Don't implement passkeys. Five Day 2 issues explained
3 months ago
- #security
- #authentication
- #passkeys
- Passkeys are beneficial but can cause harm if implemented incorrectly.
- Five Day 2 problems with passkeys: recovery, cross-device UX, native apps, adoption, and platform changes.
- Day 1 is about building and shipping passkeys; Day 2 involves operational challenges.
- Recovery must be designed carefully to avoid locking users out or reintroducing phishing risks.
- Cross-device UX issues arise from different platforms, browsers, and credential managers.
- Native apps add complexity due to platform-specific behaviors and maintenance requirements.
- Adoption requires a strategic rollout and measurement to ensure success.
- Platform changes (OS/browser updates) can break passkey flows without warning.
- The true cost of passkeys is in ongoing maintenance, not initial implementation.
- Recommendation: Only implement passkeys if you can handle Day 2 challenges or work with a partner like Corbado.