install express @simplewebauthn/server @simplewebauthn/browser
# 3. Create a basic server.js file
touch server.js
Content for server.js (initial structure):
// server.js
const express = require('express');
const https = require('https'); // Required for HTTPS
const fs = require('fs'); // For reading SSL certificates
const app = express();
const port = 3000;
// Middleware to parse JSON bodies
app.use(express.json());
// Serve static files (e.g., your HTML, CSS, JavaScript)
app.use(express.static('public'));
// Basic route
app.get('/', (req, res) => {
res.sendFile(__dirname + '/public/index.html');
});
// For local development with HTTPS, you'd typically need self-signed certificates.
// This is for demonstration and local testing only. For production, use proper certificates.
const options = {
key: fs.readFileSync('ssl/server.key'),
cert: fs.readFileSync('ssl/server.crt')
};
// Create a directory for SSL certificates and generate dummy ones (Linux/macOS)
// mkdir ssl
// openssl genrsa -out ssl/server.key 2048
// openssl req -new -x509 -sha256 -key ssl/server.key -out ssl/server.crt -days 3650 -nodes
// Start the HTTPS server
https.createServer(options, app).listen(port, () => {
console.log(`HTTPS server running on https://localhost:${port}`);
});
// Or for simple HTTP (not recommended for WebAuthn in production)
// app.listen(port, () => {
// console.log(`HTTP server running on http://localhost:${port}`);
// });
2. Core Concepts and Fundamentals
Passkeys operate on the principles of public-key cryptography and are facilitated by the WebAuthn API. Let’s break down these fundamental building blocks.
2.1 Public-Key Cryptography (Asymmetric Cryptography)
Public-key cryptography is the bedrock of passkeys. It involves a pair of mathematically linked keys: a public key and a private key.
- Private Key: This key is kept secret and is stored securely on the user’s device (e.g., within a secure enclave, a trusted platform module, or a password manager). It is used to “sign” data.
- Public Key: This key is shared publicly, typically with the online service (relying party) the user wants to authenticate with. It is used to “verify” the signature created by the private key.
How it works (conceptual):
Key Generation (Initial Registration):
- When a user registers for an account with a passkey, their device (authenticator) generates a unique public-private key pair specifically for that online service (relying party).
- The private key is securely stored on the user’s device. It never leaves the device.
- The public key is sent to the online service and stored in association with the user’s account.
Detailed Key Generation Steps (Conceptual Code):
// This is a highly simplified, conceptual representation. // Real WebAuthn APIs handle the actual cryptographic operations internally. class AuthenticatorDevice { generateKeyPairForService(serviceDomain) { console.log(`Generating a new key pair for ${serviceDomain}...`); // Step 1: Request from the OS/Secure Enclave to generate a key pair // The operating system's secure component handles the actual generation // This ensures the private key is generated and stored securely and never exposed. const rawPrivateKey = generateSecureRandomBytes(256); // Imagine this is a highly secure, hardware-backed process const rawPublicKey = derivePublicKey(rawPrivateKey); // Mathematically derived from the private key // Step 2: Store the private key securely on the device // This storage is protected by biometrics (fingerprint/face) or device PIN/pattern this.secureStorage.storePrivateKey(serviceDomain, rawPrivateKey); console.log(`Private key securely stored on device for ${serviceDomain}`); // Step 3: Return the public key (and a credential ID) to the application // This public key will be sent to the relying party (server). console.log(`Public key generated: ${rawPublicKey.substring(0, 30)}...`); return { publicKey: rawPublicKey, credentialId: generateUniqueId() // A unique identifier for this specific passkey }; } signChallenge(serviceDomain, challenge) { // Step 1: User authentication (biometric/PIN) to unlock private key usage if (!this.authenticateUser()) { throw new Error("User authentication failed."); } // Step 2: Retrieve the private key from secure storage const privateKey = this.secureStorage.retrievePrivateKey(serviceDomain); // Step 3: Use the private key to sign the server's challenge const signature = signData(challenge, privateKey); console.log(`Challenge signed with private key: ${signature.substring(0, 30)}...`); return signature; } authenticateUser() { // This would trigger a system prompt for Face ID, Touch ID, or PIN console.log("Prompting user for biometric authentication or PIN..."); // Simulate successful authentication return true; } // Dummy helper functions for illustration secureStorage = { _keys: {}, storePrivateKey: function(domain, key) { this._keys[domain] = key; }, retrievePrivateKey: function(domain) { return this._keys[domain]; } }; } function generateSecureRandomBytes(length) { return 'privateKeyBytes' + Math.random().toString(36).substring(7); } function derivePublicKey(privateKey) { return 'publicKeyBytes' + privateKey.split('Bytes')[1]; } function generateUniqueId() { return 'credentialId-' + Date.now(); } function signData(data, privateKey) { return `signature_of_${data}_with_${privateKey.substring(0, 10)}`; } // --- Usage Example (Conceptual) --- const myDevice = new AuthenticatorDevice(); const service = "mysecureapp.com"; // Imagine user is registering for an account const { publicKey, credentialId } = myDevice.generateKeyPairForService(service); console.log(`Registration successful. Send public key (${publicKey.substring(0, 30)}...) and credential ID (${credentialId}) to ${service} server.`); // Imagine user is logging in later const serverChallenge = "random_challenge_from_server_12345"; console.log(`\nServer sends challenge: ${serverChallenge}`); try { const userSignature = myDevice.signChallenge(service, serverChallenge); console.log(`Authentication successful. Send signature (${userSignature.substring(0, 30)}...) to ${service} server.`); } catch (error) { console.error(error.message); }Authentication (Login):
- When the user attempts to log in, the online service sends a “challenge” (a random piece of data) to the user’s device.
