Why your 2-week passkey sprint will turn into 6 months
16 hours ago
- #native-apps
- #authentication
- #passkeys
- Native passkey implementation is significantly more complex than web, involving platform-specific setups and silent failures.
- Apple's AASA file must be correctly hosted and formatted, with strict HTTP response requirements and unpredictable CDN caching behavior.
- Android requires assetlinks.json with correct SHA-256 fingerprints, and subdomains must be individually listed.
- iOS passkey authentication requires a specific call sequence and Base64URL encoding, and the system sheets it presents cannot be customized.
- Android offers two passkey APIs: legacy FIDO2 and the newer Credential Manager, with varying support across devices and OEMs.
- WebView implementations introduce origin validation challenges and security risks if not properly configured.
- Conditional UI for passkeys in native apps is unreliable, with platform-specific quirks.
- Cross-platform passkey usage is limited, requiring fallback authentication methods due to credential manager incompatibilities.
- Testing passkeys requires physical devices, as simulators do not accurately replicate real-world conditions.
- Implementing passkeys in native apps is a sub-project requiring 3-6 months, with extensive fallback and testing strategies.
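As an added example (not from the article or any project it names), a small Python lint for the two hosted files the points above describe: it checks the passkey-relevant structure of assetlinks.json (relation, namespace, fingerprint format) and of the AASA webcredentials entry. The package name, Team ID and fingerprints are constructed sample values, and the strict uppercase/Team-ID forms are assumptions taken from the platform documentation.

```python
import json
import re

# Documented forms: Android wants 32 colon-separated uppercase hex pairs; Apple wants
# <TEAMID>.<bundle id> with a 10-character Team ID (both enforced strictly here).
FINGERPRINT_RE = re.compile(r"^([0-9A-F]{2}:){31}[0-9A-F]{2}$")
APPLE_APP_ID_RE = re.compile(r"^[A-Z0-9]{10}\.[A-Za-z0-9.-]+$")
PASSKEY_RELATION = "delegate_permission/common.get_login_creds"

def check_assetlinks(text):
    """Return the problems found in an assetlinks.json body, for passkey use."""
    doc = json.loads(text)
    if not isinstance(doc, list) or not doc:
        return ["assetlinks.json must be a non-empty JSON array of statements"]
    problems = []
    for i, stmt in enumerate(doc):
        if PASSKEY_RELATION not in stmt.get("relation", []):
            problems.append(f"statement {i}: missing relation {PASSKEY_RELATION}")
        target = stmt.get("target", {})
        if target.get("namespace") != "android_app":
            problems.append(f"statement {i}: namespace must be android_app")
        if not target.get("package_name"):
            problems.append(f"statement {i}: package_name is missing")
        fps = target.get("sha256_cert_fingerprints", [])
        if not fps:
            problems.append(f"statement {i}: no sha256_cert_fingerprints")
        problems += [f"statement {i}: bad fingerprint {fp!r}" for fp in fps if not FINGERPRINT_RE.match(fp)]
    return problems

def check_aasa(text):
    """Return the problems found in an apple-app-site-association body."""
    doc = json.loads(text)
    apps = doc.get("webcredentials", {}).get("apps", []) if isinstance(doc, dict) else []
    if not apps:
        return ["no webcredentials.apps entry: iOS will not offer passkeys for this domain"]
    return [f"app id {a!r} is not TEAMID.bundleid" for a in apps if not APPLE_APP_ID_RE.match(a)]

# Constructed samples with two common mistakes: a lowercase, unseparated fingerprint
# pasted from a tool's output, and an AASA app id missing its Team ID prefix.
SAMPLE_ASSETLINKS = json.dumps([{
    "relation": [PASSKEY_RELATION],
    "target": {"namespace": "android_app", "package_name": "com.example.app",
               "sha256_cert_fingerprints": ["ab" * 32]},
}])
SAMPLE_AASA = json.dumps({"webcredentials": {"apps": ["com.example.app"]}})

if __name__ == "__main__":
    print(check_assetlinks(SAMPLE_ASSETLINKS), check_aasa(SAMPLE_AASA))
```

The lint only covers file contents; the hosting requirements the points above mention (HTTPS, no redirects, content type, CDN caching, every subdomain listed) still have to be verified against the live .well-known URLs.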