Use Libraries, Not Raw Crypto

Recommended stack

import { generateRegistrationOptions, verifyRegistrationResponse } from '@simplewebauthn/server';

Why libraries matter

WebAuthn has binary formats, origin checks, and edge cases.
Good libraries already handle verification rules and browser quirks.
You still own the challenge lifecycle, credential storage, and recovery UX.
The hard product question is usually fallback and account recovery, not the API call itself.

Recovery: Why Email OTP Is A Strong Backup

Why email OTP works well

Most users already secure their email accounts well.
Email is broadly understood and already part of account recovery habits.
It works across devices without teaching users a new recovery ritual.
It is a better mainstream backup than asking users to store recovery codes they will lose.

Why not SMS or 6-digit authenticator codes

SMS is weak against SIM swapping and carrier-level attacks.
A 6-digit TOTP code is fine as a second factor, but weak as sole identity proof.
Recovery codes are operationally hard for many users to keep safe.
Passkeys plus email OTP is often the most practical product balance.