- The user’s device, after authenticating the user (e.g., via fingerprint), uses its private key to cryptographically “sign” this challenge.
- The signed challenge (signature) is sent back to the online service.
- The online service uses the stored public key associated with the user’s account to verify the signature. If the signature is valid, it proves that the user is in possession of the correct private key, and thus, authenticates the user.
2.2 WebAuthn (Web Authentication API)
WebAuthn is the API that enables web applications to integrate FIDO2 authentication. It allows browsers to interact with authenticators (like your phone’s biometrics or a security key) to create and use passkeys.
Key components of WebAuthn:
- Relying Party (RP): This is the online service (your website or application) that wants to authenticate users using passkeys. The RP has both a client-side (frontend) and a server-side (backend) component.
- Authenticator: The device or software that creates and stores passkeys and performs the cryptographic operations. Examples include:
- Platform Authenticators: Built into the device itself (e.g., Face ID/Touch ID on iOS/macOS, Windows Hello, Android’s biometric unlock). These often provide “syncable passkeys” that can be backed up and synchronized across the user’s devices through a platform’s cloud service (like iCloud Keychain or Google Password Manager).
- Roaming Authenticators (Hardware Security Keys): External devices (e.g., YubiKey) that connect via USB, NFC, or Bluetooth. These are typically “device-bound passkeys,” meaning they are stored only on that physical key.
- User Agent (Browser): The web browser acts as an intermediary, exposing the WebAuthn API to the relying party’s JavaScript and communicating with the authenticator.
WebAuthn Workflow (High-Level):
Registration (Creating a Passkey):
- The RP server generates a unique challenge and sends it to the RP client (browser).
- The RP client (JavaScript) calls the WebAuthn API (
navigator.credentials.create()), passing the challenge and other details (user info, RP ID). - The browser prompts the user to verify their identity (biometric or PIN).
- The authenticator generates a new public-private key pair, stores the private key, and sends the public key (along with a credential ID and attestation information) back to the browser.
- The browser relays this public key credential to the RP client, which then sends it to the RP server.
- The RP server verifies the public key credential and stores the public key and credential ID in its database, associated with the user’s account.
Authentication (Using a Passkey):
- The RP server generates a new challenge and sends it to the RP client.
- The RP client (JavaScript) calls the WebAuthn API (
navigator.credentials.get()), passing the challenge and RP ID. - The browser prompts the user to verify their identity.
- The authenticator uses the stored private key to sign the challenge and sends the signed challenge (assertion) back to the browser.
- The browser relays this assertion to the RP client, which sends it to the RP server.
- The RP server retrieves the user’s stored public key using the credential ID from the assertion, verifies the signature against the public key, and logs the user in if valid.
2.3 Passkey Properties
- Phishing-Resistant: As discussed, passkeys are cryptographically bound to the domain, making them immune to phishing where users might accidentally enter credentials on a fake site.
- Cryptographic Credential: A passkey is not a password or a secret that can be guessed or reused. It’s a pair of cryptographic keys.
- Device-Bound vs. Syncable:
- Device-bound passkeys (often from hardware security keys) are stored on a single physical device and are not automatically synchronized. If you lose the device, you lose the passkey.
- Syncable passkeys (often from platform authenticators like Face ID/Touch ID/Windows Hello) are backed up and synchronized across devices belonging to the same user account via cloud services (e.g., iCloud Keychain, Google Password Manager). This offers excellent convenience and recovery options.
- Discoverable Credentials (Resident Keys): These passkeys allow a user to log in without first entering a username. The authenticator can “discover” which passkeys it holds for a given relying party and present them to the user. This enables a truly passwordless, one-tap login experience.
- Non-Discoverable Credentials: These require the user to first provide a username (or email) so the relying party can identify which public key to request for verification.
Code Examples: WebAuthn Client-Side (Frontend)
Here, we’ll use @simplewebauthn/browser for the client-side WebAuthn interactions.
public/index.html:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Passkey Demo</title>
<link rel="stylesheet" href="style.css">
</head>
<body>
<div class="container">
<h1>Passkey Demo</h1>
<div id="auth-section">
<input type="email" id="emailInput" placeholder="Enter your email" required />
<button id="registerButton">Register with Passkey</button>
<button id="loginButton">Login with Passkey</button>
</div>
<p id="message"></p>
</div>
<script type="module" src="app.js"></script>
</body>
</html>
public/style.css:
body {
font-family: sans-serif;
display: flex;
justify-content: center;
align-items: center;
min-height: 100vh;
margin: 0;
background-color: #f4f7f6;
color: #333;
}
.container {
background-color: #ffffff;
padding: 30px 40px;
border-radius: 8px;
box-shadow: 0 4px 10px rgba(0, 0, 0, 0.1);
text-align: center;
width: 100%;
max-width: 400px;
}
h1 {
color: #007bff;
margin-bottom: 25px;
}
#auth-section {
display: flex;
flex-direction: column;
gap: 15px;
}
input[type="email"] {
padding: 12px;
border: 1px solid #ddd;
border-radius: 4px;
font-size: 16px;
}
button {
padding: 12px 20px;
background-color: #007bff;
color: white;
border: none;
border-radius: 4px;
font-size: 16px;
cursor: pointer;
transition: background-color 0.2s ease;
}
button:hover {
background-color: #0056b3;
}
button:disabled {
background-color: #cccccc;
cursor: not-allowed;
}
#message {
margin-top: 20px;
font-weight: bold;
color: #28a745;
}
#message.error {
color: #dc3545;
}
public/app.js (Client-side WebAuthn logic):
// public/app.js
import { startRegistration, startAuthentication } from '@simplewebauthn/browser';
const emailInput = document.getElementById('emailInput');
const registerButton = document.getElementById('registerButton');
const loginButton = document.getElementById('loginButton');
const messageElem = document.getElementById('message');
const displayMessage = (msg, isError = false) => {
messageElem.textContent = msg;
messageElem.className = isError ? 'error' : '';
};
registerButton.addEventListener('click', async () => {
const email = emailInput.value;
if (!email) {
displayMessage('Please enter your email.', true);
return;
}
displayMessage('Initiating registration...');
try {
// 1. Get registration options from the server
const resp = await fetch('/generate-registration-options', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({ email }),
});
const { options, userId } = await resp.json();
// 2. Start WebAuthn registration
const attResp = await startRegistration(options);
// 3. Send the credential to the server for verification and storage
await fetch('/verify-registration', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({ email, credential: attResp, userId }),
});
displayMessage('Passkey registered successfully! You can now log in.');
} catch (error) {
console.error('Registration failed:', error);
displayMessage(`Registration failed: ${error.message}`, true);
}
});
loginButton.addEventListener('click', async () => {
const email = emailInput.value;
// For discoverable credentials (preferred for login), email might not be strictly needed initially
// but often used to hint to the server which credentials to look for.
