Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Past Time For Passkeys

Avatar for Kyle Simpson Kyle Simpson PRO
October 03, 2025
Resources
Programming
0
9

Past Time For Passkeys

Over 2 billion devices support some form of biometric unlock (Face ID, Touch ID, etc), making that by far the most common way people protect access to their devices.

The exact same capability, applied to authentication (login) for apps, is called Passkeys. But yet, despite the popularity of biometric device unlock, and the massive problems of passwords -- phishing, cracking, forgetting -- and even SMS texts or TOTP codes for 2FA, for some reason, Passkeys have not yet taken off.

It's well past time for Passkeys to have taken off. We desperately need a broad conversation about what's holding them back and what we can do to upgrade the web to using Passkeys.

In this talk, we'll explore the ins and outs of using Passkeys, including (most importantly!) how to make your users understand and love them!

Avatar for Kyle Simpson

Kyle Simpson PRO

October 03, 2025
Tweet

Resources

Slide Code

https://gist.github.com/getify/b7395cdf0d2c5d3c0dd6685b5fae406d

More Decks by Kyle Simpson

See All by Kyle Simpson
Love/Hate: Upgrading to Web2.5 with Local-First (abbr)
Avatar for Kyle Simpson getify
PRO
0
110
Transforming Composition
Avatar for Kyle Simpson getify
PRO
0
130
Love/Hate: Upgrading to Web2.5 with Local-First
Avatar for Kyle Simpson getify
PRO
0
230
Zero Server Data Security
Avatar for Kyle Simpson getify
PRO
1
220
Imperative vs Declarative: Weathering the storm
Avatar for Kyle Simpson getify
PRO
0
460
Confessions from an Impostor
Avatar for Kyle Simpson getify
PRO
0
230
On the job interview... Composition
Avatar for Kyle Simpson getify
PRO
0
100
Mo'Problems, Mo'Nads
Avatar for Kyle Simpson getify
PRO
1
3.6k
FOUC, and the Death of Progressive Enhancement
Avatar for Kyle Simpson getify
PRO
6
2.2k

Other Decks in Programming

See All in Programming
WebエンジニアがSwiftをブラウザで動かすプレイグラウンドを作ってみた
Avatar for uutan1108 ohmori_yusuke
0
160
Conquering Massive Traffic Spikes in Ruby Applications with Pitchfork
Avatar for Shia riseshia
0
130
(Extension DC 2025) Actor境界を越える技術
Avatar for Himeshi teamhimeh
1
100
スマホで海難事故は防げるか?年間2000件以上の小型船舶の事故に挑むアプリ開発
Avatar for Atsuki Seo atsuki_seo
0
120
Local Peer-to-Peer APIはどのように使われていくのか?
Avatar for Hal hal_spidernight
2
410
Repenser les filtres API Platform: une nouvelle syntaxe
Avatar for Vincent Amstoutz vinceamstoutz
2
150
ABEMAモバイルアプリが
Kotlin Multiplatformと歩んだ5年 ─ 導入と運用、成功と課題 / iOSDC 2025
Avatar for Akio Yasui akkyie
0
300
CSC509 Lecture 01
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
1
430
なぜGoのジェネリクスはこの形なのか? Featherweight Goが明かす設計の核心
Avatar for Ryotaro ryotaros
7
970
あなたの知らない「動画広告」の世界 - iOSDC Japan 2025
Avatar for ukitaka ukitaka
0
300
私はどうやって技術力を上げたのか
Avatar for Yusuke Wada yusukebe
42
16k
複雑化したリポジトリをなんとかした話 pipenvからuvによるモノレポ構成への移行
Avatar for Satoshi Kaneyasu satoshi256kbyte
0
550

Featured

See All Featured
Thoughts on Productivity
Avatar for Jon Yablonski jonyablonski
70
4.8k
Designing for Performance
Avatar for Lara Hogan lara
610
69k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
Avatar for Sam Stephenson sstephenson
162
15k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
285
14k
Learning to Love Humans: Emotional Interface Design
Avatar for Aarron Walter aarron
274
40k
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
52
3.4k
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.5k
Six Lessons from altMBA
Avatar for Skipper Chong Warson skipperchong
28
4k
Large-scale JavaScript Application Architecture
Avatar for Addy Osmani addyosmani
513
110k
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
45
7.7k
4 Signs Your Business is Dying
Avatar for Josh Pigford shpigford
185
22k
Building an army of robots
Avatar for Kyle Neath kneath
306
46k

Transcript

  1. Kyle Simpson Passwords Are Fine! ******** SLIDES

  2. Kyle Simpson Passwords Are Fine! SLIDES ******** User name or

    password entered incorrectly.

