Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Past Time For Passkeys

Avatar for Kyle Simpson Kyle Simpson PRO
October 03, 2025
Resources
Programming
0
92

Past Time For Passkeys

Over 2 billion devices support some form of biometric unlock (Face ID, Touch ID, etc), making that by far the most common way people protect access to their devices.

The exact same capability, applied to authentication (login) for apps, is called Passkeys. But yet, despite the popularity of biometric device unlock, and the massive problems of passwords -- phishing, cracking, forgetting -- and even SMS texts or TOTP codes for 2FA, for some reason, Passkeys have not yet taken off.

It's well past time for Passkeys to have taken off. We desperately need a broad conversation about what's holding them back and what we can do to upgrade the web to using Passkeys.

In this talk, we'll explore the ins and outs of using Passkeys, including (most importantly!) how to make your users understand and love them!

Avatar for Kyle Simpson

Kyle Simpson PRO

October 03, 2025
Tweet

Resources

Slide Code

https://gist.github.com/getify/b7395cdf0d2c5d3c0dd6685b5fae406d

Nordic.js 2025 Talk

https://www.youtube.com/watch?v=GVH8X_QOlKg

Recording (Youtube)

More Decks by Kyle Simpson

See All by Kyle Simpson
Love/Hate: Upgrading to Web2.5 with Local-First (abbr)
Avatar for Kyle Simpson getify
PRO
0
120
Transforming Composition
Avatar for Kyle Simpson getify
PRO
0
130
Love/Hate: Upgrading to Web2.5 with Local-First
Avatar for Kyle Simpson getify
PRO
0
230
Zero Server Data Security
Avatar for Kyle Simpson getify
PRO
1
220
Imperative vs Declarative: Weathering the storm
Avatar for Kyle Simpson getify
PRO
0
460
Confessions from an Impostor
Avatar for Kyle Simpson getify
PRO
0
240
On the job interview... Composition
Avatar for Kyle Simpson getify
PRO
0
110
Mo'Problems, Mo'Nads
Avatar for Kyle Simpson getify
PRO
1
3.6k
FOUC, and the Death of Progressive Enhancement
Avatar for Kyle Simpson getify
PRO
6
2.3k

Other Decks in Programming

See All in Programming
コードとあなたと私の距離 / The Distance Between Code, You, and I
Avatar for YAMAOKA Hiroyuki hiro_y
0
190
ソフトウェア設計の実践的な考え方
Avatar for 増田 亨 masuda220
PRO
4
630
TransformerからMCPまで(現代AIを理解するための羅針盤)
Avatar for MIKIO KUBO mickey_kubo
4
1.4k
NixOS + Kubernetesで構築する自宅サーバーのすべて
Avatar for ichi-h ichi_h3
0
1.1k
その面倒な作業、「Dart」にやらせませんか? Flutter開発者のための業務効率化
Avatar for YomEngine yordgenome03
1
140
Go言語の特性を活かした公式MCP SDKの設計
Avatar for hond hond0413
1
410
CSC305 Lecture 09
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
300
Leading Effective Engineering Teams in the AI Era
Avatar for Addy Osmani addyosmani
7
550
AkarengaLT vol.38
Avatar for hashimoto-kei hashimoto_kei
1
110
The Past, Present, and Future of Enterprise Java
Avatar for ivargrimstad ivargrimstad
0
520
All About Angular's New Signal Forms
Avatar for Manfred Steyer manfredsteyer
PRO
0
200
モテるデスク環境
Avatar for mozumasu mozumasu
3
480

Featured

See All Featured
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
31
2.7k
StorybookのUI Testing Handbookを読んだ
Avatar for Shingo Yamazaki zakiyama
31
6.2k
Fashionably flexible responsive web design (full day workshop)
Avatar for Andy Clarke malarkey
407
66k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
615
210k
Why You Should Never Use an ORM
Avatar for John Nunemaker jnunemaker
PRO
59
9.6k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
9
630
Docker and Python
Avatar for Tania Allard trallard
46
3.6k
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
110k
What’s in a name? Adding method to the madness
Avatar for Product Marketing Alliance productmarketing
PRO
24
3.7k
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
369
20k
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
180
10k
It's Worth the Effort
Avatar for 3n 3n
187
28k

Transcript

  1. Kyle Simpson Passwords Are Fine! ******** SLIDES

  2. Kyle Simpson Passwords Are Fine! SLIDES ******** User name or

    password entered incorrectly.

