Understanding these nuances helps businesses implement password‑less authentication securely while avoiding hidden privacy and usability pitfalls. It also signals where the industry is heading for broader credential‑based identity solutions.
Passkeys are reshaping the authentication landscape by moving secret storage into hardware‑isolated modules such as Apple’s Secure Enclave or Android’s Trusted Execution Environment. These secure elements generate private keys that never leave the chip, and they require user verification—typically a biometric or passcode—before signing a challenge. While this model eliminates password‑based phishing vectors, attestation data that proves which hardware created a credential can inadvertently enable device fingerprinting, raising privacy concerns that enterprises must balance against strict device‑trust policies.
For developers, the launch of passkeybot.com demonstrates how WebAuthn can be abstracted into a few server‑side handlers, but the underlying JavaScript still demands rigorous security hygiene. Immediate mediation, an upcoming Chrome origin trial, lets sites query the presence of local passkeys without invoking the browser UI, streamlining the login flow for returning users. Related Origin Requests expand cross‑domain credential creation, though they require HTTPS and are not yet supported on iOS 18 or Firefox. Additional APIs—such as the Signal API for hint‑based credential deletion and BLE‑based proximity signing—provide flexibility for edge cases like public‑terminal access.
Looking ahead, the Digital Credentials API promises to extend passkey concepts beyond authentication, enabling privacy‑preserving attribute sharing from native OS wallets. Coupled with enterprise‑managed attestation and PKCE‑style secret generation, organizations can build robust, password‑less experiences while mitigating risks like compromised JavaScript or replay attacks. Success will hinge on adopting best practices: enforcing user verification, limiting attestation exposure, and staying current with emerging browser standards that bridge native security hardware to web applications.
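The server-side policy the text calls for (enforce user verification, bind the assertion to the expected origin and challenge, watch the signature counter for replay or cloned authenticators) is concrete enough to show in code. The following Python is an added example, not code from passkeybot.com or from the page; the relying-party id `example.com`, the origin and the sample authenticatorData and clientDataJSON are constructed for illustration, and signature verification with the stored public key is left as a separate (hypothetical) step.

```python
import base64
import hashlib
import json
import struct

# Bit positions in the WebAuthn authenticatorData "flags" byte
FLAG_UP = 0x01  # user present (a touch or presence check happened)
FLAG_UV = 0x04  # user verified (biometric or passcode checked by the authenticator)

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed 37-byte authenticatorData prefix: SHA-256(rpId) | flags | signCount (big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

def make_client_data(challenge: bytes, origin: str, ceremony: str = "webauthn.get") -> str:
    """Constructed clientDataJSON as a browser would produce it for navigator.credentials.get()."""
    return json.dumps({"type": ceremony, "challenge": b64url_encode(challenge), "origin": origin})

def check_assertion(auth_data: bytes, client_data_json: str, *, rp_id: str, origin: str,
                    challenge: bytes, stored_sign_count: int, require_uv: bool = True) -> list:
    """Return the list of policy violations; an empty list means the metadata checks pass.
    Signature verification over authenticatorData || SHA-256(clientDataJSON) happens separately."""
    problems = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        problems.append("wrong ceremony type")
    if cd.get("origin") != origin:
        problems.append("origin mismatch")  # catches a look-alike page relaying the ceremony
    if b64url_decode(cd.get("challenge", "")) != challenge:
        problems.append("challenge mismatch (stale or replayed assertion)")
    if len(auth_data) < 37:
        problems.append("authenticatorData too short")
        return problems
    rp_id_hash, flags, sign_count = auth_data[:32], auth_data[32], struct.unpack(">I", auth_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash mismatch")
    if not flags & FLAG_UP:
        problems.append("user presence not asserted")
    if require_uv and not flags & FLAG_UV:
        problems.append("user verification not performed")  # the policy the text recommends
    # Synced passkeys commonly report 0; when either value is non-zero the counter must increase,
    # otherwise the assertion may come from a cloned authenticator or be a replay.
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        problems.append("signCount did not increase")
    return problems
```

Pairing this with `attestation: "none"` in the registration options (unless device-trust policy genuinely needs the attestation statement) is the "limit attestation exposure" half of the same advice.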