Common Implementation Mistakes

Identity mistakes

  • Putting a port inside the RP ID
  • Registering on one subdomain and expecting another RP ID to work
  • Forgetting that local dev and production use different identities

Verification mistakes

  • Skipping origin validation
  • Reusing challenges
  • Treating passkeys as a frontend-only concern

Product mistakes

  • No fallback when a user loses a device
  • Assuming passkey-first discovery will stay clean on crowded localhost
  • Over-investing in attestation before shipping the basics
  • Hiding setup behind too much account ceremony
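As an added example (not from the slides), a server-side check in Python that ties together the identity and verification items above: the RP ID is a bare registrable domain with no port, the origin in clientDataJSON is compared against an allowlist, each challenge is accepted exactly once, and the rpIdHash at the start of authenticatorData must match the expected RP ID. The origins, RP ID and in-memory challenge store are assumptions for illustration; the signature check over authenticatorData and the clientDataJSON hash must follow and is not shown.

```python
import base64
import hashlib
import json
import secrets

# Hypothetical deployment config (constructed for this example).
# RP ID is a registrable domain: no scheme, no port, no path. Ports and
# schemes live in the origin, which is why "example.com:443" is wrong here.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://app.example.com"}
# Outstanding challenges; each is removed the first time it is presented.
ISSUED_CHALLENGES: set[bytes] = set()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_challenge() -> bytes:
    c = secrets.token_bytes(32)
    ISSUED_CHALLENGES.add(c)
    return c


def verify_assertion(client_data_json: bytes, authenticator_data: bytes) -> str:
    """Return 'ok' or the reason the assertion is rejected."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    challenge = b64url_decode(cd.get("challenge", ""))
    if challenge not in ISSUED_CHALLENGES:
        return "unknown or already-used challenge"
    ISSUED_CHALLENGES.discard(challenge)  # consume: a replay now fails here
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return "origin not allowed"
    # authenticatorData begins with SHA-256(rpId) chosen by the browser.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    return "ok"  # signature verification would follow from here


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Constructed clientDataJSON, as a browser would produce it."""
    enc = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": enc, "origin": origin}).encode()


def make_auth_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash, flags (UP), signCount=1."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
```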

Intro to Passkeys
14 / 15