Modern Authentication: Passkeys, WebAuthn and the End of Passwords

DataFmt Team
#authentication #passkeys #webauthn #security
5 min read


Passkeys are not a buzzword anymore: Apple, Google, Microsoft and 1Password sync them across devices, and many major sites already accept them. Here is what you need to know to ship them.

What is a passkey, really?

A passkey is a WebAuthn credential: an asymmetric key pair generated on the user’s device. The private key never leaves that device (or its cloud-synced keychain); only the public key, plus a credential ID that identifies the key pair, is sent to your server during registration.

When the user signs in:

  1. Server generates a random, single-use challenge and remembers it for this session.
  2. The user authenticates locally (Face ID, fingerprint, PIN); the private key is only usable after that check.
  3. The device signs the challenge together with the origin it was used on and the RP ID, using the private key.
  4. Server checks that the challenge is the one it issued and that origin and RP ID match, then verifies the signature with the stored public key.

Why it beats passwords

  • Phishing-resistant — the browser only offers the credential on the origin it was registered for (example.com), and the signed data includes that origin; a look-alike domain never obtains a usable signature.
  • No shared secrets — even a database breach reveals only public keys.
  • No reuse — each site has a unique credential.
  • Better UX — one biometric, no typing.

The minimum server flow

import {
  generateRegistrationOptions,
  verifyRegistrationResponse,
} from "@simplewebauthn/server";

// Registration challenge. Persist options.challenge server-side (here: the
// session) because the browser answers it in a separate request.
const options = await generateRegistrationOptions({
  rpName: "datafmt.com",
  rpID: "datafmt.com",
  userID: user.id, // a Uint8Array from v10 of the library onwards
  userName: user.email,
});
session.currentChallenge = options.challenge;

// Verify the response in the follow-up request. The challenge, the browser
// origin and the RP ID must all match what this server issued.
const verification = await verifyRegistrationResponse({
  response: clientResponse,
  expectedChallenge: session.currentChallenge,
  expectedOrigin: "https://datafmt.com",
  expectedRPID: "datafmt.com",
});
session.currentChallenge = undefined; // single use, whatever the outcome

if (!verification.verified || !verification.registrationInfo) {
  throw new Error("passkey registration failed");
}

// Field names below are those of v9 of the library; from v10 they live under
// registrationInfo.credential as id / publicKey / counter.
await db.savePasskey({
  user_id: user.id,
  credential_id: verification.registrationInfo.credentialID,
  public_key: verification.registrationInfo.credentialPublicKey,
  counter: verification.registrationInfo.counter,
});

The @simplewebauthn/server library handles the parsing and verification; the sign-in side has the same shape with generateAuthenticationOptions and verifyAuthenticationResponse, which take the stored public key and counter and return the updated counter to persist.

Roll-out strategy

  1. Add passkeys as a second factor alongside passwords.
  2. Let users with existing accounts add a passkey from their settings; store the public key and credential ID against the account like any other credential.
  3. After 90 days, prompt power users to make the account passkey-only.
  4. Keep an account-recovery path (email + magic link) for lost devices, and treat it as the weakest link: rate-limit it and log its use, since an attacker who cannot phish the passkey will target recovery instead.

What about hardware keys?

YubiKeys and similar security keys are also WebAuthn credentials, just stored on a physical device that does not sync (device-bound rather than synced). Same API; ideal for high-assurance accounts (admins, finance). If policy requires a hardware key for those accounts, enforce it server-side rather than trusting the user to pick one: the authenticator data carries flags that distinguish device-bound from synced credentials, and attestation can identify the key model.
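How to tell a device-bound credential from a synced passkey at registration time, as an added example (not code from the original post): the flags byte of the WebAuthn authenticator data carries the backup-eligible (BE) and backup-state (BS) bits, and a credential that is not backup-eligible can never be synced, which is exactly the property a hardware key provides. The bit positions are from the WebAuthn specification; the role names, the policy function and the two constructed flag bytes are assumptions of this example.

```javascript
// Added example: classify a credential as device-bound or synced from the WebAuthn flags
// byte and apply a per-role policy. Roles and policy are hypothetical.

// Flags byte layout (authenticatorData[32]): bit 0 UP (user present), bit 2 UV (user
// verified), bit 3 BE (backup eligible), bit 4 BS (backup state), bit 6 AT (attested
// credential data present, always set on a registration response).
function parseFlags(flagsByte) {
  return {
    userPresent: Boolean(flagsByte & 0x01),
    userVerified: Boolean(flagsByte & 0x04),
    backupEligible: Boolean(flagsByte & 0x08),
    backedUp: Boolean(flagsByte & 0x10),
    attestedCredentialData: Boolean(flagsByte & 0x40),
  };
}

// BE clear: the authenticator will never sync this key (security key, device-bound passkey).
// BE set: a syncable passkey, whether or not BS says it has been backed up yet.
function credentialKind(flagsByte) {
  return parseFlags(flagsByte).backupEligible ? "synced" : "device-bound";
}

// Hypothetical roles that must register a device-bound key with user verification.
const HIGH_ASSURANCE_ROLES = new Set(["admin", "finance"]);

function registrationAllowed(role, flagsByte) {
  const f = parseFlags(flagsByte);
  if (!f.userPresent || !f.attestedCredentialData) {
    return { allowed: false, reason: "malformed registration response" };
  }
  if (!HIGH_ASSURANCE_ROLES.has(role)) {
    return { allowed: true, kind: credentialKind(flagsByte) };
  }
  if (!f.userVerified) {
    return { allowed: false, reason: "user verification required for this role" };
  }
  if (f.backupEligible) {
    return { allowed: false, reason: "synced passkey not accepted for this role; register a hardware key" };
  }
  return { allowed: true, kind: "device-bound" };
}

// Constructed flag bytes: a security-key registration (UP|UV|AT = 0x45) and a typical
// synced-passkey registration (UP|UV|BE|BS|AT = 0x5d).
const SECURITY_KEY_FLAGS = 0x45;
const SYNCED_PASSKEY_FLAGS = 0x5d;
```

With @simplewebauthn/server the same information is surfaced on registrationInfo as credentialDeviceType ("singleDevice" or "multiDevice") and credentialBackedUp, so the policy check can be written against those fields instead of the raw byte; the decision logic stays the same.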

Pitfalls

  • Cross-device flows still confuse users; show the QR code path explicitly.
  • Signature counters are only meaningful for device-bound authenticators; synced passkeys commonly report 0 every time. A counter that goes backwards should be logged and investigated rather than blocking the sign-in outright, because sync providers occasionally lag.
  • Discoverable credentials (resident keys) are required for usernameless flows; older browsers may not support them.

TL;DR

Add passkeys as an option today. Make them the default in 12 months. Passwords will stick around as legacy fallback for years — but they are no longer the centerpiece of authentication.
