Overview
FIDO2 Passkeys are a user-friendly implementation of FIDO2/WebAuthn credentials that replace passwords with cryptographic key pairs, providing phishing-resistant, passwordless authentication. Passkeys come in two forms: device-bound passkeys that stay on a single device (traditional FIDO2 credentials), and synced passkeys that are synchronized across devices within a platform ecosystem (iCloud Keychain, Google Password Manager, Microsoft Authenticator). Users authenticate using biometrics (Face ID, Touch ID, Windows Hello) or device PIN—no passwords to remember, type, or phish. Major platforms (Apple, Google, Microsoft) now support passkeys natively, making passwordless authentication accessible to billions of users. Passkeys represent the most significant advancement in authentication usability and security since passwords themselves, finally offering a credential type that's both stronger than passwords and easier to use.
Architecture & Reference Patterns
Pattern 1: Consumer Passkey Registration and Login
Users create passkeys during account signup or a credential-upgrade flow. The relying party calls the WebAuthn registration API (navigator.credentials.create()); the platform prompts for a biometric or PIN, creates a key pair, and, for a synced passkey, syncs it to the user's platform account. On subsequent logins the user selects their account (or autocomplete suggests it), provides a biometric, and is authenticated through the assertion API (navigator.credentials.get()). No passwords are involved.
Pattern 2: Cross-Device Authentication
Users authenticate on a device that does not hold their passkey by scanning a QR code with their phone (which does). The phone establishes a secure tunnel to the target device, the user provides a biometric on the phone, and authentication completes on the target device. This enables passkey use on shared computers, new devices, or devices outside the user's ecosystem.
Pattern 3: Enterprise Passkey Deployment
Organizations deploy passkeys to workforce users as part of passwordless initiatives. IT may provision device-bound passkeys (hardware security keys) for privileged users while allowing synced passkeys for the general workforce. Passkey registration is integrated with onboarding, and recovery procedures address lost devices. See the FIDO2 topic for hardware security key patterns.
Pattern 4: Hybrid Password + Passkey (Migration)
During the transition, users hold both password and passkey credentials. The login UI prioritizes the passkey when one is available and falls back to the password otherwise. Users without a passkey are nudged to register one. Eventually, passwords can be disabled for users who have passkeys. This supports gradual migration without forcing immediate change.
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Passkey type allowed | Synced only, device-bound only, both | Both—synced for usability, device-bound option for high-security | Device-bound is more secure but harder if device is lost |
| Sync provider trust | Trust all, trust specific providers, attestation-based | Trust major providers (Apple, Google, MS); consider attestation for high-security | Limiting providers affects user experience |
| Registration flow | During signup, post-signup prompt, explicit setup | During signup for new users; prompt for existing users | Aggressive prompts frustrate users—balance carefully |
| Recovery when passkey lost | Password fallback, recovery codes, account recovery, new device attestation | Multiple options: recovery codes + account recovery with identity proofing | Single recovery option is fragile |
| Username-less authentication | Enabled (discoverable credentials), disabled (non-discoverable) | Enabled for best UX when supported | Requires resident keys; some authenticators have storage limits |
| Password deprecation | Keep indefinitely, deprecate after passkey, remove option | Deprecate for users with 2+ passkeys, after stability period | Removing passwords is major change—phase carefully |
Implementation Approach
Phase 0: Discovery
Inputs: Current authentication methods, user population, device/platform landscape, UX requirements, security requirements
Outputs: Passkey capability assessment (browser/platform support), user readiness analysis, IdP passkey support evaluation, UX design requirements, recovery procedure requirements
Phase 1: Design
Inputs: Discovery outputs, security requirements, UX requirements
Outputs: Passkey registration flow design, authentication flow design, recovery procedure design, migration strategy from passwords, UX design specifications, monitoring requirements
Phase 2: Build & Integrate
Inputs: Design documents, WebAuthn libraries, IdP configuration, test users
Outputs: Registration flow implemented and tested, authentication flow working across platforms, recovery procedures functional, monitoring operational, cross-device authentication tested
Phase 3: Rollout
Inputs: Tested implementation, user communication plan, support training
Outputs: Passkey registration available to users, adoption tracked and incentivized, support staff trained, user feedback incorporated, issues addressed
Phase 4: Operate
Inputs: Production passkey environment, monitoring dashboards, adoption metrics
Outputs: Adoption growing toward targets, password usage declining, recovery procedures working, user satisfaction measured, continuous improvement based on feedback
Deliverables
- Passkey UX design (registration, authentication, recovery flows)
- WebAuthn integration guide with code samples
- Platform compatibility documentation
- Recovery procedure documentation and training
- User communication and education materials
- Support staff training materials
- Monitoring dashboard for passkey adoption and authentication success
- Password deprecation roadmap
Risks & Failure Modes
| Risk | Likelihood | Impact | Early Signals | Mitigation |
|---|---|---|---|---|
| Lost device with only passkey causes lockout | M | H | Support tickets, account recovery requests | Require 2+ passkeys or backup recovery method |
| Synced passkey provider compromise | L | H | Security incidents at Apple/Google/MS | Device-bound for highest-risk accounts, monitor provider security |
| Cross-device authentication UX confuses users | M | M | Abandonment during QR flow, support calls | Clear instructions, fallback options, test extensively |
| Browser/platform compatibility issues | M | M | Authentication failures on specific platforms | Test across all supported platforms, graceful fallback |
| User resistance to change | H | M | Low adoption, preference for passwords | Clear communication of benefits, non-disruptive migration |
| Recovery procedure failures | M | H | Users permanently locked out, escalations | Test recovery thoroughly, multiple recovery options |
KPIs / Outcomes
- Passkey registration rate: Target 50%+ of active users within 12 months
- Password-less authentications: Percentage of authentications using passkeys (growing)
- Authentication success rate: Target over 99% for passkey authentications
- Account takeover incidents: Should approach zero for passkey-protected accounts
- Support tickets for authentication: Should decrease as passkey adoption grows
- User satisfaction: Survey scores should show improved authentication experience