// We'll include it for a more robust example.
displayMessage('Initiating login...');
try {
// 1. Get authentication options from the server
const resp = await fetch('/generate-authentication-options', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({ email }), // Send email to hint the server
});
const { options } = await resp.json();
// 2. Start WebAuthn authentication
const asseResp = await startAuthentication(options);
// 3. Send the assertion to the server for verification
await fetch('/verify-authentication', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({ email, credential: asseResp }),
});
displayMessage('Login successful! Welcome back.');
} catch (error) {
console.error('Authentication failed:', error);
displayMessage(`Login failed: ${error.message}`, true);
}
});
Exercises/Mini-Challenges
- Understand Key Pair Concept: Explain in your own words the difference between a public key and a private key. Why is it critical that the private key never leaves the user’s device?
- WebAuthn Role: Describe the role of the browser (User Agent) in the WebAuthn flow for both registration and authentication.
- Security Benefits: How do passkeys fundamentally prevent phishing attacks that are common with traditional passwords?
3. Intermediate Topics
Now let’s delve deeper into the server-side implementation and important considerations like user management and cross-platform compatibility.
3.1 WebAuthn Server-Side (Backend)
The server-side component (Relying Party server) is responsible for:
- Generating challenges for both registration and authentication.
- Storing user information, including the user’s ID, username, and their public key credentials.
- Verifying the cryptographic signatures received from the client during both registration and authentication.
We’ll extend our server.js using @simplewebauthn/server.
server.js (Backend logic):
// server.js (continued and modified)
const express = require('express');
const https = require('https');
const fs = require('fs');
const {
generateRegistrationOptions,
verifyRegistrationResponse,
generateAuthenticationOptions,
verifyAuthenticationResponse,
} = require('@simplewebauthn/server');
const app = express();
const port = 3000;
// Middleware to parse JSON bodies
app.use(express.json());
// Serve static files
app.use(express.static('public'));
// --- In-memory User and Credential Storage (for demonstration purposes) ---
// In a real application, you would use a database.
const users = new Map(); // Stores user info: { email, id, currentChallenge }
const credentials = new Map(); // Stores user's public key credentials: Map<userId, Array<Credential>>
// Each credential: { id, publicKey, algorithm, transports }
const RP_NAME = 'Passkey Demo App'; // Your application's name
const RP_ID = 'localhost'; // Your domain (e.g., 'yourdomain.com'). For local testing, 'localhost' is fine.
const ORIGIN = `https://${RP_ID}:${port}`;
// Basic route
app.get('/', (req, res) => {
res.sendFile(__dirname + '/public/index.html');
});
// --- Passkey Registration Endpoints ---
// 1. Server generates registration options
app.post('/generate-registration-options', async (req, res) => {
const { email } = req.body;
if (!email) {
return res.status(400).json({ error: 'Email is required' });
}
let user = users.get(email);
if (!user) {
// New user
user = {
id: String(Date.now()), // Unique ID for the user
email,
currentChallenge: '', // Will store the challenge for the current operation
};
users.set(email, user);
credentials.set(user.id, []); // Initialize credentials array for new user
} else if (credentials.get(user.id).length > 0) {
// User already has a passkey registered. In a real app, you might want to prevent re-registration
// or offer an "add another passkey" flow. For this demo, we allow re-registration.