  3. Past Time for Passkeys Kyle Simpson

  4. None

  5. Passwords Are Bad Password Resets Are Bad Security Questions Are

    Bad

  6. Federated/SSO Logins Are Bad Email/SMS/App TOTP 2FA Is Bad Magic

    Login Links Are Bad

  7. QR Code Logins Are Bad OAuth/OIDC Is Bad Security Key

    Devices Are Bad

  8. CAPTCHAs Are Bad Push-Based Approval Is Bad Backup Codes Are

    Bad

  9. These mainly exist to cope with quirks of the web

    They also protect vendor lock-in & monetization

  10. Bad doesn’t just mean poor UX It also means poor

    security

  11. </rant>

  12. Biometric Device Unlock 80-90% of consumer devices worldwide

  13. None
  14. None

  15. This shares my personal biometric data with big tech

  16. Biometric data is registered PER DEVICE, and only stored securely

    on that device

  17. Apple: Secure Enclave Android: TEE / StrongBox

  18. If my biometric data is compromised, I’m screwed

  19. Compromise requires your biometric data AND physical access to your

    device

  20. Device Unlock falls back to PIN/Pattern without biometrics

  21. 86% of US consumers use some device lock 1 55%

    of major global market consumers use biometric unlock 2 1. https://www.pewresearch.org/internet/2023/10/18/how-americans-protect-their-online-data/ 2. https://www.iproov.com/press/consumers-prefer-biometric-face-verification

  22. Passkeys? (Biometric) Device Unlock… but for (web) apps!

  23. None
  24. None

  25. Register Passkey /api/register-passkey /api/save-passkey { credentialID, pubkey } { userID,

    name, challenge }
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None

  32. Authenticate Passkey /api/auth-passkey /api/verify-passkey { credentialID, signature, data } {

    challenge } { success }
  33. None
  34. None
  35. None
  36. None
  37. None
  38. None
  39. None
  40. None
  41. None

  42. “Ugh, can you just give me something that does all

    that for me?”

  43. github.com/mylofi/webauthn-local-client

  44. None

  45. Auth.js / NextAuth (now owned by BetterAuth) Lucia Passport.js ...

  46. BetterAuth Auth0 Okta Clerk Supabase …

  47. “Never roll your own auth…”

  48. Yes, DO roll your own (passkey) auth!

  49. Passkeys shift the burden of safe credential handling from your

    server to users’ device security system
  50. None

  51. Users will resist having to create passkeys on every device

  52. Apple, Google, and Microsoft all support cloud-based Passkey sync between

    devices

  53. A user can be phished/tricked with Passkeys just like passwords

  54. Browser locks a passkey to a web origin, and will

    not share it with any other

  55. If a site is attacked, all its Passkeys can be

    compromised

  56. Sites never see your Passkey, only its public key; they

    can’t do anything bad with it

  57. Passkeys can be stolen by MitM and used without permission

  58. Servers verify the signature signed by the Passkey private key;

    tamper-proof

  59. If I lose my device, I lose access to my

    account

  60. You should set up multiple Passkeys on different devices; any

    device/Passkey lets you in
  61. None

  62. More Private More Secure Familiarity Streamlined UX

  63. User Education User Setup Burden User Responsibility Still Evolving

  64. Patterns for Passkey Use

  65. Alternate Authentication

  66. None

  67. Additional Authentication (2FA)

  68. None

  69. Primary Authentication

  70. None
  71. None
  72. None

  73. Local-Only Passkeys (no server!)

  74. None

  75. Passkey Branding/UX

  76. None
  77. None
  78. None

  79. Passkeys for Passwords

  80. None

  81. a LOT of variance

  82. https://passkey.garden

  83. None

  84. Learn More?

  85. None
  86. None
  87. None

  88. Kyle Simpson SLIDES Past Time for Passkeys Waiting for your

    biometric passkey (face/fingerprint) to be presented…

  89. Past Time for Passkeys Kyle Simpson Thank You! Slide Code