Passkeys are the modern, consumer-friendly delivery of FIDO2 / WebAuthn — public-key credentials bound to a website's origin, unlocked by a fingerprint, face, or PIN, and synced across the user's devices via the OS. They eliminate the password, defeat phishing by construction, and ship in every modern browser and operating system. In 2026, they're the default direction for new login flows.
Conventional MFA can be relayed — the attacker proxies a fake login site, captures the OTP, and uses it in real time. Passkeys can't be: the credential is bound to the legitimate origin's domain, and the device's WebAuthn API simply refuses to sign for the wrong domain. The attacker never gets a usable signature, no matter what the user types or taps.
Your server stores public keys. A database dump leaks public keys — useless to an attacker. Compare to passwords (hashable but crackable) or TOTP secrets (immediately usable if leaked).
"Tap your fingerprint to sign in" beats "find your authenticator app, type 6 digits within 30 seconds." Passkey sign-ins routinely measure 2–4× higher completion than password+OTP.
Synced passkeys let a user sign in on their iPhone, then their MacBook, then a new device — without re-enrolling. Apple, Google, Microsoft, 1Password, Dashlane, Bitwarden, and others all sync. The early "you'll get locked out if you lose your phone" objection is mostly gone.
challenge and sends WebAuthn registration options including the relying party (your domain), user info, and supported algorithms.

The smoothest UX: the server requests a credential without naming a user. The browser shows the user every passkey they have for your origin; they pick one. The user identifier comes back with the assertion. No email field at all — sign-in is one click.
Synced passkeys cover most of the "lost device" cases. You still need a recovery path for users who lose access to their entire OS account or sync chain. Options: registered backup passkey on a hardware key, identity verification, recovery via another factor. Don't downgrade to email-only — that's how account takeovers come back.
Let users register more than one passkey — phone + laptop + hardware key. Show them a management UI listing each credential with the device name and last-used time, and let them revoke individually.
Don't go passkey-only on day one. Most teams ship passkeys alongside passwords; over time, the password becomes the fallback and eventually optional. Track adoption and breach signals before removing passwords entirely.
WebAuthn lets you require attestation about which authenticator was used. For consumer apps, set attestation: "none" — strict attestation breaks legitimate platform authenticators in subtle ways and gives little real value. Attestation matters mainly for enterprise contexts that require certified hardware keys.
WebAuthn is a serious protocol with subtle verification rules. Libraries: SimpleWebAuthn, py_webauthn, Webauthn4j, Yubico's webauthn-server-core. Or a managed service: Auth0, Okta, Stytch, Clerk, Hanko, Corbado, Passage. Don't reinvent.
Passkeys are the first credential model in 30 years that's both more secure and more pleasant. The reasons to delay are mostly inertia.