console.log(`User ${email} already has passkeys. Allowing new registration.`);
}
try {
const options = await generateRegistrationOptions({
rpName: RP_NAME,
rpID: RP_ID,
userID: user.id,
userName: email,
attestationType: 'none', // 'none' is generally recommended for consumer apps
authenticatorSelection: {
// Configure types of authenticators allowed
authenticatorAttachment: 'platform', // 'platform' (device built-in), 'cross-platform' (security key)
residentKey: 'required', // 'required' for discoverable credentials (passwordless flow)
userVerification: 'preferred', // 'preferred' or 'required'
},
excludeCredentials: credentials.get(user.id).map(cred => ({
id: cred.id,
type: 'public-key',
transports: cred.transports,
})),
timeout: 60000, // 60 seconds
});
// Store the challenge for verification later
user.currentChallenge = options.challenge;
users.set(email, user); // Update user with the new challenge
return res.json({ options, userId: user.id });
} catch (error) {
console.error('Error generating registration options:', error);
return res.status(500).json({ error: error.message });
}
});
// 2. Server verifies the registration response from the client
app.post('/verify-registration', async (req, res) => {
const { email, credential, userId } = req.body;
if (!email || !credential || !userId) {
return res.status(400).json({ error: 'Missing required fields' });
}
const user = users.get(email);
if (!user || user.id !== userId) {
return res.status(400).json({ error: 'User not found or ID mismatch' });
}
try {
const verification = await verifyRegistrationResponse({
response: credential,
expectedChallenge: user.currentChallenge,
expectedOrigin: ORIGIN,
expectedRPID: RP_ID,
requireUserVerification: false, // Set to true if 'userVerification: required' was set in options
});
const { verified, registrationInfo } = verification;
if (verified && registrationInfo) {
const {
credentialPublicKey,
credentialID,
counter,
authenticatorIs='s,
} = registrationInfo;
const newCredential = {
id: Buffer.from(credentialID).toString('base64url'), // Store as base64url string
publicKey: Buffer.from(credentialPublicKey).toString('base64url'),
algorithm: -7, // Always use -7 for ES256 (P-256 curve, SHA-256 hash)
counter: counter,
transports: credential.response.transports || ['unknown'], // Store transports
};
const userCredentials = credentials.get(user.id);
userCredentials.push(newCredential); // Add new passkey
credentials.set(user.id, userCredentials);
// Clear the current challenge after use
user.currentChallenge = '';
users.set(email, user);
console.log(`User ${email} successfully registered a new passkey.`);
return res.json({ message: 'Passkey registered successfully', verified });
} else {
return res.status(400).json({ error: 'Passkey registration failed verification' });
}
} catch (error) {
console.error('Error verifying registration:', error);
return res.status(500).json({ error: error.message });
}
});
// --- Passkey Authentication Endpoints ---
// 1. Server generates authentication options
app.post('/generate-authentication-options', async (req, res) => {
const { email } = req.body;
if (!email && users.size === 0) {
// If no email provided and no users exist, cannot proceed
return res.status(400).json({ error: 'No registered users and no email provided for authentication.' });
}
let user;
let userCredentials = [];
if (email) {
// If email is provided, try to find the user
user = users.get(email);
if (user) {
userCredentials = credentials.get(user.id) || [];
} else {
return res.status(404).json({ error: 'User with this email not found.' });
}
} else {
// For passwordless/discoverable login without email, we'd typically
// allow the authenticator to present any available credentials.
// For this demo, let's just pick the first user's credentials if no email is given,
// or ensure at least one user exists.
if (users.size > 0) {
user = users.values().next().value; // Get first user for demo
userCredentials = credentials.get(user.id) || [];
console.log(`Authenticating without email, using credentials of user: ${user.email}`);
} else {
return res.status(400).json({ error: 'No users registered to authenticate.' });
}
}
if (userCredentials.length === 0) {
return res.status(400).json({ error: `No passkeys registered for ${email || 'this user'}.` });
}
try {
const options = await generateAuthenticationOptions({
rpID: RP_ID,
// For passwordless/discoverable authentication, credential IDs are not strictly
// required initially. The authenticator can "discover" them.
// However, providing them helps guide the authenticator if specific
// passkeys are preferred or if it's a "known user" login flow.
allowCredentials: userCredentials.map(cred => ({
id: Buffer.from(cred.id, 'base64url'), // Convert back from base64url string
type: 'public-key',
transports: cred.transports,
})),
userVerification: 'preferred',
timeout: 60000,
});
// Store the challenge for verification later
user.currentChallenge = options.challenge;
users.set(user.email, user); // Update user with the new challenge
return res.json({ options });
} catch (error) {
console.error('Error generating authentication options:', error);
return res.status(500).json({ error: error.message });
}
});
// 2. Server verifies the authentication response from the client
app.post('/verify-authentication', async (req, res) => {
const { email, credential } = req.body;
if (!credential) {
return res.status(400).json({ error: 'Missing credential in request' });
}
// Determine the user based on the credential ID from the assertion or provided email
// For discoverable credentials, the authenticator's response will contain the credential ID.
// If no email is provided, we need to iterate through all users' credentials
// to find a matching credentialID.
let user = null;
let storedCredential = null;
if (email) {
user = users.get(email);
if (user) {
const userCredentials = credentials.get(user.id);
if (userCredentials) {
// Find the specific credential used for authentication
storedCredential = userCredentials.find(
(cred) => cred.id === Buffer.from(credential.rawId).toString('base64url')
);
}
}
} else {
// Iterate through all stored credentials to find a match for the rawId
for (const [userId, userCreds] of credentials.entries()) {
storedCredential = userCreds.find(
(cred) => cred.id === Buffer.from(credential.rawId).toString('base64url')
);
if (storedCredential) {
// If found, identify the user who owns this credential
for (const u of users.values()) {
if (u.id === userId) {
user = u;
break;
}
}
break;
}
}
}
if (!user || !storedCredential) {
return res.status(400).json({ error: 'Credential not found for user.' });
}
try {
const verification = await verifyAuthenticationResponse({
response: credential,
expectedChallenge: user.currentChallenge,
expectedOrigin: ORIGIN,
expectedRPID: RP_ID,
authenticator: {
credentialID: Buffer.from(storedCredential.id, 'base64url'),
credentialPublicKey: Buffer.from(storedCredential.publicKey, 'base64url'),
counter: storedCredential.counter,
transports: storedCredential.transports,
},
requireUserVerification: false,
});
const { verified, authenticationInfo } = verification;
if (verified && authenticationInfo) {
const { newCounter } = authenticationInfo;
// Update the counter for the used credential to prevent replay attacks
storedCredential.counter = newCounter;
// (In a real app, save this to your database)
// Clear the current challenge after use
user.currentChallenge = '';
users.set(user.email, user);
console.log(`User ${user.email} successfully authenticated.`);
return res.json({ message: 'Login successful', verified });
} else {
return res.status(400).json({ error: 'Passkey authentication failed verification' });
}
} catch (error) {
console.error('Error verifying authentication:', error);
return res.status(500).json({ error: error.message });
}
});
// For local development with HTTPS
const options = {
key: fs.readFileSync('ssl/server.key'),
cert: fs.readFileSync('ssl/server.crt')
};
https.createServer(options, app).listen(port, () => {
console.log(`HTTPS server running on https://localhost:${port}`);
console.log('Ensure you have self-signed SSL certificates in the "ssl" directory.');
console.log('You might need to accept the self-signed certificate in your browser to proceed.');
});
3.2 User Management with Passkeys
Integrating passkeys requires careful consideration of how users interact with their credentials.
