Passkeys Are Finally Real and I Have Opinions
After years of promises, passwordless authentication is actually happening. My experience deploying passkeys and what's still broken.
Remember when WebAuthn was going to kill passwords? That was 2019. Then 2020. Then 2021.
Well, it’s 2025 and I’ve finally deployed passkeys in production. Here’s the actual experience, not the marketing version.
Where We Are Now
Passkey support is genuinely widespread now:
- iOS/macOS: Full support, synced via iCloud Keychain
- Android: Full support, synced via Google Password Manager
- Windows: Support via Windows Hello, sync coming
- Browsers: Chrome, Safari, Firefox, Edge all work
- Password managers: 1Password, Bitwarden, Dashlane support passkeys
The ecosystem reached critical mass sometime in mid-2024. By now, most users CAN use passkeys even if they don’t know what they are.
The Implementation
I implemented passkeys for a B2B SaaS product. Here’s how it actually went.
The Good
Server-side is straightforward. Libraries exist for every language. We used SimpleWebAuthn (@simplewebauthn/server) for Node. Registration and authentication flows are well-documented.
```js
// Simplified registration (SimpleWebAuthn v10+; `user.id`, `user.email` and
// `user.passkeys` are our own user record, not library fields)
import { generateRegistrationOptions, verifyRegistrationResponse } from '@simplewebauthn/server';

const options = await generateRegistrationOptions({
  rpName: 'Our App',
  rpID: 'app.example.com',
  userID: new TextEncoder().encode(user.id), // v10+ wants bytes, not a string
  userName: user.email,
  // Stops the browser re-registering an authenticator this user already has
  excludeCredentials: user.passkeys.map((pk) => ({ id: pk.credentialId, transports: pk.transports })),
  authenticatorSelection: {
    residentKey: 'required',      // discoverable credential: no username prompt at login
    userVerification: 'preferred',
  },
});
// Store options.challenge server-side (short-lived, tied to this user), then send `options` down.
// Client calls navigator.credentials.create()
// Server verifies with verifyRegistrationResponse(), checking the stored challenge,
// expected origin and expected RP ID
```
Cross-platform sync works. User registers passkey on iPhone, can use it on Mac. Android to Chrome works. The promise of “just works across devices” is real.
User experience is genuinely better. Face ID or fingerprint to log in. No password to remember. No TOTP codes. Users like it.
Phishing resistant. This is the big one. A passkey is bound to the relying party ID it was created for, and the browser only offers it on origins that match. An evil-proxy site at app.examp1e.com can’t use your passkey for app.example.com: the authenticator signs a hash of the RP ID, the browser records the real origin in clientDataJSON, and the server checks both. This alone makes them worth it.
The Bad
Account recovery is complicated. User loses their phone, gets a new one, doesn’t have iCloud backup… now what? We had to keep password as fallback. Defeats some of the purpose.
Enterprise device management. Synced passkeys live in personal Apple/Google accounts. Enterprise doesn’t love that. Had to figure out attestation and policy for managed devices.
“What’s a passkey?” User education was more work than implementation. Most users had never heard of passkeys. “Use fingerprint to log in” worked better than “register a passkey.”
Partial support. Not everyone can use passkeys. Old browsers. Corporate locked-down machines. That random user on an old Android.
We couldn’t make passkeys mandatory. Had to keep passwords + TOTP as an alternative path.
The Ugly
Cross-device authentication is confusing. “I’m on my work laptop but my passkey is on my phone.” The QR code flow works but users don’t understand it initially.
Windows sync isn’t there yet. Windows Hello passkeys don’t sync across machines yet. Microsoft is working on it, but we’re not there. Users with only Windows had passkeys stuck on one machine.
The browser UI is inconsistent. Different browsers present the passkey flow differently. Some show QR codes prominently, some hide them. Testing matrix is annoying.
What We Learned
Keep Password Fallback (For Now)
Pure passwordless sounds great. Reality requires fallback. Our flow:
- Passkey preferred
- Password + TOTP still available
- Recovery codes for emergencies
Eventually passwords can go away. Not yet.
Language Matters
“Passkey” means nothing to average users. What worked:
- “Log in with Face ID” (iOS)
- “Log in with fingerprint” (Android)
- “Log in with Windows Hello” (Windows)
We used device-specific language, not protocol names.
Attestation for Enterprise
For enterprise customers, we implemented attestation verification. Allows them to require passkeys from managed devices only: the tenant keeps an allowlist of authenticator models (by AAGUID) and registration must carry an attestation statement that verifies. This blocks synced passkeys on personal devices, which typically arrive with no attestation statement and, in any case, with the backup-eligible flag set in the authenticator data.
More work, but necessary for some compliance requirements.
Monitor for Issues
Added specific logging for passkey flows:
- Registration failures (and why)
- Authentication failures
- Fallback to password (how often, why)
- Cross-device authentication attempts
This data helped us find UX issues. “30% of users fail cross-device on first attempt” led us to add better instructions.
The Security Improvements
Despite the challenges, the security benefits are real.
Credential stuffing: eliminated for passkey-only accounts. No passwords to stuff. Users who have dropped their password can’t be hit by credential reuse; for users who kept the password fallback, that login path is still exposed.
Phishing: significantly harder. Had a phishing attempt against our users. Users with passkeys couldn’t be phished. The passkey wouldn’t work on the fake domain.
Session hijacking still matters. Passkeys authenticate the initial login. Session tokens still need protection. Didn’t change our session security posture.
Account takeover via password reset: still a risk. If password fallback exists, so does password reset. That’s still an attack vector.
Adoption Numbers
After 6 months:
- 34% of users have registered a passkey
- 67% of logins use passkeys (among users who have them)
- 8% of users use passkey exclusively (disabled password)
Adoption is growing but not universal. The users who use passkeys love them.
My Recommendations
If you’re implementing passkeys:
1. Start with optional, aim for default.
Don’t force passkeys immediately. Offer them. Make them the easy path. Nudge users toward registration. Eventually make them default for new accounts.
2. Don’t kill passwords yet.
Keep password + MFA as fallback. Recovery scenarios require it. Enterprise edge cases require it.
3. Use platform language.
“Face ID” and “fingerprint” over “passkey” or “WebAuthn” or “FIDO2.”
4. Test the full matrix.
iOS to Mac. Android to Windows. Phone to laptop via QR. Cross-device scenarios are where UX breaks.
5. Plan for enterprise requirements.
Attestation. Device management. Compliance logging. Enterprise will ask for these.
The Future
Passkeys are the future of authentication. The path there is messier than the vision, but we’re making progress.
What I want to see:
- Better Windows sync
- Improved cross-device UX
- More apps supporting passkeys
- Better recovery flows
What I expect:
- Passkeys become default for consumer apps (2-3 years)
- Password “backup” persists longer than we’d like
- Enterprise adoption slower due to device management concerns
But directionally? This is clearly better than passwords. Worth the implementation effort.
Passwords were a mistake. Passkeys are the correction. We’re finally making it happen, even if it’s messy.