  3. Past Time for Passkeys Kyle Simpson

  4. None

  5. Passwords Are Bad Password Resets Are Bad Security Questions Are

    Bad

  6. Federated/SSO Logins Are Bad Email/SMS/App TOTP 2FA Is Bad Magic

    Login Links Are Bad

  7. QR Code Logins Are Bad OAuth/OIDC Is Bad Security Key

    Devices Are Bad

  8. CAPTCHAs Are Bad Push-Based Approval Is Bad Backup Codes Are

    Bad

  9. These mainly exist to cope with quirks of the web

    They also protect vendor lock-in & monetization

  10. Bad doesn’t just mean poor UX It also means poor

    security

  11. </rant>

  12. Biometric Device Unlock 80-90% of consumer devices worldwide

  13. None
  14. None

  15. This shares my personal biometric data with big tech

  16. Biometric data is registered PER DEVICE, and only stored securely

    on that device

  17. Apple: Secure Enclave Android: TEE / StrongBox

  18. If my biometric data is compromised, I’m screwed

  19. Compromise requires your biometric data AND physical access to your

    device

  20. Device Unlock falls back to PIN/Pattern without biometrics

  21. 86% of US consumers use some device lock 1 55%

    of major global market consumers use biometric unlock 2 1. https://www.pewresearch.org/internet/2023/10/18/how-americans-protect-their-online-data/ 2. https://www.iproov.com/press/consumers-prefer-biometric-face-verification

  22. Passkeys? (Biometric) Device Unlock… but for (web) apps!

  23. None
  24. None

  25. Register Passkey /api/register-passkey /api/save-passkey { credentialID, pubkey } { userID,

    name, challenge }
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None

  32. Authenticate Passkey /api/auth-passkey /api/verify-passkey { credentialID, signature, data } {

    challenge } { success }
  33. None
  34. None
  35. None
  36. None
  37. None
  38. None
  39. None
  40. None
  41. None

  42. “Ugh, can you just give me something that does all

    that for me?”

  43. github.com/mylofi/webauthn-local-client

  44. None

  45. Auth.js / NextAuth (now owned by BetterAuth) Lucia Passport.js ...

  46. BetterAuth Auth0 Okta Clerk Supabase …

  47. “Never roll your own auth…”

  48. Yes, DO roll your own (passkey) auth!

  49. Passkeys shift the burden of safe credential handling from your

    server to users’ device security system
  50. None

  51. Users will resist having to create passkeys on every device

  52. Apple, Google, and Microsoft all support cloud-based Passkey sync between

    devices

  53. A user can be phished/tricked with Passkeys just like passwords

  54. Browser locks a passkey to a web origin, and will

    not share it with any other

  55. If a site is attacked, all its Passkeys can be

    compromised

  56. Sites never see your Passkey, only its public key; they

    can’t do anything bad with it

  57. Passkeys can be stolen by MitM and used without permission

  58. Servers verify the signature signed by the Passkey private key;

    tamper-proof

  59. If I lose my device, I lose access to my

    account

  60. You should set up multiple Passkeys on different devices; any

    device/Passkey lets you in
  61. None

  62. More Private More Secure Familiarity Streamlined UX

  63. User Education User Setup Burden User Responsibility Still Evolving

  64. Patterns for Passkey Use

  65. Alternate Authentication

  66. None

  67. Additional Authentication (2FA)

  68. None

  69. Primary Authentication

  70. None
  71. None
  72. None

  73. Local-Only Passkeys (no server!)

  74. None

  75. Passkey Branding/UX

  76. None
  77. None
  78. None

  79. Passkeys for Passwords

  80. None

  81. a LOT of variance

  82. https://passkey.garden

  83. None

  84. Learn More?

  85. None
  86. None
  87. None

  88. Kyle Simpson SLIDES Past Time for Passkeys Waiting for your

    biometric passkey (face/fingerprint) to be presented…

  89. Past Time for Passkeys Kyle Simpson Thank You! Slide Code