- Initial Enrollment (Registration):
- Password-first to Passkey: Many existing applications will allow users to add a passkey as a second factor or as an alternative to their password after they’ve logged in with a traditional password. This gradual transition is key for adoption.
- Passkey-first: For new sign-ups, services can offer a passkey-only registration from the start. This streamlines the onboarding process significantly (e.g., Apple’s new Passkey Account Creation API).
- Multiple Passkeys:
- Allow multiple passkeys per account: Users may have different devices (laptop, phone, security key) or use different passkey providers (iCloud, Google, 1Password). Allowing them to register multiple passkeys enhances convenience and provides recovery options if one device is lost.
- Naming passkeys: Enable users to rename their registered passkeys (e.g., “iPhone 15 Passkey,” “Work Laptop Passkey,” “YubiKey”) to easily identify and manage them.
- Account Recovery:
- Essential fallback: While passkeys are robust, users can still lose access (e.g., all devices lost, forgotten PIN for synced passkeys). A secure account recovery mechanism (e.g., email/SMS recovery, security questions, or backup codes) is still crucial. This process should ideally allow the user to register a new passkey, not just reset a password.
- Platform-specific recovery: Operating systems are improving passkey recovery. For example, Android 16’s “Restore Credentials” feature allows for seamless recovery of passkeys on new devices during the device setup process, using a FIDO2-compatible “restore key” that can be synced via cloud backup.
- Passkey Management (CRUD Operations):
- Users should be able to view, rename, and revoke (delete) their passkeys from their account settings. If a device is lost or compromised, the user should be able to revoke the associated passkey immediately.
- New Passkey Management Endpoints (
/.well-known/passkey-endpoints) allow credential managers to directly link users to a service’s passkey management pages, improving discoverability and ease of use.
3.3 Cross-Platform Compatibility and Syncing
One of the biggest advantages of passkeys is their potential for cross-platform interoperability.
- FIDO Alliance Standards: The underlying FIDO2/WebAuthn standards are platform-agnostic, meaning the core technology works similarly across different operating systems and browsers.
- Platform Authenticators:
- Cloud Syncing: Apple’s iCloud Keychain, Google Password Manager, and Microsoft’s authenticator app enable passkeys to be securely synced across all devices logged into the user’s account within that ecosystem. This provides convenience and resilience.
- End-to-end encryption: These synced passkeys are typically protected with end-to-end encryption, meaning the cloud provider cannot access the private keys.
- Third-Party Passkey Providers: Password managers like 1Password and Bitwarden are integrating as passkey providers, allowing users to store and sync passkeys across various platforms and browsers, independent of the OS vendor.
- Cross-Device Authentication (CDA): This allows a user to authenticate on one device (e.g., a desktop computer) by using a passkey stored on a nearby mobile device (e.g., scanning a QR code or receiving a push notification). This bridges gaps between different ecosystems and devices.
- Secure Import/Export: iOS 26 introduced secure import/export capabilities for passkeys, built on the FIDO Alliance’s Credential Exchange Protocol (CXP). This allows users to move passkeys between different credential managers (e.g., iCloud Keychain to 1Password), addressing vendor lock-in concerns and enhancing user control. Android is also working on similar features.
Exercises/Mini-Challenges
- Modify Registration Flow:
- In the
server.js, changeauthenticatorSelection.residentKeyfrom'required'to'preferred'. How might this affect the user experience during registration? What are the implications for login? - Add logic to allow users to register a passkey from a “cross-platform” authenticator (e.g., a security key) by changing
authenticatorAttachment.
- In the
- Passkey Management UI Idea: Outline a user interface flow for a user to manage their registered passkeys (view, rename, delete) within your application. What information would you display for each passkey?
- Cross-Platform Scenario: Imagine a user has a passkey on their iPhone and wants to log in to your website on a Windows laptop. Describe the technical steps and user experience involved if your application supports cross-device authentication.
4. Advanced Topics and Best Practices
As you become more comfortable with passkeys, these advanced considerations will help you build robust and future-proof implementations.
4.1 Attestation and Trust
- Attestation: During registration, an authenticator can optionally provide an “attestation statement” to the relying party. This statement cryptographically proves properties about the authenticator itself (e.g., it’s a specific model of security key, or it’s a genuine platform authenticator).
- Use Cases: Primarily useful for high-security enterprise scenarios where you need to enforce that only trusted hardware is used.
- Consumer Apps: For most consumer-facing applications, attestation is generally not recommended or required. Apple devices, for example, often return
attestationType: 'none'for synced passkeys to prioritize user privacy and ecosystem openness. Requiring attestation would effectively block many users.
- Authenticator Assurance Globally Unique ID (AAGUID): A UUID that identifies the model or type of authenticator. While not directly attestation, it can help the RP understand the general capabilities or origin of an authenticator. However, for synced passkeys, Apple might send a zeroed-out AAGUID to prioritize privacy.
