WebAuthn Implementation

Stored credential data

Persist the public key
Persist the signature counter
Optionally persist transports
Never store the private key

export const passkeys = sqliteTable('passkeys', {
  publicKey: text('public_key').notNull(),
  counter: integer('counter').notNull().default(0),
  transports: text('transports'),
});

Registration rules

Use @simplewebauthn/server
Require residentKey: 'required'
Require userVerification: 'required'
Prefer platform authenticators for one-click login

authenticatorSelection: {
  residentKey: 'required',
  userVerification: 'required',
  authenticatorAttachment: 'platform',
}

Security Considerations

Rate limiting

Limit send-email requests by IP
Limit requests by target email
Add backoff for repeated failures
Prevent email bombing and token abuse

Account enumeration

Passkeys in discovery mode avoid email input entirely
Email login always returns success
Existing accounts get a code email
Missing accounts get a notification email instead

Signup safety

Verify email ownership first
Create the User record last
Keep auth attempts purpose-specific
Treat recovery and signup as first-class flows