4.2 Replay Attack Prevention (Counters and Challenges)
- Challenges: As seen in the core concepts, both registration and authentication involve a server-generated “challenge” (a cryptographically secure random number). This challenge is signed by the authenticator’s private key. The purpose of the challenge is to prevent “replay attacks,” where an attacker might try to reuse a previously captured valid signature to authenticate. By requiring a new, unique challenge for each operation, a reused signature will be invalid.
- Signature Counters: Authenticators maintain an internal counter that increments with each successful authentication. This counter value is included in the authentication response. The relying party server stores the last seen counter value for each credential and verifies that the new counter is strictly greater than the previous one. This provides an additional layer of replay protection, especially for device-bound authenticators. Syncable passkey providers also manage their internal counters.
4.3 Passkey Lifecycle Management
- Credential Update (WebAuthn Signal API): The W3C’s WebAuthn Signal API (supported by iOS 26 via
ASCredentialUpdaterand corresponding browser APIs) allows the relying party to proactively signal changes to the user’s device. For example, if a user changes their username or email, the RP can notify the credential manager to update the locally stored passkey metadata, ensuring the passkey remains accurate and usable. - Passkey Upgrade Flow (Conditional Create): Modern platforms (iOS 18+, Android) offer “Conditional Create” or “Automatic Passkey Upgrades.” This feature intelligently detects if a user has a password-based account and proactively offers to create a passkey for them, often in a single tap, transforming their existing account to be passwordless-by-default.
- The
conditional mediationoption in WebAuthn registration allows the browser to present a passkey creation UI automatically when a user focuses on a username field, without an explicit button click.
- The
- Deletion/Revocation: When a user deletes a passkey from their device or from your service, it’s crucial that both the client (authenticator/credential manager) and the server update their records. Removing a passkey from the RP server means that public key can no longer be used for verification.
4.4 Best Practices for Adoption
- Progressive Enhancement: If you have an existing site, start by adding passkey support as an option alongside passwords. Use
autocomplete="username webauthn"on your username input field to hint to browsers that passkeys are available for autofill. - Clear User Education: Passkeys are still new to many users. Provide clear, concise messaging about what passkeys are, their benefits (security, convenience), and how to use them. Address common misconceptions (e.g., biometrics are not sent to the server).
- Optimize UI/UX:
- Post-Sign-In Prompts: Gently nudge users to create passkeys immediately after a successful password-based login.
- Contextual Messaging: Tailor messages to emphasize convenience (“Faster logins”) or security (“Protect from phishing”) based on user segments.
- Automatic Enrollment on Mobile: On mobile, consider automatically triggering biometric-based passkey enrollment, as this can significantly increase adoption (30-50%). For desktop, manual prompts are often preferred.
- One-Tap Login: Design your login flow to prioritize discoverable credentials for a truly passwordless, one-tap experience.
- Multiple Passkeys for Resilience: Always allow users to register multiple passkeys across different devices and providers. This is crucial for account recovery and convenience.
- Comprehensive Error Handling: WebAuthn operations can fail for various reasons (user cancellation, network issues, device not configured, unsupported authenticators). Implement robust error handling and provide clear feedback to the user, offering fallback options (e.g., password login) when a passkey operation fails.
- Don’t Abandon Account Recovery: Even with passkeys, robust account recovery flows are essential. Ensure users can regain access if they lose all their authenticators, and provide an option to add a new passkey during recovery.
- Stay Up-to-Date: The passkey ecosystem is rapidly evolving. Keep your SDKs and implementations updated to leverage the latest features and security enhancements.
- Use Well-Known URLs: Implement
.well-known/passkey-endpointsto help credential managers discover your service’s passkey management pages.
Exercises/Mini-Challenges
- Replay Attack Scenario: Explain how a server-generated challenge and an authenticator’s counter value work together to prevent an attacker from reusing a captured authentication response.
- Attestation Decision: As a developer for a popular e-commerce platform, would you enable attestation requirements for passkey registration? Justify your answer considering security, user experience, and adoption.
- User Onboarding Flow: Design a user onboarding flow for a new user creating an account, where you prioritize a passkey-first experience but also provide a fallback for users who cannot or choose not to use passkeys.
5. Guided Projects
These projects will help you apply the concepts learned and build functional passkey implementations.
Project 1: Basic Web Application with Passkey Registration and Login
Objective: Create a simple web application where users can register with a passkey and then log in using that passkey. This project will utilize the server.js and public/app.js examples provided in Section 2 and 3, and guide you through setting them up.
Problem Statement: You want to replace traditional password authentication with passkeys for a lightweight web service.
Steps:
Set up Project Structure:
- Ensure you have a
passkey-tutorialdirectory. - Inside, create
server.js,public/index.html,public/app.js,public/style.css. - Create an
ssldirectory. - Install dependencies:
npm install express @simplewebauthn/server @simplewebauthn/browser.
- Ensure you have a
Generate Self-Signed SSL Certificates:
- Open your terminal in the
passkey-tutorialdirectory. - If you’re on Linux or macOS, run these commands:
mkdir ssl openssl genrsa -out ssl/server.key 2048 openssl req -new -x509 -sha256 -key ssl/server.key -out ssl/server.crt -days 3650 -nodes -subj "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=localhost" - If you’re on Windows, you might need a tool like OpenSSL for Windows, or consider using
mkcert(a cross-platform tool) for local trusted certificates:# Install mkcert (Windows, macOS, Linux) choco install mkcert # For Windows with Chocolatey brew install mkcert # For macOS with Homebrew # Then, once mkcert is installed: mkcert -install mkcert localhost 127.0.0.1 # This will generate localhost.pem and localhost-key.pem. # Rename them to server.crt and server.key and move to your ssl folder. - Crucial step: You’ll likely need to manually “trust” this self-signed certificate in your browser (e.g., by visiting
https://localhost:3000and accepting the security warning).
- Open your terminal in the
Populate
server.js: Copy the fullserver.jscontent from Section 3.1.Populate
public/index.html: Copy the fullpublic/index.htmlcontent from Section 2.3.Populate
public/style.css: Copy the fullpublic/style.csscontent from Section 2.3.Populate
public/app.js: Copy the fullpublic/app.jscontent from Section 2.3.Run the Server:
node server.jsYou should see
HTTPS server running on https://localhost:3000.Test the Application:
- Open your browser and navigate to
https://localhost:3000. - Accept the security warning for the self-signed certificate.
- Register: Enter an email address and click “Register with Passkey.” Your device should prompt you for biometric verification (Face ID, Touch ID, Windows Hello, Android biometric). Complete the verification.
- Login: After successful registration, try logging in with the same email or leave it blank (if using discoverable credentials) and click “Login with Passkey.” Your device should again prompt for biometric verification.
- Open your browser and navigate to
Challenge for Independent Problem-Solving:
- Enhance User Feedback: Modify
public/app.jsto show a loading indicator or disable buttons during network requests to improve the user experience. - Persistent User Data (Optional): Currently, user data is lost when the server restarts. Research how to use a simple file-based database (like
lowdbfor Node.js) or a basic JSON file to persist user and credential data between server restarts.
Project 2: Implementing Passkey Management
Objective: Extend the basic web application to allow users to view their registered passkeys and delete them.
Problem Statement: Users need the ability to manage their authentication methods, including revoking lost or compromised passkeys.
Steps (Building upon Project 1):
- Add Management UI to
public/index.html:- Add a new section to
index.htmlto display a list of registered passkeys and a “Delete” button for each.
<!-- public/index.html (add this section) --> <hr style="margin: 30px 0;"> <div id="manage-passkeys-section"> <h2>Your Passkeys</h2> <button id="refreshPasskeysButton">Refresh Passkeys</button> <ul id="passkeyList"> <!-- Passkeys will be listed here --> </ul> </div> - Add a new section to
- Add Styling to
public/style.css:/* public/style.css (add this) */ #manage-passkeys-section { margin-top: 40px; text-align: left; } #passkeyList { list-style: none; padding: 0; } #passkeyList li { display: flex; justify-content: space-between; align-items: center; background-color: #f9f9f9; border: 1px solid #eee; padding: 10px 15px; margin-bottom: 8px; border-radius: 4px; } #passkeyList li button { background-color: #dc3545; padding: 8px 12px; font-size: 14px; } #passkeyList li button:hover { background-color: #c82333; } - Extend
public/app.jsfor Management:- Add event listeners for the “Refresh” button and dynamically created “Delete” buttons.
- Implement functions to fetch and display passkeys, and to send deletion requests to the server.
// public/app.js (add these at the end) const managePasskeysSection = document.getElementById('manage-passkeys-section'); const refreshPasskeysButton = document.getElementById('refreshPasskeysButton'); const passkeyList = document.getElementById('passkeyList'); // Function to fetch and display passkeys async function fetchAndDisplayPasskeys() { passkeyList.innerHTML = '<li>Loading...</li>'; const email = emailInput.value; if (!email) { passkeyList.innerHTML = '<li>Enter your email above to see your passkeys.</li>'; return; } try { const resp = await fetch(`/get-passkeys?email=${encodeURIComponent(email)}`); const { passkeys } = await resp.json(); passkeyList.innerHTML = ''; // Clear existing list if (passkeys.length === 0) { passkeyList.innerHTML = '<li>No passkeys registered for this email.</li>'; } else { passkeys.forEach(passkey => { const li = document.createElement('li'); li.innerHTML = ` <span>ID: ${passkey.id.substring(0, 10)}... (Created: ${new Date(parseInt(passkey.id.split('-')[1])).toLocaleDateString()})</span> <button data-credential-id="${passkey.id}">Delete</button> `; passkeyList.appendChild(li); }); // Add event listeners to delete buttons passkeyList.querySelectorAll('button').forEach(button => { button.addEventListener('click', async (event) => { const credentialId = event.target.dataset.credentialId; await deletePasskey(email, credentialId); }); }); } } catch (error) { console.error('Error fetching passkeys:', error); passkeyList.innerHTML = `<li class="error">Error loading passkeys: ${error.message}</li>`; } } // Function to delete a passkey async function deletePasskey(email, credentialId) { displayMessage('Deleting passkey...'); try { const resp = await fetch('/delete-passkey', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ email, credentialId }), }); const result = await resp.json(); if (result.success) { displayMessage('Passkey deleted successfully.'); fetchAndDisplayPasskeys(); // Refresh the list } else { displayMessage(`Failed to delete passkey: ${result.error}`, true); } } catch (error) { console.error('Error deleting passkey:', error); displayMessage(`Error deleting passkey: ${error.message}`, true); } } // Initial load and event listener refreshPasskeysButton.addEventListener('click', fetchAndDisplayPasskeys); emailInput.addEventListener('change', fetchAndDisplayPasskeys); // Refresh when email changes // Automatically try to display passkeys if an email is already present or after login/registration // This might be called after a successful login/registration in the future fetchAndDisplayPasskeys(); - Extend
server.jsfor Management Endpoints:- Add endpoints to retrieve a user’s passkeys and to handle passkey deletion.
// server.js (add these new endpoints) // Endpoint to get a user's registered passkeys app.get('/get-passkeys', (req, res) => { const { email } = req.query; if (!email) { return res.status(400).json({ error: 'Email is required.' }); } const user = users.get(email); if (!user) { return res.status(404).json({ error: 'User not found.' }); } const userCredentials = credentials.get(user.id) || []; // Only send necessary info, not the public key directly const simplifiedPasskeys = userCredentials.map(cred => ({ id: cred.id, transports: cred.transports, // You might want to store a creation date or a friendly name for display })); return res.json({ passkeys: simplifiedPasskeys }); }); // Endpoint to delete a passkey app.post('/delete-passkey', (req, res) => { const { email, credentialId } = req.body; if (!email || !credentialId) { return res.status(400).json({ error: 'Email and credentialId are required.' }); } const user = users.get(email); if (!user) { return res.status(404).json({ error: 'User not found.' }); } let userCredentials = credentials.get(user.id) || []; const initialLength = userCredentials.length; userCredentials = userCredentials.filter(cred => cred.id !== credentialId); if (userCredentials.length < initialLength) { credentials.set(user.id, userCredentials); console.log(`Passkey ${credentialId} deleted for user ${email}`); return res.json({ success: true, message: 'Passkey deleted successfully.' }); } else { return res.status(404).json({ success: false, error: 'Passkey not found for this user.' }); } }); - Test the Application:
- Restart your
node server.js. - Navigate to
https://localhost:3000. - Register a few passkeys with the same email (e.g., from different browsers or simulating different devices).
- Enter the email in the input field and click “Refresh Passkeys.” You should see a list of your registered passkeys.
- Try deleting a passkey and observe the list update.
- Restart your
Challenge for Independent Problem-Solving:
- Implement Passkey Renaming: Add a feature to allow users to give friendly names to their passkeys (e.g., “My Laptop Passkey,” “Phone Passkey”) instead of just displaying a truncated ID. This would involve adding a
nameproperty to yournewCredentialobject and updating the UI and server endpoints accordingly. - Error Handling for Empty Email: What happens if a user tries to refresh passkeys without entering an email? Improve the user feedback for this scenario.
6. Bonus Section: Further Learning and Resources
The world of passkeys and WebAuthn is constantly evolving. Here are some excellent resources to continue your learning journey:
Recommended Online Courses/Tutorials
- FIDO Alliance: While not a course, their documentation and guides (like passkeycentral.org) are authoritative.
- Google Developers: Check out Google’s guides on implementing passkeys, often with code labs for web and Android.
- Apple Developer Documentation: For iOS and macOS specific implementations.
- What’s new in passkeys - WWDC25 Videos (and related videos from WWDC22, WWDC24)
Official Documentation
- WebAuthn Specification: The ultimate source for technical details. Be warned, it’s very dense! https://www.w3.org/TR/webauthn/
- FIDO Alliance Documentation: Comprehensive resources on FIDO standards. https://fidoalliance.org/
- passkeys.dev: A community-driven resource with excellent explanations and device support matrices. https://passkeys.dev/
@simplewebauthnLibraries: The library we used in this guide has great documentation. https://github.com/MasterKale/SimpleWebAuthn
Blogs and Articles
- Corbado Blog: Frequently updated with detailed articles on passkey features, adoption strategies, and platform-specific updates (e.g., Android 16, iOS 26 passkey analyses). https://www.corbado.com/blog
- Yubico Blog: Offers insights into hardware security keys and broader WebAuthn best practices. https://www.yubico.com/blog/
- idDataWeb Blog: Provides analyses on the shift from OTPs to passkeys and industry trends. https://www.iddataweb.com/
- web.dev: Google’s platform for web development, often features excellent articles on WebAuthn and passkeys.
YouTube Channels
- Google Chrome Developers: Look for videos related to WebAuthn and passkeys.
- Apple Developer: WWDC (Worldwide Developers Conference) videos offer deep dives into Apple’s passkey implementations.
- FIDO Alliance: May host webinars or technical presentations.
- Individual Security/Dev Channels: Many content creators explain these concepts; search for “WebAuthn tutorial” or “passkey explanation.”
Community Forums/Groups
- FIDO-dev Community Group: A great place to ask technical questions and engage with experts from major companies. https://groups.google.com/a/fidoalliance.org/g/fido-dev
- Passkeys Developer Discussions: Another active forum for developers. https://passkeys.dev/discuss
- Stack Overflow: Search for
webauthnorpasskeystags. - Discord Servers: Many developer communities have channels dedicated to security or web development where you can ask questions.
Next Steps/Advanced Topics
After mastering the content in this document, consider exploring:
- Server-Side Library Deep Dive: Understand the full capabilities of libraries like
@simplewebauthn/serveror other language-specific WebAuthn libraries (e.g.,webauthn-libfor Python). - Cross-Device Authentication (QR Code flows): Implement the full flow for authenticating on a desktop using a mobile device passkey.
- Platform-Specific APIs: Dive into Android’s Credential Manager API or Apple’s AuthenticationServices framework for native app passkey integration.
- Passkey Syncing Provider Integration: Understand how third-party password managers integrate as passkey providers and how your RP can support them.
- Advanced Attestation: For niche, high-security use cases, explore different attestation formats and their verification.
- Passkey Provisioning/Deprovisioning: Implement robust system for issuing and revoking passkeys in an enterprise context.
- WebAuthn Extensions: Explore other WebAuthn extensions like User ID and Client Hints.
By continuing to learn and experiment, you’ll be at the forefront of the passwordless revolution, building more secure and user-friendly authentication experiences for everyone.
Want more advanced stuff in Passkeys -> Follow here Passkeys Advanced Developer Guide